On 13/04/2015 00:17, Geoff Maciolek wrote:
> Sorry if this got replicated. "Short version: someone stuck a PHP shell onto
> one of the oVirt download servers."
>
> Long version - probably worth reading in its entirety:
>
> Folks, there's a "suspicious" file I saw when browsing
> plain.resources01.phx.ovirt.org
>
> Specifically, _h5ai_research.php appears to be a shell - it identifies itself
> as "c99madshell v.2.0 madnet edition" and prompts for login. It is EXTREMELY
> unlikely that this is there intentionally.
>

David, isn't h5ai the template engine running as the file indexer on the
resource.ovirt.org server?
Following the link on http://resources.ovirt.org/pub/ it lands on
http://larsjung.de/h5ai/
Do you remember when the template engine was installed there?

> Distressingly, the file has been there since 2014-09-26.
>
> Now, it doesn't seem most download links point to that server; for example,
> the main download page (ovirt.org/Download) link for 3.5 points to
> "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything there,
> but I didn't dig.
>
> BUT - over on ovirt.org/Quick_Start_Guide - there's a link to
> "http://resources.ovirt.org/releases/stable/iso/" - which redirects to
> http://resources01.phx.ovirt.org/releases/stable/iso/ - the server mentioned
> above.
>
> On http://resources01.phx.ovirt.org/releases/ there's a link to an html file
> which redirects you to "plain.resources01.phx.ovirt.org" - which is where I
> saw the file in question.
>
> Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> The filename is _h5ai_research.php - but it is most certainly not h5ai
> related.
>
> If this phx server isn't in use any longer, as it seems may be the case, it
> should be powered down & cleaned up, DNS entries to it should get removed,
> and links updated. Fun fact: "resources01.phx.ovirt.org (66.187.230.19)"
> appears to be in a RedHat NOC, whereas "resources.ovirt.org
> (173.255.252.138)" which seems fine & shares list functions? Lives at Linode.
>
> --Geoff Maciolek
>
> This e-mail does not reflect the position of PVDC Hosting, LLC or any
> affiliated companies.
>
> Replies may be directed to this address or to [email protected],
> _______________________________________________
> Infra mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/infra
>

--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
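
The planted file borrows the indexer's `_h5ai` prefix, so a name-based check would wave it through; checking by location does not. The following is an added example, not part of the original thread or of oVirt's tooling: it walks a download docroot and reports every server-executable script outside the directory where the indexer is expected to live. The `_h5ai/` install directory, the extension list and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Extensions a PHP-enabled web server commonly executes (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}

def find_stray_scripts(docroot, allowed_dirs=("_h5ai",)):
    """Return sorted (relative_path, mtime_date) for scripts outside allowed_dirs.

    allowed_dirs are top-level directories under docroot where server-side
    code is expected (assumption: the indexer is installed in "_h5ai/").
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        top = os.path.relpath(dirpath, docroot).split(os.sep)[0]
        if top in allowed_dirs:
            dirnames[:] = []  # expected code lives here; do not descend
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.lstat(full).st_mtime, tz=timezone.utc)
                hits.append((os.path.relpath(full, docroot), mtime.date().isoformat()))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample layout, not the real server's contents."""
    files = [
        os.path.join("_h5ai", "index.php"),                    # legitimate indexer code
        os.path.join("releases", "stable", "iso", "README.txt"),
        os.path.join("releases", "_h5ai_research.php"),        # name from the report
    ]
    for rel in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    # Give the stray file the date quoted in the report.
    ts = datetime(2014, 9, 26, 12, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(root, "releases", "_h5ai_research.php"), (ts, ts))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, day in find_stray_scripts(root):
            print(f"unexpected script: {rel} (mtime {day})")
```

File modification times can be set by whoever wrote the file, so the reported date is a lead to correlate with web server and upload logs, not proof of when the file arrived.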
