Exploited mirror/server - resources01.phx.ovirt.org

Sorry if this got replicated. "Short version: someone stuck a PHP shell onto one of the oVirt download servers."

Long version - probably worth reading in its entirety:

Folks, there's a "suspicious" file I saw when browsing plain.resources01.phx.ovirt.org.

Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.

Distressingly, the file has been there since 2014-09-26.

Now, it doesn't seem most download links point to that server; for example, the main download page (ovirt.org/Download) link for 3.5 points to "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything there, but I didn't dig.

BUT - over on ovirt.org/Quick_Start_Guide - there's a link to "http://resources.ovirt.org/releases/stable/iso/" - which redirects to http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned above.

On http://resources01.phx.ovirt.org/releases/ there's a link to an html file which redirects you to "plain.resources01.phx.ovirt.org" - which is where I saw the file in question.

Visible in this index: http://plain.resources01.phx.ovirt.org/releases/

The filename is _h5ai_research.php - but it is most certainly not h5ai related.

If this phx server isn't in use any longer, as it seems may be the case, it should be powered down & cleaned up, DNS entries to it should get removed, and links updated.

Fun fact: "resources01.phx.ovirt.org (66.187.230.19)" appears to be in a RedHat NOC, whereas "resources.ovirt.org (173.255.252.138)" which seems fine & shares list functions? Lives at Linode.

--Geoff Maciolek
This e-mail does not reflect the position of PVDC Hosting, LLC or any affiliated companies.
Replies may be directed to this address or to geoffmaciolek@gmail.com.

On 13/04/2015 00:17, Geoff Maciolek wrote:
> Sorry if this got replicated. "Short version: someone stuck a PHP shell onto one of the oVirt download servers."
> Long version - probably worth reading in its entirety:
> Folks, there's a "suspicious" file I saw when browsing plain.resources01.phx.ovirt.org.
> Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.

David, isn't h5ai the template engine running as the file indexer on the resource.ovirt.org server? Following the link on http://resources.ovirt.org/pub/ lands on http://larsjung.de/h5ai/. Do you remember when the template engine was installed there?

> Distressingly, the file has been there since 2014-09-26.
> Now, it doesn't seem most download links point to that server; for example, the main download page (ovirt.org/Download) link for 3.5 points to "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything there, but I didn't dig.
> BUT - over on ovirt.org/Quick_Start_Guide - there's a link to "http://resources.ovirt.org/releases/stable/iso/" - which redirects to http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned above.
> On http://resources01.phx.ovirt.org/releases/ there's a link to an html file which redirects you to "plain.resources01.phx.ovirt.org" - which is where I saw the file in question.
> Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> The filename is _h5ai_research.php - but it is most certainly not h5ai related.
> If this phx server isn't in use any longer, as it seems may be the case, it should be powered down & cleaned up, DNS entries to it should get removed, and links updated.
> Fun fact: "resources01.phx.ovirt.org (66.187.230.19)" appears to be in a RedHat NOC, whereas "resources.ovirt.org (173.255.252.138)" which seems fine & shares list functions? Lives at Linode.
> --Geoff Maciolek
> This e-mail does not reflect the position of PVDC Hosting, LLC or any affiliated companies.
> Replies may be directed to this address or to geoffmaciolek@gmail.com.
>
> _______________________________________________
> Infra mailing list
> Infra@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra

--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com

On Sun, Apr 12, 2015 at 10:17:50PM +0000, Geoff Maciolek wrote:
> Sorry if this got replicated. "Short version: someone stuck a PHP shell onto one of the oVirt download servers."

Thank you for bringing this to our attention. For the very short term I chmodded it 000 so at least it can't be opened now. We will investigate further and try to find out how it got there.

> Long version - probably worth reading in its entirety:
> Folks, there's a "suspicious" file I saw when browsing plain.resources01.phx.ovirt.org.
> Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.
> Distressingly, the file has been there since 2014-09-26.
> Now, it doesn't seem most download links point to that server; for example, the main download page (ovirt.org/Download) link for 3.5 points to "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything there, but I didn't dig.
> BUT - over on ovirt.org/Quick_Start_Guide - there's a link to "http://resources.ovirt.org/releases/stable/iso/" - which redirects to http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned above.
> On http://resources01.phx.ovirt.org/releases/ there's a link to an html file which redirects you to "plain.resources01.phx.ovirt.org" - which is where I saw the file in question.
> Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> The filename is _h5ai_research.php - but it is most certainly not h5ai related.
> If this phx server isn't in use any longer, as it seems may be the case, it should be powered down & cleaned up, DNS entries to it should get removed, and links updated.
> Fun fact: "resources01.phx.ovirt.org (66.187.230.19)" appears to be in a RedHat NOC, whereas "resources.ovirt.org (173.255.252.138)" which seems fine & shares list functions? Lives at Linode.

We plan on migrating away from the Linode machine, but this is a long process. That's why you see both. IIRC /releases/ is the old directory structure which we archived. This also means that the mirror network should not be affected.

----- Original Message -----
From: "Ewoud Kohl van Wijngaarden" <ewoud+ovirt@kohlvanwijngaarden.nl>
To: infra@ovirt.org
Sent: Monday, April 13, 2015 1:23:20 PM
Subject: Re: Exploited mirror/server - resources01.phx.ovirt.org

> On Sun, Apr 12, 2015 at 10:17:50PM +0000, Geoff Maciolek wrote:
> > Sorry if this got replicated. "Short version: someone stuck a PHP shell onto one of the oVirt download servers."
>
> Thank you for bringing this to our attention. For the very short term I chmodded it 000 so at least it can't be opened now. We will investigate further and try to find out how it got there.
>
> > Long version - probably worth reading in its entirety:
> > Folks, there's a "suspicious" file I saw when browsing plain.resources01.phx.ovirt.org.
> > Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.
> > Distressingly, the file has been there since 2014-09-26.
> > Now, it doesn't seem most download links point to that server; for example, the main download page (ovirt.org/Download) link for 3.5 points to "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything there, but I didn't dig.
> > BUT - over on ovirt.org/Quick_Start_Guide - there's a link to "http://resources.ovirt.org/releases/stable/iso/" - which redirects to http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned above.
> > On http://resources01.phx.ovirt.org/releases/ there's a link to an html file which redirects you to "plain.resources01.phx.ovirt.org" - which is where I saw the file in question.
> > Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> > The filename is _h5ai_research.php - but it is most certainly not h5ai related.
> > If this phx server isn't in use any longer, as it seems may be the case, it should be powered down & cleaned up, DNS entries to it should get removed, and links updated.
> > Fun fact: "resources01.phx.ovirt.org (66.187.230.19)" appears to be in a RedHat NOC, whereas "resources.ovirt.org (173.255.252.138)" which seems fine & shares list functions? Lives at Linode.
>
> We plan on migrating away from the Linode machine, but this is a long process. That's why you see both. IIRC /releases/ is the old directory structure which we archived. This also means that the mirror network should not be affected.

Just an update: we're still waiting for the memory upgrade on the hypervisors in order to push this migration.

A couple of thoughts here.

1: Sandro, David: Yes, h5ai is the template engine providing the indexes, but I'm not sure there's anything related there other than the filename, possibly used to "disguise" it. (My brief searches for known vulnerabilities in that release of h5ai didn't turn anything up.)

2: Ewoud: It's actually the machine within the redhat NOC (per its IP whois anyway) that seems to be exploited, whereas the Linode machine didn't show up anything obvious from a cursory look at the directory trees. (Certainly both deserve a search for php shells!) Some notes on that below.

3: These machines host downloads, binary and src, I think? Hopefully none of them have been toyed with, but that certainly bears an audit. Are any code *repositories* hosted there?

It's worth running clamscan, as well as one of the regex monsters that searches for php-shell telltale signs against all the webroots, a la:

grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' /var/www/html/ /srv/https/whatever.you.use /var/www/some.otherdomain.maybe/ -lroE --include='*.php'

--Geoff Maciolek
PVDCHosting, LLC

________________________________________
From: Eyal Edri [eedri@redhat.com]
Sent: Monday, April 13, 2015 6:24 AM
To: Ewoud Kohl van Wijngaarden
Cc: infra@ovirt.org
Subject: Re: Exploited mirror/server - resources01.phx.ovirt.org
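As an added example (not code from the thread or from the oVirt project), here is the audit Geoff suggests done in Python rather than grep: it applies the telltale patterns from his one-liner, plus the "c99madshell" banner string the file displayed, to every *.php file under a webroot, records each hit's mode and modification date (the stamp the thread used to date the file to 2014-09-26) and reports files it cannot read, since a file chmodded 000 as containment would otherwise vanish from the scan. The webroot and its fixture files are constructed inside the block; the telltales appear in PHP comments only, so nothing in the fixture is executable.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Telltales from the grep one-liner in the thread (ERE and Python re agree on these), plus
# the banner the shell on resources01 displayed ("c99madshell"), which the grep lacks.
TELLTALES = re.compile(
    r"eval.*(base64_decode|gzinflate|\$_)|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl"
    r"|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\(\"\\u00"
    r"|sh3(ll|11)|c99(mad)?shell"
)

def scan_webroot(root, pattern=TELLTALES):
    """One record per *.php file under root that matches a telltale or cannot be read
    (a file chmodded 000 during containment must show up, not be skipped silently)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):  # same scope as grep --include='*.php'
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    match = pattern.search(fh.read())
                telltale = match.group(0) if match else None
            except PermissionError:
                telltale = "UNREADABLE"
            if telltale:
                st = os.stat(path)
                # modification date: the stamp the thread used to date the shell
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).date().isoformat()
                hits.append({"path": os.path.relpath(path, root), "telltale": telltale,
                             "mode": oct(st.st_mode & 0o777), "mtime": mtime})
    return sorted(hits, key=lambda h: h["path"])

def build_sample_tree():
    """Constructed fixture webroot: a benign index, a non-PHP file carrying a telltale
    (must be ignored) and two inert PHP files whose telltales sit in comments only."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.mkdir(os.path.join(root, "uploads"))
    fixtures = {
        "index.php": "<?php echo 'oVirt mirror index'; ?>\n",
        "notes.txt": "FilesMan mentioned in prose, not PHP\n",
        "_h5ai_research.php": "<?php\n// constructed, inert: c99madshell v.2.0 madnet edition\n",
        "uploads/cache.php": "<?php\n// constructed, inert: eval(base64_decode($x))\n",
    }
    for rel, body in fixtures.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Pointed at real webroots (the paths from the grep), the `mode` column also shows which hits have already been neutralised with chmod 000.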
Participants (4):
- Ewoud Kohl van Wijngaarden
- Eyal Edri
- Geoff Maciolek
- Sandro Bonazzola