
On 13/04/2015 00:17, Geoff Maciolek wrote:
> Sorry if this got replicated. "Short version: someone stuck a PHP shell onto one of the oVirt download servers."
>
> Long version - probably worth reading in its entirety:
>
> Folks, there's a "suspicious" file I saw when browsing plain.resources01.phx.ovirt.org
>
> Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.

David, isn't h5ai the template engine running as file indexer on the resource.ovirt.org server? Following the link on http://resources.ovirt.org/pub/, it lands on http://larsjung.de/h5ai/. Do you remember when the template engine was installed there?

> Distressingly, the file has been there since 2014-09-26.
>
> Now, it doesn't seem most download links point to that server; for example, the main download page (ovirt.org/Download) link for 3.5 points to "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything there, but I didn't dig.
>
> BUT - over on ovirt.org/Quick_Start_Guide - there's a link to "http://resources.ovirt.org/releases/stable/iso/" - which redirects to http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned above.
>
> On http://resources01.phx.ovirt.org/releases/ there's a link to an html file which redirects you to "plain.resources01.phx.ovirt.org" - which is where I saw the file in question.
>
> Visible in this index: http://plain.resources01.phx.ovirt.org/releases/ The filename is _h5ai_research.php - but it is most certainly not h5ai related.
>
> If this phx server isn't in use any longer, as it seems may be the case, it should be powered down & cleaned up, DNS entries to it should get removed, and links updated. Fun fact: "resources01.phx.ovirt.org (66.187.230.19)" appears to be in a RedHat NOC, whereas "resources.ovirt.org (173.255.252.138)" which seems fine & shares list functions? Lives at Linode.
>
> --Geoff Maciolek
> This e-mail does not reflect the position of PVDC Hosting, LLC or any affiliated companies.
> Replies may be directed to this address or to geoffmaciolek@gmail.com,
> _______________________________________________
> Infra mailing list
> Infra@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra

--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
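
A triage check for the situation reported in this thread, as an added example that is not part of the original messages or of oVirt's tooling: it lists PHP-executable files in a download tree that sit outside the indexer's own directory, with their modification date and whether the banner quoted in the report appears in them. The `_h5ai` allow-list entry, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Extensions the web server may execute as PHP (assumption: match your handler config).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}
# Banner text quoted in the report; a hit raises priority, absence proves nothing.
BANNER_MARKERS = (b"c99madshell", b"madnet edition")


def find_unexpected_scripts(root, allowed_dirs=("_h5ai",)):
    """List script files under root that sit outside the allowed top-level dirs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]
        if top in allowed_dirs:
            dirnames[:] = []  # the indexer's own tree is expected to hold code
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(1 << 20).lower()  # first 1 MiB covers a banner
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            findings.append({
                "path": os.path.relpath(path, root),
                "mtime_utc": mtime.strftime("%Y-%m-%d"),
                "markers": [m.decode() for m in BANNER_MARKERS if m in head],
            })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    files = {  # constructed sample tree; all contents are made up
        "_h5ai/index.php": b"<?php /* indexer code, expected here */",
        "releases/stable/iso/README.txt": b"static content",
        "releases/_h5ai_research.php": b"<?php /* c99madshell v.2.0 madnet edition */",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        ts = datetime(2014, 9, 26, 12, tzinfo=timezone.utc).timestamp()  # date from the report
        os.utime(os.path.join(root, "releases", "_h5ai_research.php"), (ts, ts))
        return find_unexpected_scripts(root)

if __name__ == "__main__":
    print(demo())
```

The modification time is only a starting point for the timeline, since whoever wrote the file could also have set it; compare it against web server access logs before relying on it.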