4:58 p.m.
--_000_A2D341A8808F024CAFA63F1287B9929CF1B98864EMBX01exchlocal_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Folks, there's a suspious file I saw when browsing plain.resources01.phx.ov=
irt.org
Specifically, _h5ai_research.php appears to be a shell - it identifies itse=
lf as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTR=
EMELY unlikely that this is there intentionally.
Distressingly, the file has been there since 2014-09-26.
--Geoff Maciolek
PVDCHosting, LLC
--_000_A2D341A8808F024CAFA63F1287B9929CF1B98864EMBX01exchlocal_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html dir=3D"ltr">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html;
charset=3Diso-8859-=
1">
<style id=3D"owaParaStyle" type=3D"text/css">P
{margin-top:0;margin-bottom:=
0;}</style>
</head>
<body ocsi=3D"0" fpstyle=3D"1">
<div style=3D"direction: ltr;font-family: Tahoma;color: #000000;font-size: =
10pt;">Folks, there's a suspious file I saw when browsing plain.resources01=
.phx.ovirt.org<br>
<br>
Specifically, _h5ai_research.php appears to be a shell - it identifies itse=
lf as "c99madshell v.2.0 madnet edition" and prompts for login.&n=
bsp; It is EXTREMELY unlikely that this is there intentionally.<br>
<br>
Distressingly, the file has been there since 2014-09-26.<br>
<div><br>
<div style=3D"font-family:Tahoma; font-size:13px">--Geoff
Maciolek<br>
PVDCHosting, LLC<br>
</div>
</div>
</div>
</body>
</html>
--_000_A2D341A8808F024CAFA63F1287B9929CF1B98864EMBX01exchlocal_--
7:40 a.m.
New subject: Fwd: Proable exploited webserver: resources01.phx.ovirt.org
------=_Part_6604786_317443247.1428928821836
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Making sure you guys saw this.
----- Forwarded Message -----
From: "Geoff Maciolek" <GMaciolek(a)pvdchosting.com>
To: webmaster(a)ovirt.org
Sent: Sunday, April 12, 2015 5:58:57 PM
Subject: Proable exploited webserver: resources01.phx.ovirt.org
Folks, there's a suspious file I saw when browsing
plain.resources01.phx.ovirt.org
Specifically, _h5ai_research.php appears to be a shell - it
identifies itself
as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY
unlikely that this is there intentionally.
Distressingly, the file has been there since 2014-09-26.
--Geoff Maciolek
PVDCHosting, LLC
_______________________________________________
Infra mailing list
Infra(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra
------=_Part_6604786_317443247.1428928821836
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
<html><body><div style="font-family: times new roman, new york, times,
serif; font-size: 12pt; color: #000000"><div>Making sure you guys saw
this.</div><div><br></div><hr
id="zwchr"><blockquote style="border-left:2px solid
#1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From:
</b>"Geoff Maciolek"
&lt;GMaciolek(a)pvdchosting.com&gt;<br><b>To:
</b>webmaster(a)ovirt.org<br><b>Sent: </b>Sunday, April 12, 2015
5:58:57 PM<br><b>Subject: </b>Proable exploited webserver:
resources01.phx.ovirt.org<br><div><br></div>
<style id="owaParaStyle">P {margin-top:0;margin-bottom:0;}</style>
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size:
10pt;">Folks, there's a suspious file I saw when browsing
plain.resources01.phx.ovirt.org<br>
<br>
Specifically, _h5ai_research.php appears to be a shell - it identifies itself as
"c99madshell v.2.0 madnet edition" and prompts for login. It is
EXTREMELY unlikely that this is there intentionally.<br>
<br>
Distressingly, the file has been there since 2014-09-26.<br>
<div><br>
<div style="font-family:Tahoma; font-size:13px">--Geoff
Maciolek<br>
PVDCHosting, LLC<br>
</div>
</div>
</div>
<br>_______________________________________________<br>Infra mailing
list<br>Infra@ovirt.org<br>http://lists.ovirt.org/mailman/listinfo/infra<br></blockquote><div><br></div></div></body></html>
------=_Part_6604786_317443247.1428928821836--
7:54 a.m.
yes.
and we're currently investigating how to mitigate and ensure
not more issues are found.
thanks,
Eyal.
----- Original Message -----
From: "Greg Sheremeta" <gshereme(a)redhat.com>
To: "infra" <infra(a)ovirt.org>, "Eyal Edri"
<eedri(a)redhat.com>, "David Caro Estevez" <dcaroest(a)redhat.com>
Sent: Monday, April 13, 2015 3:40:21 PM
Subject: Fwd: Proable exploited webserver: resources01.phx.ovirt.org
Making sure you guys saw this.
----- Forwarded Message -----
> From: "Geoff Maciolek" <GMaciolek(a)pvdchosting.com>
> To: webmaster(a)ovirt.org
> Sent: Sunday, April 12, 2015 5:58:57 PM
> Subject: Proable exploited webserver: resources01.phx.ovirt.org
> Folks, there's a suspious file I saw when browsing
> plain.resources01.phx.ovirt.org
> Specifically, _h5ai_research.php appears to be a shell - it identifies
> itself
> as "c99madshell v.2.0 madnet edition" and prompts for login. It is
> EXTREMELY
> unlikely that this is there intentionally.
> Distressingly, the file has been there since 2014-09-26.
> --Geoff Maciolek
> PVDCHosting, LLC
> _______________________________________________
> Infra mailing list
> Infra(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra
3506
days inactive
3507
days old
2 comments
3 participants
participants (3)
-
Eyal Edri -
Geoff Maciolek -
Greg Sheremeta