[Zope] Urgent: Severe problem

Passin, Tom tpassin at mitretek.org
Wed Sep 24 14:31:41 EDT 2003


[ Juan Lorenzana]
> My name is Juan Lorenzana and I am a system administrator for an ISP in
> Brazil.  They offer virtual servers and virtual hosting.  The reason I
> am sending you this email is that one of our virtual hosting customer's
> web site is being flooded with requests that appear to be related to
> zope.  An excerpt of the log files appears below:
> 
> 
> Access Log file:
> 168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285
> 216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
> 200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273


The same thing has also been seen in a php context, so it is probably
nothing to do with Zope  -

"The server farm is being hit by about 30,000 of these per minute
along with all of your valid requests :

from http://forum.mydomain.com/viewtopic.php?t=2241&start=15 -

-- begin log snip --

4.35.208.254 [27/Aug/2003:14:13:46 -0700]
"\x87\x92\xdc\xecf\xaa\xb8,i\x99?\xd7\xe1\xff\xe3\xabi\x9a\xb9tl\xba\"#\
xe7\
xf5\xaa\x1fp\x1b0\xe0xmH\xb9\xcd\t\xdd\xf5b\xa9\x1b&S\x8d\x8b\xba$\xb6\x
80\xcfJU\xb3I\xec\x83*!\xea2^\xff\x1fd\x9c\x0c\xe3\x9b\xac\x01\xd4\x90\x
b1\x8\xd7'P\xb5Y\xa3\x14\x04\xdb\x16\x11E\xad\x1c\xc8\x06\xf9\xc9K
\x04\xe0\xa2\x8c\xb1FlxG\xb6\xc9\x9as\xb5x\xc5\x91\xc9=\xba'\xe6\x86@\xb
2)Mw\xa6\xc9 at i" 400 371

200.67.219.5 www.Gustavo.com [27/Aug/2003:14:13:46 -0700] "GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1 HTTP/1.1" 404 5

-- end log snip -- "

There are other php examples too.

The Zope Hot Patch does not look like the query string.  The only part
that has a name starting with "z" is this -

from zLOG import LOG, INFO

I doubt that this has anything to do with zope per se, given the above.

Anyone else know anything more concrete than speculation?

Cheers,

Tom P
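
Added example, not part of the original message: a Python check of the observation above, that one query string recurs under different paths and from many clients while only drawing error responses. Lines 1-4 of the sample are the excerpts quoted in the message; the other sample lines, the function names and the `min_clients` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Client address, anything up to the quoted request line, then the status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b')

# Lines 1-4: excerpts quoted in the message, rejoined onto one line each.
# Lines 5-7: constructed traffic (two benign requests, one non-HTTP probe).
SAMPLE_LOG = r"""168.226.70.160 - - [24/Sep/2003:11:34:50 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.1" 404 285
216.244.197.250 - - [24/Sep/2003:11:35:55 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
200.63.144.150 - - [24/Sep/2003:11:36:10 -0600] "GET /put?ver=01&task=newzad&first=1 HTTP/1.0" 404 273
200.67.219.5 www.Gustavo.com [27/Aug/2003:14:13:46 -0700] "GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1 HTTP/1.1" 404 5
192.0.2.10 - - [24/Sep/2003:11:36:12 -0600] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [24/Sep/2003:11:36:15 -0600] "GET /search?q=zope HTTP/1.1" 200 2048
203.0.113.9 - - [24/Sep/2003:11:36:20 -0600] "\x16\x03\x01" 400 371
"""

def query_signature(target):
    """Path-independent key: the sorted (name, value) pairs of the query string."""
    return tuple(sorted(parse_qsl(urlsplit(target).query, keep_blank_values=True)))

def summarize(log_text):
    """Group parsed requests by query signature; also count unparsable lines."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "paths": set(), "statuses": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # e.g. binary garbage where the request line should be
            continue
        sig = query_signature(m["target"])
        if not sig:
            continue  # no query string, nothing to correlate
        g = groups[sig]
        g["hits"] += 1
        g["clients"].add(m["ip"])
        g["paths"].add(urlsplit(m["target"]).path)
        g["statuses"].add(int(m["status"]))
    return dict(groups), skipped

def suspicious(groups, min_clients=3):
    """Signatures sent by many distinct clients that only ever drew 400/404."""
    return [sig for sig, g in groups.items()
            if len(g["clients"]) >= min_clients and g["statuses"] <= {400, 404}]
```

Calling `suspicious(summarize(SAMPLE_LOG)[0])` returns the single `ver`/`task`/`first` signature, whose group records both `/put` and `/attackDoS.php` as paths.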


