From: "Ewoud Kohl van Wijngaarden" <ewoud+ovirt(a)kohlvanwijngaarden.nl>
To: infra(a)ovirt.org
Sent: Monday, April 13, 2015 1:23:20 PM
Subject: Re: Exploited mirror/server - resources01.phx.ovirt.org
On Sun, Apr 12, 2015 at 10:17:50PM +0000, Geoff Maciolek wrote:
> Sorry if this got replicated. "Short version: someone stuck a PHP shell
> onto one of the oVirt download servers."
Thank you for bringing this to our attention. For the very short term I
chmodded it 000 so at least it can't be opened now. We will investigate
further and try to find out how it got there.
> Long version - probably worth reading in its entirety:
>
> Folks, there's a "suspicious" file I saw when browsing
> plain.resources01.phx.ovirt.org
>
> Specifically, _h5ai_research.php appears to be a shell - it identifies
> itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is
> EXTREMELY unlikely that this is there intentionally.
>
> Distressingly, the file has been there since 2014-09-26.
>
> Now, it doesn't seem most download links point to that server; for example,
> the main download page (ovirt.org/Download) link for 3.5 points to
> "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything
> there, but I didn't dig.
>
> BUT - over on ovirt.org/Quick_Start_Guide - there's a link to
> "http://resources.ovirt.org/releases/stable/iso/" - which redirects to
> http://resources01.phx.ovirt.org/releases/stable/iso/ - the server
> mentioned above.
>
> On http://resources01.phx.ovirt.org/releases/ there's a link to an html
> file which redirects you to "plain.resources01.phx.ovirt.org" - which is
> where I saw the file in question.
>
> Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> The filename is _h5ai_research.php - but it is most certainly not h5ai
> related.
>
> If this phx server isn't in use any longer, as it seems may be the case, it
> should be powered down & cleaned up, DNS entries to it should get removed,
> and links updated. Fun fact: "resources01.phx.ovirt.org (66.187.230.19)"
> appears to be in a RedHat NOC, whereas "resources.ovirt.org
> (173.255.252.138)" which seems fine & shares list functions? Lives at
> Linode.
We plan on migrating away from the linode machine, but this is a long
process. That's why you see both. IIRC /releases/ is the old directory
structure which we archived. This also means that the mirror network
should not be affected.
Just an update: we're still waiting on the memory upgrade for the hypervisors
in order to push this migration.
_______________________________________________
Infra mailing list
Infra(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra
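The triage steps the thread describes (find the stray PHP file in a tree that should only hold release artifacts, date it, and contain it with mode 000 while the investigation continues) as an added example script. This is not oVirt infra's own tooling and was not posted in the thread. It assumes a download tree that is meant to serve static files only, so any .php under it is suspect; it uses "c99madshell" (the string the reported file identified itself with) plus a few generic web-shell constructs as markers; the sample tree it builds is constructed for the demo and does not reflect real oVirt content; and it relies on GNU coreutils (stat -c, sha256sum).

```shell
#!/bin/sh
# Added example for this thread, not oVirt infra's own tooling. Triage of a
# static download tree for a planted PHP shell like the one reported above.
# Assumptions (mine): the tree is meant to serve only static release files,
# so any .php is suspect; "c99madshell" is the string the reported file used
# to identify itself; GNU coreutils (stat -c, sha256sum) are available.

# Strings commonly found in PHP web shells. The first is from the report;
# the rest are generic constructs, so treat hits as leads, not proof.
WEBSHELL_MARKERS='c99madshell
c99shell
r57shell
eval(base64_decode(
eval(gzinflate(
passthru($_'

# list_php ROOT: every .php under ROOT. In a static-only tree the expected
# output is empty; anything listed needs an owner and an explanation.
list_php() {
    find "$1" -type f -name '*.php'
}

# scan_webshells ROOT: for each .php under ROOT, report the first marker it
# contains as "<mtime>\t<ctime>\t<path>\t<marker>". mtime is what the report
# dated the file by, but an attacker can set mtime with touch; ctime cannot
# be set from userland, so compare the two when dating an intrusion.
scan_webshells() {
    list_php "$1" | while IFS= read -r f; do
        printf '%s\n' "$WEBSHELL_MARKERS" | while IFS= read -r m; do
            if grep -q -i -F -- "$m" "$f"; then
                printf '%s\t%s\t%s\t%s\n' \
                    "$(stat -c %y "$f")" "$(stat -c %z "$f")" "$f" "$m"
                break
            fi
        done
    done
}

# quarantine PATH: the short-term containment used in the thread (mode 000
# so the web server can neither execute nor serve it), preceded by a hash so
# the artifact can be matched against other hosts and mirrors. Hash first:
# once the mode is 000 an unprivileged user can no longer read the file.
# Do not delete it: the file and its timestamps are evidence.
quarantine() {
    sha256sum "$1"
    chmod 000 "$1"
}

# Self-contained demo on a constructed sample tree (not real oVirt content).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/releases/stable/iso"
    printf '<html>index</html>\n' > "$tmp/releases/stable/iso/index.html"
    printf '<?php /* c99madshell v.2.0 madnet edition */ ?>\n' \
        > "$tmp/releases/_h5ai_research.php"
    printf '<?php phpinfo(); ?>\n' > "$tmp/releases/info.php"
    echo "== stray PHP files =="
    list_php "$tmp"
    echo "== web-shell markers =="
    scan_webshells "$tmp"
    echo "== quarantine =="
    scan_webshells "$tmp" | cut -f3 | while IFS= read -r hit; do
        quarantine "$hit"
    done
    rm -rf "$tmp"
}

demo
```

Run it against the real document root (as the web server's owner or root) rather than the demo tree; the marker list only catches what it names, so the empty-`list_php` check is the stronger signal on a static-only host. The hash is what lets you search the other mirrors and the Linode box for the same artifact before the file is altered further, and the web server's access log, grepped for the file name, is the quickest way to learn when it was first requested and from where.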