Exploited mirror/server - resources01.phx.ovirt.org

Geoff Maciolek GMaciolek at pvdchosting.com
Mon Apr 13 13:19:47 UTC 2015


A couple of thoughts here.

1:  Sandro, David:  Yes, h5ai is the template engine providing the indexes, but I'm not sure there's anything related there other than the filename, possibly used to "disguise" it.  (My brief searches for known vulnerabilities in that release of h5ai didn't turn anything up).
2:  Ewoud:  It's actually the machine within the redhat NOC (per its IP whois anyway) that seems to be exploited, whereas the Linode machine didn't show up anything obvious from a cursory look at the directory trees.  (Certainly both deserve a search for php shells!)  Some notes on that below.
3:  These machines host downloads, binary and src, I think?  Hopefully none of them have been toyed with, but that certainly bears an audit. Are any code *repositories* hosted there?

It's worth running clamscan, as well as one of the regex monsters that searches for php-shell telltale signs against all the webroots, a la:

grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' /var/www/html/ /srv/https/whatever.you.use /var/www/some.otherdomain.maybe/ -lroE --include='*.php'

--Geoff Maciolek
PVDCHosting, LLC
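
A scripted version of the webroot sweep suggested above, added here as an example and not part of the thread: it applies the same indicator set as the grep one-liner to every .php file under a directory and also reports each flagged file's modification time, since the thread notes the shell had sat on the server since 2014-09-26. The sample webroot and its file contents are constructed for the demo; the `_h5ai_research.php` name is only a stand-in for the file the thread describes.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicator set from the grep one-liner above, translated from ERE to Python re syntax.
SHELL_INDICATORS = re.compile(
    r"(eval.*(base64_decode|gzinflate|\$_))"
    r"|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid"
    r"|Array\(base64_decode|document\.write\(\"\\u00|sh(3(ll|11))"
)

def scan_webroot(root, exts=(".php",)):
    """Return (path, line_no, matched_text, mtime_iso) for each PHP file that
    contains an indicator. Files are read as latin-1 so binary junk cannot
    abort the scan. mtime is a triage hint only; an attacker can reset it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            with open(path, encoding="latin-1") as fh:
                for no, line in enumerate(fh, 1):
                    m = SHELL_INDICATORS.search(line)
                    if m:
                        hits.append((path, no, m.group(0), mtime.isoformat()))
                        break  # one indicator is enough to flag the file
    return hits

# Constructed sample webroot: a benign script, a script carrying shell
# tell-tales, and a non-PHP file that must be skipped by the extension filter.
SAMPLES = {
    "index.php": "<?php echo 'hello'; ?>\n",
    "_h5ai_research.php": "<?php $auth='JGF1dGhfc...'; // FilesMan\n"
                          "eval(gzinflate(base64_decode($code)));\n",
    "notes.txt": "eval(base64_decode('...'))\n",
}

def build_sample_webroot():
    root = tempfile.mkdtemp(prefix="webroot_")
    for name, body in SAMPLES.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, no, ind, mtime in scan_webroot(build_sample_webroot()):
        print(f"{path}:{no}: indicator {ind!r} (mtime {mtime})")
```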

________________________________________
From: Eyal Edri [eedri at redhat.com]
Sent: Monday, April 13, 2015 6:24 AM
To: Ewoud Kohl van Wijngaarden
Cc: infra at ovirt.org
Subject: Re: Exploited mirror/server - resources01.phx.ovirt.org

----- Original Message -----
> From: "Ewoud Kohl van Wijngaarden" <ewoud+ovirt at kohlvanwijngaarden.nl>
> To: infra at ovirt.org
> Sent: Monday, April 13, 2015 1:23:20 PM
> Subject: Re: Exploited mirror/server - resources01.phx.ovirt.org
>
> On Sun, Apr 12, 2015 at 10:17:50PM +0000, Geoff Maciolek wrote:
> > Sorry if this got replicated.  "Short version: someone stuck a PHP shell
> > onto one of the oVirt download servers."
>
> Thank you for bringing this to our attention. For the very short term I
> chmodded it 000 so at least it can't be opened now. We will investigate
> further and try to find out how it got there.
>
> > Long version - probably worth reading in its entirety:
> >
> > Folks, there's a "suspicious" file I saw when browsing
> > plain.resources01.phx.ovirt.org
> >
> > Specifically, _h5ai_research.php appears to be a shell - it identifies
> > itself as "c99madshell v.2.0 madnet edition" and prompts for login.  It is
> > EXTREMELY unlikely that this is there intentionally.
> >
> > Distressingly, the file has been there since 2014-09-26.
> >
> > Now, it doesn't seem most download links point to that server; for example,
> > the main download page (ovirt.org/Download) link for 3.5 points to
> > "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything
> > there, but I didn't dig.
> >
> > BUT - over on ovirt.org/Quick_Start_Guide - there's a link to
> > "http://resources.ovirt.org/releases/stable/iso/" - which redirects to
> > http://resources01.phx.ovirt.org/releases/stable/iso/ - the server
> > mentioned above.
> >
> > On http://resources01.phx.ovirt.org/releases/ there's a link to an html
> > file which redirects you to "plain.resources01.phx.ovirt.org" - which is
> > where I saw the file in question.
> >
> > Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> > The filename is _h5ai_research.php - but it is most certainly not h5ai
> > related.
> >
> > If this phx server isn't in use any longer, as it seems may be the case, it
> > should be powered down & cleaned up, DNS entries to it should get removed,
> > and links updated.  Fun fact:  "resources01.phx.ovirt.org (66.187.230.19)"
> > appears to be in a RedHat NOC, whereas "resources.ovirt.org
> > (173.255.252.138)" which seems fine & shares list functions?  Lives at
> > Linode.
>
> We plan on migrating away from the linode machine, but this is a long
> process. That's why you see both. IIRC /releases/ is the old directory
> structure which we archived. This also means that the mirror network
> should not be affected.

Just an update: we're still waiting for the memory upgrade on the hypervisors in order to push this migration.

> _______________________________________________
> Infra mailing list
> Infra at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra