Exploited mirror/server - resources01.phx.ovirt.org

[Geoff Maciolek]

Sorry if this got replicated.  "Short version: someone stuck a PHP shell onto one of the oVirt download servers."

Long version - probably worth reading in its entirety:

Folks, there's a "suspicious" file I saw when browsing plain.resources01.phx.ovirt.org

Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login.  It is EXTREMELY unlikely that this is there intentionally.

Distressingly, the file has been there since 2014-09-26.

Now, it doesn't seem most download links point to that server; for example, the main download page (ovirt.org/Download) link for 3.5 points to "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything there, but I didn't dig.

BUT - over on ovirt.org/Quick_Start_Guide - there's a link to "http://resources.ovirt.org/releases/stable/iso/" - which redirects to http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned above.

On http://resources01.phx.ovirt.org/releases/ there's a link to an html file which redirects you to "plain.resources01.phx.ovirt.org" - which is where I saw the file in question.

Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
The filename is _h5ai_research.php - but it is most certainly not h5ai related.

If this phx server isn't in use any longer, as it seems may be the case, it should be powered down & cleaned up, DNS entries to it should get removed, and links updated.  Fun fact:  "resources01.phx.ovirt.org (66.187.230.19)" appears to be in a RedHat NOC, whereas "resources.ovirt.org (173.255.252.138)" which seems fine & shares list functions?  Lives at Linode.

--Geoff Maciolek

This e-mail does not reflect the position of PVDC Hosting, LLC or any affiliated companies.

Replies may be directed to this address or to geoffmaciolek at gmail.com,