On 13/04/2015 00:17, Geoff Maciolek wrote:
Sorry if this got replicated. "Short version: someone stuck a
PHP shell onto one of the oVirt download servers."
Long version - probably worth reading in its entirety:
Folks, there's a "suspicious" file I saw when browsing plain.resources01.phx.ovirt.org
Specifically, _h5ai_research.php appears to be a shell - it identifies itself as
"c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY
unlikely that this is there intentionally.
David, isn't h5ai the template engine running as file indexer on the resource.ovirt.org server?
Following the link on http://resources.ovirt.org/pub/ it lands on http://larsjung.de/h5ai/
Do you remember when the template engine was installed there?
Distressingly, the file has been there since 2014-09-26.
Now, it doesn't seem most download links point to that server; for example, the main
download page (ovirt.org/Download) link for 3.5 points to
"http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything
there, but I didn't dig.
BUT - over on ovirt.org/Quick_Start_Guide - there's a link to
"http://resources.ovirt.org/releases/stable/iso/" - which redirects to
http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned above.
On http://resources01.phx.ovirt.org/releases/ there's a link to an html file which
redirects you to "plain.resources01.phx.ovirt.org" - which is where I saw the
file in question.
Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
The filename is _h5ai_research.php - but it is most certainly not h5ai related.
If this phx server isn't in use any longer, as it seems may be the case, it should be
powered down & cleaned up, DNS entries to it should get removed, and links updated.
Fun fact: "resources01.phx.ovirt.org (66.187.230.19)" appears to be in a RedHat
NOC, whereas "resources.ovirt.org (173.255.252.138)" which seems fine &
shares list functions? Lives at Linode.
--Geoff Maciolek
This e-mail does not reflect the position of PVDC Hosting, LLC or any affiliated
companies.
Replies may be directed to this address or to geoffmaciolek(a)gmail.com,
--
Sandro Bonazzola
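
A check for the situation reported in this thread, added here as an example and not taken from the thread or from oVirt infrastructure: it walks a tree that should hold only static downloads and reports script files outside the indexer's own directory, or containing the banner string quoted in the report, together with their modification date. The `_h5ai` allowlist entry, the extension set, and the sample tree are assumptions constructed for the example.

```python
import os
import tempfile
from datetime import datetime, timezone

# Extensions a PHP-enabled web server may execute (assumed handler mapping).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}
# Banner text quoted in the report, matched case-insensitively in file content.
BANNER_MARKERS = [b"c99madshell"]
# Assumption: the indexer's own scripts live only under this top-level directory.
ALLOWED_SCRIPT_DIRS = {"_h5ai"}

def scan_tree(root):
    """Flag script files in a tree that should hold only static downloads."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(1 << 20).lower()  # banner search in first 1 MiB
            reasons = []
            if top not in ALLOWED_SCRIPT_DIRS:
                reasons.append("script outside indexer directory")
            reasons += ["banner:" + m.decode() for m in BANNER_MARKERS if m in head]
            if reasons:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                findings.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                                 "mtime": mtime.strftime("%Y-%m-%d"), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root):
    """Constructed layout: one indexer script, one ISO, one planted file."""
    files = {
        "_h5ai/index.php": b"<?php /* constructed indexer entry point */ ?>",
        "releases/stable/iso/sample.iso": b"\x00" * 16,
        "releases/_h5ai_research.php": b"<?php /* c99madshell v.2.0 madnet edition */ ?>",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in scan_tree(tmp):
            print(f["mtime"], f["path"], "; ".join(f["reasons"]))
```

The reported modification date is only a lower bound for triage, since file timestamps can be changed by whoever wrote the file.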