Spam infected Moodle sites


by Frank Ralf -
Number of replies: 14
I stumbled across this spam while working on http://moodle.org/mod/forum/discuss.php?d=122212

<i style="none">
xeex511205
<a href="http://erasmus.redlands.edu/moodle/search.php?query=soma">soma</a>
<a href="http://erasmus.redlands.edu/moodle/search.php?query=buy+soma">buy soma</a>
<a href="http://erasmus.redlands.edu/moodle/search.php?query=generic+soma">generic soma</a>
...

A Google search for "moodle buy ambien" gets more than 332,000 hits: http://www.google.de/search?q=ambien+moodle+buy

Viagra sells even more: http://www.google.de/search?q=moodle+buy+viagra (472,000 hits).

The problem persists as you can see if you have a look at the source of http://www.jeffmehring.com/login/index.php using your browser.

I have already created an issue in the tracker: MDL-19122

Frank

PS
Sorry for using plain text format, everything else gets broken with all those HTML tags.

In reply to Frank Ralf

Re: Spam infected Moodle sites

by Mauno Korpelainen -

A large number of those hits you found are old user profile spam and most of the rest are hacked old non-upgraded sites - for example during last December/January some thousands of sites were hacked using old vulnerabilities & wrong settings and permissions.

During the last year most php file injections have been made with hidden code that has broken in some cases editor javascripts (editor not visible) or css is lost. Methods change but spam obviously stays as long as people are not worried about upgrading their sites to the latest stable code or security overview http://docs.moodle.org/en/Security_overview.

Average of ratings: Useful (1)
In reply to Mauno Korpelainen

Re: Spam infected Moodle sites

by Jorge González Alonso -
I have found this code in config.php in the Moodle site of a school:

<!-- ouregrauqqiuvciml-->

<u style="display:none;">

<a href="http://chicago.metromix.com/registered_users/Bielilikl">Buy Viagra Jelly</a>

<a href="http://atlanta.metromix.com/registered_users/Feomqidpo">Buy Vermox</a>

<a href="http://www.quizilla.com/lyrics/9327955/cheap-ceftin">Cheap Ceftin</a>

<a href="http://www.quizilla.com/poems/9327954/order-zoloft">Order Zoloft</a>

<a href="http://www.quizilla.com/stories/9327953/buy-actos">Buy Actos</a>

<a href="http://chicago.metromix.com/registered_users/Nuiscoevfa">Buy Ceftin</a>

<a href="http://www.kaboodle.com/orderpropranololr">Order Propranolol</a>

...........................................................................

The problem is that people don't worry about it and don't upgrade.
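
One way to look for the kind of injected block quoted in the post above, added here as an example (not code from the thread or from Moodle): it flags elements hidden with an inline style that contain several off-site links. The host names, the sample file content and the threshold of three links are constructed assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Opening tag whose inline style hides the element from visitors.
HIDDEN_OPEN = re.compile(
    r'<(?P<tag>[a-z][a-z0-9]*)\b[^>]*\bstyle\s*=\s*["\'][^"\']*'
    r'(?:display\s*:\s*none|visibility\s*:\s*hidden)[^"\']*["\'][^>]*>',
    re.IGNORECASE)
ANCHOR = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\'](https?://[^"\']+)["\']', re.I)

def host(url):
    return (urlparse(url).hostname or '').lower()

def find_hidden_link_blocks(text, own_host, min_links=3):
    """Return hidden elements that contain at least min_links off-site links."""
    findings = []
    for m in HIDDEN_OPEN.finditer(text):
        closing = re.compile(r'</%s\s*>' % m.group('tag'), re.I)
        end = closing.search(text, m.end())
        # An unclosed element hides everything up to the end of the file.
        body = text[m.end():end.start() if end else len(text)]
        links = [u for u in ANCHOR.findall(body) if host(u) != own_host.lower()]
        if len(links) >= min_links:
            findings.append({'line': text.count('\n', 0, m.start()) + 1,
                             'tag': m.group('tag').lower(), 'links': len(links),
                             'hosts': sorted({host(u) for u in links})})
    return findings

def scan_tree(root, own_host):
    """Scan PHP/HTML files under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob('*'):
        if path.is_file() and path.suffix.lower() in {'.php', '.html', '.htm'}:
            hits = find_hidden_link_blocks(path.read_text(errors='replace'), own_host)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: config.php tail, one legitimate hidden div, one injected block.
SAMPLE = '''<?php
$CFG->wwwroot = 'http://moodle.school.example';
?>
<div style="display:none"><a href="http://moodle.school.example/help.php">Help</a></div>
<u style="display:none;">
<a href="http://spam-one.example/users/a">Buy Pills</a>
<a href="http://spam-two.example/lyrics/1/cheap">Cheap Pills</a>
<a href="http://spam-one.example/users/b">Order Pills</a>
'''
print(find_hidden_link_blocks(SAMPLE, 'moodle.school.example'))
```

`scan_tree` takes the Moodle code directory and the site's own host name; a hit in a file such as config.php that should contain no markup at all is worth comparing against a clean copy of the same release.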

In reply to Mauno Korpelainen

Enhanced status report from Moodle installation?

by Frank Ralf -
Hi Mauno,

Thanks for that information.

With Drupal you get a status report similar to the one from Moodle (Site Administration > Server > Environment), but instead of checking only if the minimum requirements are met it tells you whether you are using an outdated version of Drupal (see screenshot).

What if Moodle provided similar information? IMO you can't blame people for not acting on information their Moodle installation doesn't provide them.

Cheers,
Frank

Attachment Drupal_status_report.png
In reply to Frank Ralf

Re: Enhanced status report from Moodle installation?

by Mauno Korpelainen -

It's a good idea - some kind of a regular check of updates.

So far moodle (Martin) has sent email for registered sites about security updates - yet no new system will help those sites that use old code from past years and have never upgraded or dare not upgrade or don't know how to do it or administrators are worried about losing some data if sites have some modifications.

Frank, can you check if there are any tracker issues for this kind of improvement?

In reply to Mauno Korpelainen

Re: Enhanced status report from Moodle installation?

by Frank Ralf -
There seems to be something along those lines in the making (initiated by Petr Škoda):

- Security overview report (MDL-17222)
- META: Security overview report STABLE (MDL-18039)
- Provide a feedback for the admin in order to explain him/her what to do to fix the security problem rised up by the security report (MDL-18078)
In reply to Frank Ralf

Re: Enhanced status report from Moodle installation?

by Mauno Korpelainen -

http://tracker.moodle.org/browse/MDL-18039 is still open...

This update check could be done for example with a simple form that posts current version(s) from some check file or files or database to moodle.org and gets back the current version(s) of latest files from moodle.org (some small script) and after comparison of versions suggestion of upgrading could be shown.

In practice code of moodle is upgraded weekly so if people are not using CVS only major changes could be used for this form feedback (security bug fixes etc)...

In reply to Mauno Korpelainen

Re: Enhanced status report from Moodle installation?

by Frank Ralf -
The security report should already be available:

"If you have Moodle 1.9.4 and later, you'll find a new Security Report under Admin -> Reports -> Security"

http://docs.moodle.org/en/admin/report/security/index

I think the current status report for the Moodle environment (Site Administration > Server > Environment) already has all the relevant information and must only be tweaked a little to give a warning if the Moodle version is too old (and insecure).

A Drupal installation even sends an automatic e-mail to the site administrator if there's a security update available so one can't miss it.


In reply to Frank Ralf

Re: Spam infected Moodle sites

by Random Idiot -
Don't believe all this stuff is "old". Want to see some real Moodle irony?

http://cytrap.org/RiskIT/

http://cytrap.org/RiskIT/user/view.php?id=555
In reply to Random Idiot

Re: Spam infected Moodle sites

by Mauno Korpelainen -

Dear "Block my posts I'll still post when I want : - ) ",

I really did not say all this stuff is "old" - but most of those sites that get hacked or still have user spam are using old, non-upgraded versions of moodle. We have seen that user profile spam for years and most likely are going to see it for years because attitudes don't change in 10 years.

Those administrators have not probably read or understood the settings of documentation like http://docs.moodle.org/en/Security_overview or http://docs.moodle.org/en/Reducing_spam_in_Moodle

All web applications - also current moodle - can have security holes and professional hackers and spammers can use the tiniest possible chance you give them but if settings are correct and you don't allow anybody (any bot) to self-enroll and fill user profiles with nasty stuff (this issue can be prevented with correct settings) or directly write to your php files (permissions of web accessible files can't allow writing to anybody) and your site is not otherwise open to attacks and injections (for example php setting register_globals is not enabled) your moodle site should be rather safe. The same holds good for other scripts and programs on your site (phpMyAdmin etc). The latest stable code is usually the best choice and upgrading should be routine for all administrators - not once in 5 years but regularly.

In reply to Random Idiot

Re: Spam infected Moodle sites

by Mauno Korpelainen -

About that particular site - it does not show version of moodle but in source charset=iso-8859-1 so it can't be upgraded moodle 1.8 or moodle 1.9 (unicode required)

FactSheets (resources) are from year 2006 and otherwise it looks like a site that was quickly set up to get some cash with motto "Better protection at lower cost" - it is irony yes but not about moodle, it's irony about CyTRAP Labs - RiskIT

In reply to Mauno Korpelainen

Re: Spam infected Moodle sites

by Joe Griffin -
I'm not sure if my problem is the same or if anybody can help. I have just discovered that there are a number of registered users that are obviously using my site to try and sell viagra etc. User names are:

First name: nature medicine viagra
Surname: buy diet online phentermine pill viagra
email address: baedius9605@autosloansonlines.com
Country: Indonesia

Now my site is in Ireland and I have no connection with Indonesia (or Russia or Afghanistan where other 'users' came from). But I do have collaboration with some students in USA where others came from.

So I guess it is some kind of bot that is registering on my site. I am using version 1.9.3 and the last occurrence of this was today.

Can anybody advise? Can I block specific sets of registrations?

Thanks
In reply to Joe Griffin

Re: Spam infected Moodle sites

by Mary Cooch -

Hi Joe.

A couple of pages that might help you in the docs:

http://docs.moodle.org/en/Spam

I presume you're allowing users to register themselves? Is it not possible to prevent that at all? If you have to use self-registration, there is something here too:

http://docs.moodle.org/en/Spam#Allowing_self-registration

Average of ratings: Useful (2)
In reply to Mary Cooch

Re: Spam infected Moodle sites

by Joe Griffin -
Mary

Thanks a million. Really helpful. I've already implemented some of this since you sent the links.

Joe