[Zope] Urgent: Severe problem

Juan Lorenzana juan at itwest.net
Wed Sep 24 15:20:25 EDT 2003


Tom,

So do you think this is a DoS attack?  I have seen DoS attacks before but I
have never seen one that uses over 2,000 machines.  I do not think that the
packets are spoofed, because 1) I can ping them, 2) they appear to
primarily originate from about 8 different countries only, 3) if I stop the
server (I did that for one full day), they keep going even after a day;
most DoS attacks stop when the system crashes or stops responding.

Anyway, if it is not related to Zope, what do you think this flood is related
to?  And why from all over the world?  The attack started September 15 and
the customer has no idea why they would single out his site.  Pretty low
volume site.  This system is on a shared hosting machine, and the attacks
are only focused on this one customer and not the whole machine.

Any thoughts?

We thought that there might be a database in CMF servers and all of a
sudden someone put this customer's site down as one of them and all Zope
users started trying to access it.  We do not use CMF and I had never heard
of it before, so please excuse my ignorance as to what it actually does.
Like you mentioned, it probably has nothing to do with CMF.  The only
reference in Google that we could find was to Zope, so we thought there
might be a link.

I am thinking about calling CERT to see if this is from a virus, but wanted
to make sure I understood the cause more before notifying CERT.

P.S. If zope at zope.org is a mailing list, please let me know so that I do
not bore everyone with our problem.  Thanks.


Juan


"Passin, Tom" wrote:

> [Juan Lorenzana]
> > My name is Juan Lorenzana and I am a system administrator for an ISP in
> > Brazil.  They offer virtual servers and virtual hosting.  The reason I
> > am sending you this email is that one of our virtual hosting customer's
> > web site is being flooded with requests that appear to be related to
> > zope.  An excerpt of the log files appears below:
> >
> >
> > Access Log file:
> > 168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285
> > 216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
> > 200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
>
> The same thing has also been seen in a PHP context, so it probably has
> nothing to do with Zope -
>
> "The server farm is being hit by about 30,000 of these per minute
> along with all of your valid requests :
>
> from http://forum.mydomain.com/viewtopic.php?t=2241&start=15 -
>
> -- begin log snip --
>
> 4.35.208.254 [27/Aug/2003:14:13:46 -0700]
> "\x87\x92\xdc\xecf\xaa\xb8,i\x99?\xd7\xe1\xff\xe3\xabi\x9a\xb9tl\xba\"#\
> xe7\
> xf5\xaa\x1fp\x1b0\xe0xmH\xb9\xcd\t\xdd\xf5b\xa9\x1b&S\x8d\x8b\xba$\xb6\x
> 80\xcfJU\xb3I\xec\x83*!\xea2^\xff\x1fd\x9c\x0c\xe3\x9b\xac\x01\xd4\x90\x
> b1\x8\xd7'P\xb5Y\xa3\x14\x04\xdb\x16\x11E\xad\x1c\xc8\x06\xf9\xc9K
> \x04\xe0\xa2\x8c\xb1FlxG\xb6\xc9\x9as\xb5x\xc5\x91\xc9=\xba'\xe6\x86@\xb
> 2)Mw\xa6\xc9 at i" 400 371
>
> 200.67.219.5 www.Gustavo.com [27/Aug/2003:14:13:46 -0700] "GET
> http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1
> HTTP/1.1" 404 5
>
> -- end log snip -- "
>
> There are other php examples too.
>
> The Zope Hot Patch does not look like the query string.  The only part
> that has a name starting with "z" is this -
>
> from zLOG import LOG, INFO
>
> I doubt that this has anything to do with zope per se, given the above.
>
> Anyone else know anything more concrete than speculation?
>
> Cheers,
>
> Tom P
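The thread never gets past "is this a DoS?", so the question a practitioner would actually want answered from the two log excerpts is: how many distinct sources are sending the `ver=01&task=newzad&first=1` request, at what rate per minute, and which of them are worth blocking. The script below is an added example and is not code from the thread or from Zope; it parses common-format access log lines, fingerprints the flood by its query string rather than by path (the PHP excerpt shows the same query against a different path, and one hit arrives as an absolute URL), tolerates the binary garbage request lines that show up as 400s in the second excerpt, and summarises hits per source and per minute. The sample log lines, addresses and timestamps are constructed for the example, modelled on the excerpts above; the threshold in `block_list` is an assumption, not something the thread specifies.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/Zope common log format, modelled on the thread's
# excerpts.  Addresses, timestamps and the garbage line are made up.
SAMPLE_LOG = "\n".join([
    '168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285',
    '216.244.197.250 - - [24/Sep/2003:11:34:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273',
    '200.63.144.150 - - [24/Sep/2003:11:35:10 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273',
    '10.0.0.7 - - [24/Sep/2003:11:35:12 -0600] "GET /index.html HTTP/1.1" 200 1204',
    '168.226.70.160 - - [24/Sep/2003:11:35:20 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285',
    '4.35.208.254 - - [24/Sep/2003:11:35:21 -0600] "\\x87\\x92\\xdc\\"garbage" 400 371',
    '200.67.219.5 - - [24/Sep/2003:11:36:02 -0600] "GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1 HTTP/1.1" 404 5',
    '10.0.0.8 - - [24/Sep/2003:11:36:05 -0600] "POST /login HTTP/1.1" 302 0',
])

# Common log format.  The request field is captured greedily so that junk request
# lines containing escaped quotes (the 400s in the thread) still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')

# Fingerprint of the flood as it appears in both excerpts: match on the query
# string, not the path, because the path differs between the Zope and PHP hosts.
FLOOD_SIGNATURE = {"ver": ["01"], "task": ["newzad"]}


def parse_line(line):
    """Parse one access-log line; None if it is not a log line at all."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rm = REQ_RE.match(rec["req"])
    if rm:
        rec["method"], rec["target"] = rm["method"], rm["target"]
        # urlsplit handles both "/put?..." and absolute "http://host/x.php?..." targets
        rec["query"] = parse_qs(urlsplit(rm["target"]).query)
        rec["malformed"] = False
    else:
        rec["method"] = rec["target"] = None
        rec["query"] = {}
        rec["malformed"] = True  # not an HTTP request line (binary junk)
    return rec


def matches_signature(rec, signature=FLOOD_SIGNATURE):
    """True when every signature parameter is present with exactly that value."""
    return all(rec["query"].get(k) == v for k, v in signature.items())


def analyze(log_text, signature=FLOOD_SIGNATURE):
    """Count signature hits per source and per minute; also count garbage requests."""
    per_source, per_minute = Counter(), Counter()
    total = malformed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["malformed"]:
            malformed += 1
            continue
        if matches_signature(rec, signature):
            per_source[rec["ip"]] += 1
            per_minute[rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
    return {
        "total": total,
        "flood_hits": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "per_source": per_source,
        "per_minute": per_minute,
        "malformed": malformed,
    }


def block_list(result, min_hits=2):
    """Sources with at least min_hits signature requests, busiest first (threshold is an assumption)."""
    return sorted(
        (ip for ip, n in result["per_source"].items() if n >= min_hits),
        key=lambda ip: (-result["per_source"][ip], ip),
    )


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(f"{r['flood_hits']} signature hits from {r['distinct_sources']} sources, "
          f"{r['malformed']} garbage requests, per minute: {dict(r['per_minute'])}")
    print("block:", block_list(r))
```

Run it against a real log with `analyze(open(path).read())`; the number of distinct sources and whether the per-minute rate is flat while the site is down are the two figures that distinguish a distributed flood from a misconfigured crawler, which is the question Juan is asking. A list of thousands of distinct sources each sending a handful of requests is also why per-source blocking alone will not help much here.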