Exploited mirror/server - resources01.phx.ovirt.org

Sandro Bonazzola sbonazzo at redhat.com
Mon Apr 13 06:25:12 UTC 2015


On 13/04/2015 00:17, Geoff Maciolek wrote:
> Sorry if this got replicated.  "Short version: someone stuck a PHP shell onto one of the oVirt download servers."
> 
> Long version - probably worth reading in its entirety:
> 
> Folks, there's a "suspicious" file I saw when browsing plain.resources01.phx.ovirt.org
> 
> Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login.  It is EXTREMELY unlikely that this is there intentionally.
> 

David, isn't h5ai the template engine running as the file indexer on the resource.ovirt.org server?
Following the link on http://resources.ovirt.org/pub/ lands on http://larsjung.de/h5ai/

Do you remember when the template engine was installed there?

> Distressingly, the file has been there since 2014-09-26.
> 
> Now, it doesn't seem most download links point to that server; for example, the main download page (ovirt.org/Download) link for 3.5 points to "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything there, but I didn't dig.
> 
> BUT - over on ovirt.org/Quick_Start_Guide - there's a link to "http://resources.ovirt.org/releases/stable/iso/" - which redirects to http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned above.
> 
> On http://resources01.phx.ovirt.org/releases/ there's a link to an html file which redirects you to "plain.resources01.phx.ovirt.org" - which is where I saw the file in question.
> 
> Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> The filename is _h5ai_research.php - but it is most certainly not h5ai related.
> 
> If this phx server isn't in use any longer, as it seems may be the case, it should be powered down & cleaned up, DNS entries to it should get removed, and links updated.  Fun fact:  "resources01.phx.ovirt.org (66.187.230.19)" appears to be in a RedHat NOC, whereas "resources.ovirt.org (173.255.252.138)" which seems fine & shares list functions?  Lives at Linode.
> 
> --Geoff Maciolek
> 
> This e-mail does not reflect the position of PVDC Hosting, LLC or any affiliated companies.
> 
> Replies may be directed to this address or to geoffmaciolek at gmail.com,
> 


-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
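
An added example, not part of the original thread or of oVirt's tooling: a small audit for a static download mirror that lists server-executable scripts outside the indexer's own directory and records their modification date and whether they carry the banner string quoted in the report. It assumes h5ai is installed in a top-level `_h5ai/` directory; the extension list, function names and sample tree are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}  # server-executable types
ALLOWED_DIRS = {"_h5ai"}             # assumption: the indexer's own directory
BANNER_MARKERS = (b"c99madshell",)   # banner string quoted in the report

def audit_docroot(docroot):
    """List executable scripts that live outside the allowed directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        if dirpath == docroot:  # prune the indexer's directory at top level only
            dirnames[:] = [d for d in dirnames if d not in ALLOWED_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536).lower()
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            findings.append({
                "path": os.path.relpath(path, docroot).replace(os.sep, "/"),
                "modified": mtime.date().isoformat(),  # mtime can be forged
                "banner_match": any(m in head for m in BANNER_MARKERS),
            })
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root):
    """Constructed sample layout, not the real server's contents."""
    files = {
        "_h5ai/index.php": b"<?php /* indexer code, allowed */",
        "releases/stable/iso/README.txt": b"static artifact",
        "releases/_h5ai_research.php": b"<?php /* c99madshell banner placeholder */",
        "pub/info.php": b"<?php /* stray script without a known banner */",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    stamp = datetime(2014, 9, 26, 12, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(root, "releases", "_h5ai_research.php"), (stamp, stamp))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_docroot(tmp):
            print(finding)
```

A script with no banner match is still reported, because a mirror that serves only release artifacts has no reason to hold executable scripts outside the indexer's directory.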


