From GMaciolek at pvdchosting.com Sun Apr 12 17:59:00 2015
From: Geoff Maciolek
To: infra at ovirt.org
Subject: Probable exploited webserver: resources01.phx.ovirt.org
Date: Sun, 12 Apr 2015 21:58:57 +0000
Folks, there's a suspicious file I saw when browsing plain.resources01.phx.ovirt.org

Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.

Distressingly, the file has been there since 2014-09-26.

--Geoff Maciolek
PVDCHosting, LLC