A couple of thoughts here.
1: Sandro, David: Yes, h5ai is the template engine providing the indexes, but I'm
not sure there's anything related there other than the filename, possibly used to
"disguise" it. (My brief searches for known vulnerabilities in that release of
h5ai didn't turn anything up).
2: Ewoud: It's actually the machine within the redhat NOC (per its IP whois anyway)
that seems to be exploited, whereas the Linode machine didn't show up anything obvious
from a cursory look at the directory trees. (Certainly both deserve a search for php
shells!) Some notes on that below.
3: These machines host downloads, binary and src, I think? Hopefully none of them have
been toyed with, but that certainly bears an audit. Are any code *repositories* hosted
there?
It's worth running clamscan, as well as one of the regex monsters that searches for
php-shell telltale signs against all the webroots, à la:
grep -lroE --include='*.php' \
  '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' \
  /var/www/html/ /srv/https/whatever.you.use /var/www/some.otherdomain.maybe/
--Geoff Maciolek
PVDCHosting, LLC
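A self-contained version of the sweep described above, added here as an example and not part of the original mail or of the oVirt infrastructure: a POSIX sh script that wraps the same grep -E indicator pattern in a function, adds a second check that lists every .php file outside the index engine's own directory (the assumption being that a plain download tree should carry no PHP other than h5ai itself), and builds a constructed sample webroot with inert indicator strings so it can be run offline. The directory layout, file names and the indicator lines in the sample tree are all made up for the demonstration; only the regex is from the mail.

```shell
#!/bin/sh
# Added example: PHP web-shell indicator sweep over a webroot.
# Assumptions: GNU/BSD grep with -r and --include, POSIX sh, mktemp -d.

# The telltale-sign pattern quoted in the mail, kept verbatim. Single quotes
# mean grep receives the backslashes unchanged, so \$ and \( are literals.
PHP_SHELL_REGEX='((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))'

# scan_php_shells DIR...: print the path of every .php file under DIR(s)
# containing at least one indicator, sorted. Always exits 0 so it can be
# piped; "no hits" is an empty listing, not an error.
scan_php_shells() {
    grep -lrE --include='*.php' -e "$PHP_SHELL_REGEX" "$@" 2>/dev/null | sort
    return 0
}

# count_php_shell_hits DIR...: number of files flagged by scan_php_shells.
count_php_shell_hits() {
    scan_php_shells "$@" | wc -l | tr -d ' '
}

# list_unexpected_php ROOT ALLOWED_DIR: every .php file under ROOT that is
# not below ALLOWED_DIR (e.g. the h5ai install). Assumption: a download
# mirror has no business serving PHP outside its index engine, so anything
# listed here deserves a look even if the regex above stays quiet.
list_unexpected_php() {
    find "$1" -type f -name '*.php' ! -path "$2/*" | sort
}

# make_sample_webroot: build a constructed tree in a temp dir and print its
# path. The "shell" files only contain inert indicator strings.
make_sample_webroot() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/releases/_h5ai" "$sample_root/uploads"
    # clean files
    printf '%s\n' '<?php echo "index"; ?>' > "$sample_root/index.php"
    printf '%s\n' '<?php require "lib.php"; ?>' > "$sample_root/releases/_h5ai/index.php"
    # constructed indicators: eval(base64_decode(...)) and an all-0/O variable name
    printf '%s\n' '<?php eval(base64_decode("QUJD")); ?>' > "$sample_root/uploads/x.php"
    printf '%s\n' '<?php $OO0O0O = "FilesMan"; ?>' > "$sample_root/uploads/y.php"
    # indicator in a non-.php file: --include='*.php' must skip it
    printf '%s\n' 'FilesMan' > "$sample_root/uploads/notes.txt"
    printf '%s' "$sample_root"
}

# Stand-alone run: sweep the constructed tree and clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_webroot)
    echo "indicator hits:"; scan_php_shells "$root"
    echo "php outside h5ai:"; list_unexpected_php "$root" "$root/releases/_h5ai"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the two listings on the sample tree, or call `scan_php_shells /var/www/html /srv/https/...` against real webroots. The regex is a triage aid, not proof: obfuscated shells dodge it and legitimate code occasionally trips it, which is why the second listing of "any PHP where none should be" is the check that matters on a download-only host.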
________________________________________
From: Eyal Edri [eedri(a)redhat.com]
Sent: Monday, April 13, 2015 6:24 AM
To: Ewoud Kohl van Wijngaarden
Cc: infra(a)ovirt.org
Subject: Re: Exploited mirror/server - resources01.phx.ovirt.org
----- Original Message -----
From: "Ewoud Kohl van Wijngaarden" <ewoud+ovirt(a)kohlvanwijngaarden.nl>
To: infra(a)ovirt.org
Sent: Monday, April 13, 2015 1:23:20 PM
Subject: Re: Exploited mirror/server - resources01.phx.ovirt.org
On Sun, Apr 12, 2015 at 10:17:50PM +0000, Geoff Maciolek wrote:
> Sorry if this got replicated. "Short version: someone stuck a PHP shell
> onto one of the oVirt download servers."
Thank you for bringing this to our attention. For the very short term I
chmodded it 000 so at least it can't be opened now. We will investigate
further and try to find out how it got there.
> Long version - probably worth reading in its entirety:
>
> Folks, there's a "suspicious" file I saw when browsing
> plain.resources01.phx.ovirt.org
>
> Specifically, _h5ai_research.php appears to be a shell - it identifies
> itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is
> EXTREMELY unlikely that this is there intentionally.
>
> Distressingly, the file has been there since 2014-09-26.
>
> Now, it doesn't seem most download links point to that server; for example,
> the main download page (ovirt.org/Download) link for 3.5 points to
> "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything
> there, but I didn't dig.
>
> BUT - over on ovirt.org/Quick_Start_Guide - there's a link to
> "http://resources.ovirt.org/releases/stable/iso/" - which redirects to
> http://resources01.phx.ovirt.org/releases/stable/iso/ - the server
> mentioned above.
>
> On http://resources01.phx.ovirt.org/releases/ there's a link to an html
> file which redirects you to "plain.resources01.phx.ovirt.org" - which is
> where I saw the file in question.
>
> Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> The filename is _h5ai_research.php - but it is most certainly not h5ai
> related.
>
> If this phx server isn't in use any longer, as it seems may be the case, it
> should be powered down & cleaned up, DNS entries to it should get removed,
> and links updated. Fun fact: "resources01.phx.ovirt.org (66.187.230.19)"
> appears to be in a RedHat NOC, whereas "resources.ovirt.org
> (173.255.252.138)" which seems fine & shares list functions? Lives at
> Linode.
We plan on migrating away from the linode machine, but this is a long
process. That's why you see both. IIRC /releases/ is the old directory
structure which we archived. This also means that the mirror network
should not be affected.
Just an update: we're still waiting for the memory upgrade on the hypervisors in order to
push this migration.
_______________________________________________
Infra mailing list
Infra(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra