Opera Attack on Cryptome Was Opera Rogue Bot

16 September 2005.
Date: Thu, 15 Sep 2005 21:20:52 +0200
From: Stein Vråle <stein[at]opera.com>
To: A
Cc: jya@pipeline.com
Subject: Re: Attack from Opera.com

On Thu, 15 Sep 2005 11:27:41 -0700
[A wrote]

> Stein,
> 
> I know you're busy right now, but I noticed cryptome.org has posted
> something about attacks originating from pat-tdc.opera.com. If you
> have a chance you might want to take a look at it.
> http://cryptome.org/opera-attack.htm

Hi Mike,

yes I'm aware of that one - sad story, it wasn't really an attack but a
wild-running bot script on one of our development servers :(

I'm not sure what excatly went wrong, but this development server was
the prototype for the new My.Opera.Com site, and they were testing out
some trackback stuff for blogs. For some reason they left the machine
with the bot active (probably a mistake), and it it was running all
night long, hammering the poor cryptome.org site (I think it was
supposed to only check each site once but got stuck due to some bug).

When the developers returned in the morning they stopped it asap but
didn't see what it had done, but later that day I was notified by our
support dudes that we apperantly had attacked that site. Spent some
hours to track it in our logs but it when we finally found the source
machine it was already taken care of by the developers.

Well so it was all our fault - bots can be evil sometimes. But I didn't
know he never got any reply from us (just read his story on your link
now) - I told the support guys to respond and say sorry, but perhaps
they only contacted the innocent man-in-the-middle (Locotus Prime).

Haven't seen anything from them in our hostmaster queue either, but it
may be that they only contacted our upstream ISP, and not us -
hostmaster@opera.com|no should always work, we are very careful about
potential abuse/spam/etc problems, as we have everything to loose if our
domain enters a public IP blacklist or something like that.

I should probably contact them and say sorry, but I'm not to eager to
see my emails being printed in public - so I will first ask the support
guys if they really contacted them or not.

What kind of site is it btw - looks like a news site or crypto site, but
I have never seen it before. Just curious :)

Thanks for the report tough - such incidents can be really dangerous for
our reputation, so it's important we get aware of them and handle them
as promptly and polite as possible.


best regards,

/Stein
#sysadmin
@opera



Date: Fri, 16 Sep 2005 13:49:06 +0200
From: Stein Vråle <stein[at]opera.com>
To: jya[at]pipeline.com
Cc: A
Subject: Re: Attack from Opera.com

Hello Mr. Young,

I'm sorry if my reply yesterday seemed a little strange for you - I didn't
recognize your address when Mike cc'ed it, thought it was a friend of him
or something, so that's why I wrote about cryptme.org in third person ;)

In any case, you probably read my answer to the attack problem, so just to
clear any potential confusion:

The hits on your sites where caused by a failure in one of our development
system, and it was entirly our fault - no externals outside our company
were involved, and it was not intentional to hit your site - it was a
developing accident.

We're really sorry about it, and will do whatever we can to avoid such
things to happen again.

I'm also sorry you didn't reach us by mail either - first report I got on
this was from Locutus Prime, who reported it to our support department
last friday. If anything like this should happen again (but it shouldn't),
you can reach us at hostmaster@opera.com. Also feel free to contact me
directly.

If there is something we can do to compensate for the problems we gave
you, let me know.

Thank you and best regards,

Stein Vråle
sysadmin/hostmaster
Opera Software ASA