Exploited mirror/server - resources01.phx.ovirt.org

Eyal Edri eedri at redhat.com
Mon Apr 13 10:24:55 UTC 2015



----- Original Message -----
> From: "Ewoud Kohl van Wijngaarden" <ewoud+ovirt at kohlvanwijngaarden.nl>
> To: infra at ovirt.org
> Sent: Monday, April 13, 2015 1:23:20 PM
> Subject: Re: Exploited mirror/server - resources01.phx.ovirt.org
> 
> On Sun, Apr 12, 2015 at 10:17:50PM +0000, Geoff Maciolek wrote:
> > Sorry if this got replicated.  "Short version: someone stuck a PHP shell
> > onto one of the oVirt download servers."
> 
> Thank you for bringing this to our attention. For the very short term I
> chmodded it 000 so at least it can't be opened now. We will investigate
> further and try to find out how it got there.
> 
> > Long version - probably worth reading in its entirety:
> > 
> > Folks, there's a "suspicious" file I saw when browsing
> > plain.resources01.phx.ovirt.org
> > 
> > Specifically, _h5ai_research.php appears to be a shell - it identifies
> > itself as "c99madshell v.2.0 madnet edition" and prompts for login.  It is
> > EXTREMELY unlikely that this is there intentionally.
> > 
> > Distressingly, the file has been there since 2014-09-26.
> > 
> > Now, it doesn't seem most download links point to that server; for example,
> > the main download page (ovirt.org/Download) link for 3.5 points to
> > "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything
> > there, but I didn't dig.
> > 
> > BUT - over on ovirt.org/Quick_Start_Guide - there's a link to
> > "http://resources.ovirt.org/releases/stable/iso/" - which redirects to
> > http://resources01.phx.ovirt.org/releases/stable/iso/ - the server
> > mentioned above.
> > 
> > On http://resources01.phx.ovirt.org/releases/ there's a link to an html
> > file which redirects you to "plain.resources01.phx.ovirt.org" - which is
> > where I saw the file in question.
> > 
> > Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> > The filename is _h5ai_research.php - but it is most certainly not h5ai
> > related.
> > 
> > If this phx server isn't in use any longer, as it seems may be the case, it
> > should be powered down & cleaned up, DNS entries to it should get removed,
> > and links updated.  Fun fact:  "resources01.phx.ovirt.org (66.187.230.19)"
> > appears to be in a RedHat NOC, whereas "resources.ovirt.org
> > (173.255.252.138)" which seems fine & shares list functions?  Lives at
> > Linode.
> 
> We plan on migrating away from the linode machine, but this is a long
> process. That's why you see both. IIRC /releases/ is the old directory
> structure which we archived. This also means that the mirror network
> should not be affected.

Just an update: we're still waiting for the memory upgrade on the hypervisors in order to push this migration.


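The thread's find-and-contain sequence (a PHP file on a static download tree, identified by its c99madshell banner, then chmod 000 as a stopgap) can be turned into a repeatable sweep. The script below is an added example, not oVirt infra code or anything posted in this thread: it walks a web root, flags any file the server would execute as PHP, any non-PHP file carrying a PHP open tag (a renamed shell), and any file matching a small, constructed list of shell signatures, reports each hit with its UTC mtime so it can be lined up with access logs, and offers the same chmod 000 containment. The sample tree it builds mirrors the layout described above and is constructed for the example.

```python
"""Sweep a static download tree for PHP web shells (illustrative, not oVirt infra code)."""
import os
import stat
import time
from dataclasses import dataclass
from typing import List

# Banner strings and primitives commonly seen in PHP web shells.  The first two
# are the banner quoted in the thread; the rest are typical obfuscation/exec
# calls.  Constructed list: extend it from your own indicators.
SHELL_SIGNATURES = [
    b"c99madshell",
    b"madnet edition",
    b"eval(base64_decode(",
    b"eval(gzinflate(",
    b"shell_exec(",
    b"passthru(",
]

# Extensions a typical Apache/PHP setup would execute.  None of these belong
# on a mirror that only serves ISOs, RPMs and directory listings.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


@dataclass
class Finding:
    relpath: str
    reasons: List[str]
    mtime: str  # UTC, so it can be lined up with web server access logs


def scan_webroot(root: str, max_read: int = 1 << 20) -> List[Finding]:
    """Walk `root` and flag files that are PHP or look like a web shell."""
    findings: List[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            reasons: List[str] = []
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"server-executable extension {ext}")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_read).lower()
            except OSError:
                continue
            if ext not in EXECUTABLE_EXTS and b"<?php" in head:
                reasons.append("PHP open tag in a non-PHP file")
            for sig in SHELL_SIGNATURES:
                if sig in head:
                    reasons.append(f"signature {sig.decode()!r}")
            if reasons:
                findings.append(Finding(
                    relpath=os.path.relpath(path, root).replace(os.sep, "/"),
                    reasons=reasons,
                    mtime=time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
                ))
    return sorted(findings, key=lambda f: f.relpath)


def quarantine(path: str) -> int:
    """Short-term containment as done in the thread: chmod 000 so the web
    server can neither read nor execute the file.  Returns the new mode bits.
    Keep the file (do not delete it) so its mtime and contents survive for
    the investigation."""
    os.chmod(path, 0)
    return stat.S_IMODE(os.stat(path).st_mode)


def build_sample_tree(root: str) -> None:
    """Constructed sample tree mimicking the layout described in the thread."""
    files = {
        "releases/index.html": b"<html><body>h5ai listing</body></html>\n",
        "pub/ovirt-3.5/README": b"oVirt 3.5 release artifacts\n",
        # the shell reported in the thread, by name and banner
        "releases/_h5ai_research.php":
            b"<?php /* c99madshell v.2.0 madnet edition */ $auth = md5($_POST['pass']); ?>\n",
        # a renamed shell that an extension-only check would miss
        "pub/cache/thumb.jpg": b"\xff\xd8<?php eval(base64_decode($_GET['c'])); ?>\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in scan_webroot(tmp):
            print(f"{f.mtime}  {f.relpath}: {'; '.join(f.reasons)}")
            quarantine(os.path.join(tmp, f.relpath))
```

Run it against the real document root instead of the sample tree, and treat the mtime as a starting point only: an attacker can set it, so confirm the upload date from the access logs for the path rather than from the filesystem.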

