Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Sasuke Uchiha
Number of replies: 10
Warmest Greetings!

Hi to all my co beloved educators, our Moodle site was hacked yesterday and the hacker managed to delete all the files under our home folder; fortunately we still have the database.

My Questions are:

1. Is there a possibility that I can recover all the data from my old eLearning moodle site? If yes, on what percentage?

2. How can I recover my eLearning site? Where should I start?


I am very frustrated about what happened yesterday. I almost decided to give up using Moodle as our first Online Classroom Management. I don't know where to start; the quiz grades and attendance are all there and the only thing left is our database. I hope none of you should experience the scenarios that happened on our eLearning site.

Thank you guys, I am very frustrated right now, honestly speaking. I hope that you can manage to help me with this problem.


Sincerely yours,
Confulity
In reply to Sasuke Uchiha

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Mauno Korpelainen

Rule number one for all web sites and hosts is that they should take regular backups. All those hosts that I have seen take them and keep for a while - so you could contact your host and ask if they have created site backups somewhere. If they find proper backups they should be able to restore (almost) all data.

If there are no backups and you have only the database left, you may be able to restore the site itself but will probably lose attachments and files saved to moodledata sub folders (images, resource documents etc)... Did you ever take course backups?

http://docs.moodle.org/en/Security

In reply to Sasuke Uchiha

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Don Hinkelman
Dear Sasuke,

It's too bad this happened to you. And actually it happened to us too. It was not due to Moodle, but because one of our administrators had a common username and a common password. The hacker used a program to guess login information and was able to enter in less than a day of trying.

The first thing to do is report the details of your Moodle setup and how it happened. It will help us determine why this happened. Later we can see if this should be reported to Moodle Security. Moodle Security is very vigilant in stopping hackers and an up-to-date Moodle as a whole is virtually un-hackable. But it requires constant bugfixing and hackers are always finding new ways to break in. So Petr Skoda and the security team are always busy.

Generally, the reasons for a hacked site are related to:
- username/password guessing
- old version of Moodle
- old version of PHP, MySQL or Apache
So be sure to report all of this version information. Then we can help you. If someone can check your server logs, they can tell if the break-in was due to password guessing or another tactic.

With sympathy,
Don
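
The server-log check mentioned in the post above, as an added example that is not part of the original thread: it counts POSTs to Moodle's login page per client IP in an Apache access log and flags an IP whose long run of failures ends in a redirect. It assumes the Apache "combined" log format, that a failed login returns 200 and a successful one a 3xx redirect, and a threshold of 5; the log lines are constructed.

```python
import re
from collections import defaultdict

LOGIN_PATH = "/login/index.php"   # Moodle's login form handler
THRESHOLD = 5                     # assumed cut-off for "too many failures"; tune per site

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_password_guessing(log_text, threshold=THRESHOLD):
    """Return {ip: {"failed": n, "success_after_failures": bool}} for noisy IPs."""
    stats = defaultdict(lambda: {"failed": 0, "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        entry = stats[m["ip"]]
        status = int(m["status"])
        if status == 200:
            # Assumption: login form re-rendered, i.e. the credentials were rejected.
            entry["failed"] += 1
        elif 300 <= status < 400 and entry["failed"] >= threshold:
            # Assumption: a redirect after the POST means the login was accepted.
            entry["success_after_failures"] = True
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

# Constructed sample: one IP guessing 8 times then getting in, one normal user.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Nov/2008:02:14:{s:02d} +0000] '
     f'"POST /login/index.php HTTP/1.1" 200 5120 "-" "-"' for s in range(8)]
    + ['203.0.113.7 - - [10/Nov/2008:02:14:09 +0000] '
       '"POST /login/index.php HTTP/1.1" 303 420 "-" "-"',
       '198.51.100.20 - - [10/Nov/2008:08:01:00 +0000] '
       '"POST /login/index.php HTTP/1.1" 200 5120 "-" "-"',
       '198.51.100.20 - - [10/Nov/2008:08:01:20 +0000] '
       '"POST /login/index.php HTTP/1.1" 303 420 "-" "-"',
       '198.51.100.20 - - [10/Nov/2008:08:02:00 +0000] '
       '"GET /course/view.php?id=2 HTTP/1.1" 200 9000 "-" "-"']
)

if __name__ == "__main__":
    for ip, s in find_password_guessing(SAMPLE_LOG).items():
        print(ip, s)
```

An IP flagged with `success_after_failures` set is the pattern to look at first: the account it logged into should have its password reset and its recent activity reviewed.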
In reply to Don Hinkelman

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Sasuke Uchiha
Thanks Mauno Korpelainen, we don't have full backups for the Moodle site, and I forgot to take some course backups; all we have left now is the database for the hacked Moodle site. I think it will be fine for me if I lose some data; as long as I can recover the accounts and grades of my students, that will be OK.

Thanks to Don Hinkelman too, I believe that we are using updated version of Moodle before 1.3, I think the hacker managed to hack our site by brute-forcing our password. That's our mistake, we forgot to change our password regularly.

I felt better today because there are some people that understand my situation, thanks to all of you guys.

@problem

Can I resolve the problem by just installing a new Moodle site and using the old recovered database instead of its new database? If this is possible how can I do that? Where should I start?

Thank you very much guys and more power!

Yours sincerely,
Confulity
In reply to Sasuke Uchiha

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Don Hinkelman
Unfortunately, you can no longer get a Moodle 1.3 system to download. 1.6 is the oldest available now that is safe from hacking. In Moodle 1.6 the switch to unicode began, so the data in your database will be in an older format and need conversion. Hopefully, Moodle 1.6 will automatically convert your database.

Does anyone have any advice about how to put a 1.3 database into a 1.6 system? That is beyond my knowledge. A step-by-step instruction would be useful for Confulity.
In reply to Don Hinkelman

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Mauno Korpelainen

The old versions are still available:

http://download.moodle.org/stable13/

http://download.moodle.org/stable14/

http://download.moodle.org/stable15/

http://download.moodle.org/stable16/

Step-by-step instructions might get long; http://docs.moodle.org/en/Upgrade is a good start and some old posts from these forums should explain the first steps from Moodle 1.3 to 1.6.

If I had a similar situation I might try to get Moodle 1.3 up first and then upgrade step by step or take course backups to upper versions of Moodle. But it will definitely take some time to do all that...

In reply to Mauno Korpelainen

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Sasuke Uchiha
Thanks, my bad, my bad..

I am using 1.9.2 not 1.3, I am very sorry guys.. is it better that I have 1.9.2?
In reply to Sasuke Uchiha

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Richard Enison
SU,

Yes, it is possible to use the old database with a new Moodle. Just create a config.php file containing the correct parameters for the database. The usual method is to make a copy of config-dist.php and rename it config.php, then edit that. Fill in the appropriate values for wwwroot, dirroot, dataroot, dbtype, etc. When you access your site, because config.php exists the install script (install.php) will be bypassed, and because the database is populated the script that creates the tables (admin/index.php) will be bypassed. Just make sure all the files are in the same place (directory pathnames) as they were before; otherwise, you might have to run admin/replace.php to change references in the database.

RLE
In reply to Richard Enison

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Robert Brenstein
The recommended way of installing Moodle places the course files in a directory outside the internet-reachable directory. If that was done, your course files may be still available.

As others state, restoring your site using only old database will work with one caveat: any activities and resources referring to user and course files will produce an error when users try to open files which are not there.
In reply to Richard Enison

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Sasuke Uchiha
Thanks guys, as of now I am just reading the documentation with regards to installing Moodle, and I just thought that maybe I can just rename the old database to the name that my automated installation from my Fantastico assigned. But the question is, is that possible guys?

By the way, my previous Moodle version is 1.9.2 and now I am using Moodle 1.9.3.

Many thanks people, I appreciate your replies..

In reply to Sasuke Uchiha

Re: Our site was hacked, delete the Moodle files, Fortunately we still have the database.

Posted by Richard Enison
SU,
  1. To answer your question in a previous post, yes, it is way better that you have 1.9.x than 1.3.
  2. Yes, what you propose doing is possible (you can always name your Moodle database anything you want, just be sure to edit config.php accordingly), but I wouldn't recommend it. Please search this forum for posts of mine containing Fantastico. I'm getting tired of repeating myself. Bad news, big time.
RLE