zope, curious http requests, apache
Hello all,

I'm having my second 'play' with zope, this time round however I've got it exposed to the world through port 80 (running on port 80), firewalled etc.

I noticed in Zope's output stream in the terminal window this evening a curious "ZServer Bad HTTP request: 'GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090% u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0'" ... which if I'm not mistaken is a deliberate or scripted attack?

1st question: This is nothing to worry about with zope, right?

2nd question: is running zope behind Apache any help, and if so (while I appreciate it is not trivial), what sort of things should I look out for? Does anyone know of an 'everymans[!] guide to setting up apache and not doing it the WRONG way'?

(sorry that's probably my quota of questions tonight I know!) :-)

Thanks in advance for any advice.

Stu

On Thu, Aug 07, 2003 at 10:30:11PM +0100, Stuart Robinson wrote:

> Hello all,
>
> I noticed in Zope's output stream in the terminal window this evening a curious "ZServer Bad HTTP request: 'GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090% u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0'" ... which if I'm not mistaken is a deliberate or scripted attack?
>
> 1st question: This is nothing to worry about with zope, right?

This looks like code-red or something similar looking for a vulnerable IIS server. It shouldn't be a security worry for Zope, just some unwanted traffic.

> 2nd question: is running zope behind Apache any help, and if so (while I appreciate it is not trivial), what sort of things should I look out for? Does anyone know of an 'everymans[!] guide to setting up apache and not doing it the WRONG way'? (sorry that's probably my quota of questions tonight I know!) :-)

If you wish to block this from reaching the zope server, you could configure apache to send an HTTP error response rather than forwarding to zope ... or be evil and send a redirect to the attacking server so it attacks itself. The apache manual (httpd.apache.org) should have a few good examples of blocking using either mod_access or mod_rewrite.

-- Dave
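
As an added example (not part of the thread and not Zope's own code), the sketch below triages ZServer "Bad HTTP request" lines like the one quoted above, flagging those that carry the features visible in that request: an IIS indexing extension, a long single-character filler run, and `%uXXXX` escapes. The function names, labels, thresholds, the `.idq` extension and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Log prefix as shown in the post; method, target and version are captured.
LINE_RE = re.compile(r"ZServer Bad HTTP request: '(\S+) (.*) (HTTP/\d\.\d)'")
FILLER_RE = re.compile(r"(.)\1{63,}")        # 64 or more repeats of one character
PCT_U_RE = re.compile(r"%u[0-9a-fA-F]{4}")   # non-standard %uXXXX escapes
# ".ida" is the extension in the post; ".idq" is an added assumption.
IIS_INDEX_EXTS = (".ida", ".idq")


def classify(line):
    """Return (label, reasons) for one ZServer log line."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed", []
    # The logged target can contain spaces from wrapping; drop them first.
    target = re.sub(r"\s+", "", m.group(2))
    path, _, query = target.partition("?")
    reasons = []
    if path.lower().endswith(IIS_INDEX_EXTS):
        reasons.append("iis-index-extension")
    if FILLER_RE.search(query):
        reasons.append("long-filler-run")
    if len(PCT_U_RE.findall(query)) >= 4:
        reasons.append("percent-u-escapes")
    # Extension plus at least one payload feature: probe aimed at IIS,
    # which a Zope server only sees as unwanted traffic.
    if "iis-index-extension" in reasons and len(reasons) > 1:
        return "iis-probe", reasons
    return ("suspicious" if reasons else "other"), reasons


def summarize(lines):
    """Count log lines per label."""
    return Counter(classify(line)[0] for line in lines)


# Constructed sample lines in the shape of the logged request (filler shortened).
SAMPLE_LOG = [
    "ZServer Bad HTTP request: 'GET /default.ida?" + "X" * 40 + " " + "X" * 60
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858 HTTP/1.0'",
    "ZServer Bad HTTP request: 'GET /index_html?q=" + "A" * 80 + " HTTP/1.0'",
    "ZServer Bad HTTP request: 'GET / HTTX/1.0'",
    "ZServer Bad HTTP request: 'GET /manage_main HTTP/1.0'",
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(label, count)
```
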