Exploited mirror/server - resources01.phx.ovirt.org
Geoff Maciolek
GMaciolek at pvdchosting.com
Sun Apr 12 22:17:50 UTC 2015
Sorry if this got replicated. "Short version: someone stuck a PHP shell onto one of the oVirt download servers."
Long version - probably worth reading in its entirety:
Folks, there's a "suspicious" file I saw when browsing plain.resources01.phx.ovirt.org
Specifically, _h5ai_research.php appears to be a shell - it identifies itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY unlikely that this is there intentionally.
Distressingly, the file has been there since 2014-09-26.
Now, it doesn't seem most download links point to that server; for example, the main download page (ovirt.org/Download) link for 3.5 points to "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything there, but I didn't dig.
BUT - over on ovirt.org/Quick_Start_Guide - there's a link to "http://resources.ovirt.org/releases/stable/iso/" - which redirects to http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned above.
On http://resources01.phx.ovirt.org/releases/ there's a link to an html file which redirects you to "plain.resources01.phx.ovirt.org" - which is where I saw the file in question.
Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
The filename is _h5ai_research.php - but it is most certainly not h5ai related.
If this phx server isn't in use any longer, as it seems may be the case, it should be powered down & cleaned up, DNS entries to it should get removed, and links updated. Fun fact: "resources01.phx.ovirt.org (66.187.230.19)" appears to be in a RedHat NOC, whereas "resources.ovirt.org (173.255.252.138)", which seems fine & shares list functions(?), lives at Linode.
--Geoff Maciolek
This e-mail does not reflect the position of PVDC Hosting, LLC or any affiliated companies.
Replies may be directed to this address or to geoffmaciolek at gmail.com.
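The report above boils down to one check a mirror operator can automate: a download server that should only hold static artifacts has no business serving executable scripts outside the directory indexer's own code. The script below is an added example, not part of the thread or of oVirt's infrastructure; it assumes h5ai is the indexer (so PHP under `_h5ai/` is legitimate), uses the banner string the report quotes as a signature, and builds a constructed sample tree rather than touching a real mirror.

```python
"""Scan a static download mirror for script files that should not be there.

Assumptions (not from the oVirt thread): the only legitimate PHP on the mirror
is h5ai's own code under _h5ai/; everything else should be static content.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

SCRIPT_EXTS = {".php", ".php5", ".phtml", ".phar"}
ALLOWED_SCRIPT_DIRS = ("_h5ai",)  # indexer code is expected here, nowhere else
# Banner strings the planted file in the report identified itself with.
SHELL_MARKERS = re.compile(rb"c99madshell|madnet edition", re.IGNORECASE)


def find_suspect_scripts(root):
    """Return sorted [(relpath, reason, mtime_date)] for out-of-place scripts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]
        in_allowed = top in ALLOWED_SCRIPT_DIRS
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(65536)  # banners sit near the top of the file
            reasons = []
            if ext in SCRIPT_EXTS and not in_allowed:
                reasons.append("script outside allowed dir")
            if SHELL_MARKERS.search(head):
                reasons.append("web shell banner string")
            if reasons:
                # mtime gives a first estimate of dwell time (the report saw 2014-09-26)
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
                findings.append((os.path.relpath(path, root),
                                 "; ".join(reasons), mtime.date().isoformat()))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample mirror: benign files plus one planted shell."""
    root = tempfile.mkdtemp(prefix="mirror-")
    layout = {
        "_h5ai/index.php": b"<?php // legitimate indexer code\n",
        "releases/stable/iso/ovirt-live.iso": b"\x00" * 16,
        "releases/stable/iso/SHA256SUMS": b"abc  ovirt-live.iso\n",
        "releases/_h5ai_research.php": b"<?php /* c99madshell v.2.0 madnet edition */ ?>",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, why, since in find_suspect_scripts(build_demo_tree()):
        print(f"{rel}: {why} (mtime {since})")
```

Run against a real mirror's document root, a non-empty result is a cue to pull the host from DNS and rebuild it rather than to delete the file and move on.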