Has anybody else experienced anything like this? Any clues have how I might proceed to rectify the situation.
AARGGHHH David! (edit: postscript): my curiosity got the better of me, so I clicked on that link again - and got exactly the same virus alert
Check Front Page > Settings, and make sure that the Default Front Page role is set to "none". Check Users > Permissions > User Policies and make sure all role settings are set to their defaults.
Perhaps it was coincidence, I had a lot of stuff going on and hadn't rebooted for several days, but I'm not going to try it again. Norton never triggered and it's upd to date.
Nice looking design for both sites.
I've managed to put everything back, more or less as it was; however, I'm concerned about what might have caused this. I've been using Moodle since '03 and have never experienced an issue like this.
Mary is right - but it's not a typical virus, it looks like a new trojan and similar like Ben had in http://moodle.org/mod/forum/discuss.php?d=100303
Infection via iframe code infection means that most likely you need to clean all html and php files on your site - they all may have iframes ( ...pinoc.org/count.php... ) at the bottom - for example like in http://www.post1.net/lowem/entry/wsxhost_net_php_virus_trojan_infection_via_iframe_code_injection
My other site, TogetherApart.com, is on a dedicated server in Canada that I use to host courses for colleagues. It is the server where I had the strange disappearing admin blocks problem. This site does not appear to have a virus.
Thanks for the information regarding Mysandbox.net Mauno. I've passed this information on to my Web site host in the US.
what version of Moodle was installed on those servers? Was there any other software installed?
Here's a link to a pdf (175KB) of the logs for the guest account dating back to late August this year: guest_logs.pdf
I think that's when the account must have been changed.
My guess is that some cracker who is interested in gamemaker and content of your courses has used some vulnerability of phpMyAdmin or some other trick to be able to get in (directly to database?) and change data in database. Did you use same (ftp/database/moodle) admin usernames/passwords on your sites? If you did, this guest might have got your username and password from other site through that trojan. Changing guest profile from moodle should not be possible even for administrators. Fri 24 October 2008, 10:52 AM 22.214.171.124 has been quite active but you might get more info about server access, error and auth logs. It might be good if some security expert like Petr or your host could check those logs...
Timothy, I don't think it's possible. If someone enters to moodle as a guest and changes language (or even if site admin changes the site default language) to Chinese it only changes titles and translation for the time of session but here Guest User is the first name of user guest and nobody should be able to edit that profile from moodle (and he saw some other changes too)
The only easy route to that profile is from database (directly or with some tool like phpMyAdmin) - table mdl_user and field firstname - so it sounds like a database hack.
EDIT: Unless David had site default roles totally wrong and guest could edit profile as a normal student/teacher/administrator. But I understood that he had not changed any site default role settings...
Yes, Timothy is right - meaning of those chinese letters is something like guest or visitor but I have never heard that moodle could translate your name: if you select Chinese to your language David Le Blanc should be shown as 大衛勒布朗 (Google translate)
On the contrary even if you change your language Guest User in profile always remains Guest User.
The simplest explanation could of course be that guest user was able to edit profile of guest because some role settings were wrong...but...
I visited your other site and you are right, there are no viruses but it might be good to check all files from that site too...
For example front page http://126.96.36.199/moodle/ has in source code before calendar
Does not look like standard code of moodle ( I did not press Login at all )
They are now looking back to see how/when the injection occurred. I'll have to email AVG and Norton to inquire why they didn't pick up on this infection.