----- Original Message -----
> From: "Ewoud Kohl van Wijngaarden" <[email protected]>
> To: [email protected]
> Sent: Monday, April 13, 2015 1:23:20 PM
> Subject: Re: Exploited mirror/server - resources01.phx.ovirt.org
>
> On Sun, Apr 12, 2015 at 10:17:50PM +0000, Geoff Maciolek wrote:
> > Sorry if this got replicated. "Short version: someone stuck a PHP shell
> > onto one of the oVirt download servers."
>
> Thank you for bringing this to our attention. For the very short term I
> chmodded it 000 so at least it can't be opened now. We will investigate
> further and try to find out how it got there.
>
> > Long version - probably worth reading in its entirety:
> >
> > Folks, there's a "suspicious" file I saw when browsing
> > plain.resources01.phx.ovirt.org
> >
> > Specifically, _h5ai_research.php appears to be a shell - it identifies
> > itself as "c99madshell v.2.0 madnet edition" and prompts for login. It is
> > EXTREMELY unlikely that this is there intentionally.
> >
> > Distressingly, the file has been there since 2014-09-26.
> >
> > Now, it doesn't seem most download links point to that server; for example,
> > the main download page (ovirt.org/Download) link for 3.5 points to
> > "http://resources.ovirt.org/pub/ovirt-3.5/" - I didn't notice anything
> > there, but I didn't dig.
> >
> > BUT - over on ovirt.org/Quick_Start_Guide - there's a link to
> > "http://resources.ovirt.org/releases/stable/iso/" - which redirects to
> > http://resources01.phx.ovirt.org/releases/stable/iso/ - the server
> > mentioned above.
> >
> > On http://resources01.phx.ovirt.org/releases/ there's a link to an html
> > file which redirects you to "plain.resources01.phx.ovirt.org" - which is
> > where I saw the file in question.
> >
> > Visible in this index: http://plain.resources01.phx.ovirt.org/releases/
> > The filename is _h5ai_research.php - but it is most certainly not h5ai
> > related.
> >
> > If this phx server isn't in use any longer, as it seems may be the case, it
> > should be powered down & cleaned up, DNS entries to it should get removed,
> > and links updated. Fun fact: "resources01.phx.ovirt.org (66.187.230.19)"
> > appears to be in a RedHat NOC, whereas "resources.ovirt.org
> > (173.255.252.138)" which seems fine & shares list functions? Lives at
> > Linode.
>
> We plan on migrating away from the linode machine, but this is a long
> process. That's why you see both. IIRC /releases/ is the old directory
> structure which we archived. This also means that the mirror network
> should not be affected.

Just an update: we're still waiting for the memory upgrade on the hypervisors in order to push this migration.

> _______________________________________________
> Infra mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/infra
