Probable exploited webserver: resources01.phx.ovirt.org

Folks, there's a suspicious file I saw when browsing plain.resources01.phx.ovirt.org

Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.

Distressingly, the file has been there since 2014-09-26.

--Geoff Maciolek
PVDCHosting, LLC
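A defender-side sweep for the kind of file reported above, added here as an example and not part of the thread or the oVirt infrastructure: it walks a document root, flags PHP files whose contents carry the quoted "c99madshell" banner, and reports each hit's modification time (the same timestamp an h5ai listing exposes). The marker list and the sample webroot are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Markers taken from the banner quoted in the report (constructed list; extend as needed).
SHELL_MARKERS = [
    re.compile(rb"c99madshell", re.IGNORECASE),
    re.compile(rb"madnet edition", re.IGNORECASE),
]


def scan_webroot(root):
    """Return sorted (relative_path, mtime_iso, marker) tuples for every PHP file
    under root whose first 1 MiB matches a shell marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)
            for marker in SHELL_MARKERS:
                if marker.search(data):
                    mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                    hits.append((os.path.relpath(path, root), mtime.isoformat(),
                                 marker.pattern.decode()))
                    break  # one report per file is enough
    return sorted(hits)


def demo():
    """Constructed sample webroot: a benign h5ai index page and one file
    that merely echoes the banner string, standing in for the reported shell."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "_h5ai"))
        with open(os.path.join(root, "_h5ai", "index.php"), "w") as fh:
            fh.write("<?php // benign h5ai index, constructed stand-in ?>")
        with open(os.path.join(root, "_h5ai_research.php"), "w") as fh:
            fh.write("<?php /* constructed sample */ echo 'c99madshell v.2.0 madnet edition'; ?>")
        return scan_webroot(root)


if __name__ == "__main__":
    for path, mtime, marker in demo():
        print(f"{path}\tmodified {mtime}\tmatched {marker}")
```

Run it against a real document root with `scan_webroot("/var/www/html")`; a hit is a reason to preserve the file and its timestamps for forensics, not to delete it on the spot.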

Making sure you guys saw this.

----- Forwarded Message -----
From: "Geoff Maciolek" <GMaciolek@pvdchosting.com>
To: webmaster@ovirt.org
Sent: Sunday, April 12, 2015 5:58:57 PM
Subject: Probable exploited webserver: resources01.phx.ovirt.org
Folks, there's a suspicious file I saw when browsing plain.resources01.phx.ovirt.org
Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.
Distressingly, the file has been there since 2014-09-26.
--Geoff Maciolek
PVDCHosting, LLC
_______________________________________________ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra

Yes. And we're currently investigating how to mitigate and ensure no more issues are found.

Thanks,
Eyal.

----- Original Message -----
From: "Greg Sheremeta" <gshereme@redhat.com>
To: "infra" <infra@ovirt.org>, "Eyal Edri" <eedri@redhat.com>, "David Caro Estevez" <dcaroest@redhat.com>
Sent: Monday, April 13, 2015 3:40:21 PM
Subject: Fwd: Probable exploited webserver: resources01.phx.ovirt.org
Making sure you guys saw this.
----- Forwarded Message -----
From: "Geoff Maciolek" <GMaciolek@pvdchosting.com>
To: webmaster@ovirt.org
Sent: Sunday, April 12, 2015 5:58:57 PM
Subject: Probable exploited webserver: resources01.phx.ovirt.org
Folks, there's a suspicious file I saw when browsing plain.resources01.phx.ovirt.org
Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.
Distressingly, the file has been there since 2014-09-26.
--Geoff Maciolek
PVDCHosting, LLC