Site Hacked

by Seth Dickens -
Number of replies: 17
Hi there,

I recently discovered that my school's site has been hacked, our config.php is full of anchor links to online meds, there are lord knows how many "new" users all with very questionable content in their profiles and there are hundreds of pages of html inserted into a folder in my www directory, all about, you guessed it, online meds. *sigh*

EDIT: I have read through some of the other postings here and notice that I have the same Hackcheckstr problem as this posting here: http://moodle.org/mod/forum/discuss.php?d=115416

I have currently:

  • Switched the site into maintenance mode
  • I'm downloading the whole site locally in case they have access to the whole directory etc
  • I've backed up and downloaded the database locally
Next I plan to:

Go to a fresh hosting provider (we'd had many probs with this one anyway)

What I'd like to ask you guys is what should I do next?

either

Restore the corrupted Moodle and upgrade it to Moodle v1.9 ( This site was 1.7.1)

or

Set up a fresh Moodle install with a recent Moodle release and back up individual courses and users (we can suffer losing all the old non-teacher users if needed)


Also, is there anything else you recommend I do to make sure that everything runs smoothly after the re-install?

Thanks in advance for any help, suggestions or advice.

Seth.
In reply to Seth Dickens

Re: Site Hacked

by Jon Witts -
Hi Seth,

Sounds like you have started going in the right direction. There are some more pointers here: http://docs.moodle.org/en/Hacked_site_recovery

Jon
In reply to Jon Witts

Re: Site Hacked

by Seth Dickens -
Thanks Jon,

Thanks for the speedy reply, it's much appreciated!

I had a look through the docs and there's some handy stuff there. Is there an easy way to check for the start of "unusual activity"? The site has been going for a couple of years and there are heaps of records to look through (500+ pages). Could you give me a pointer of where to look and what to look for?

At the end of the day, my backups were hosted alongside the main Moodle. This could mean they're corrupted too, I guess?

So, do you think it would be safest just to go for a fresh install and restore my courses only?

Thanks again,

Seth.
In reply to Seth Dickens

Re: Site Hacked

by Jon Witts -
You would first need a fresh install of version 1.7 to restore your courses to. Then once they are restored, upgrade the site to the latest version.

Diagnosing when you were first hacked would be the best way to tell which backups you could trust to restore...

I am afraid I do not have much experience in recovering from a hacked site, but I am sure there are others out there who can help you with this...
In reply to Jon Witts

Re: Site Hacked

by Seth Dickens -
OKay, great, thanks Jon!

I'll wait to see if anyone has any hints as to how I can spot this dodgy activity's start.

Best,

Seth.
In reply to Seth Dickens

Re: Site Hacked

by Frank Ralf -
Hi Seth,

Please use the Security FAQ as a starting point for further information. There's a Security overview available with newer versions of Moodle which might help.

hth
Frank
In reply to Frank Ralf

Re: Site Hacked

by Seth Dickens -
Thanks Frank!

I'm struggling through the upgrade and re-install at the moment. I'll definitely try the security overview asap after I've finished.

Seth.
In reply to Frank Ralf

Re: Site Hacked

by Seth Dickens -
Hiya Frank,

I've just uploaded this week's Moodle install (1.9.5) and have managed to get it working after quite a bit of tinkering.

I did a spam search and found... well, the most vile, repugnant stuff.

I've now gone to look for the Security Overview you mentioned at:

Administration > Reports > Security overview

but I don't see it listed there.

I just have the following in reports:

  • Backups
  • Question
  • Spam cleaner
Is the security review a plugin that I need to install, or should it already be there?

Thanks again for all your help so far.

Seth.
In reply to Seth Dickens

Re: Site Hacked

by Tim Hunt -
That is odd. In my 1.9.5+ install I have 10 reports listed, including 'Security overview'. Are you logged in with the admin account?
In reply to Tim Hunt

Re: Site Hacked

by Seth Dickens -
Hi there Tim,

I'm definitely in with the admin account as far as I can tell, unless that's been hacked too (I am the only "official" admin of the site, the site is in maintenance mode and I can see the admin block, too), and yet all I get in the reports menu is Backups, Question and Spam cleaner. Strange, eh?

Seth.
In reply to Seth Dickens

Re: Site Hacked

by Tim Hunt -
If you look on disc in the admin/reports folder, how many sub-folders do you see? There should be one per report.

If you have not got that many, check against a fresh download of the Moodle code, and make sure you are not missing anything else.
In reply to Tim Hunt

Re: Site Hacked

by Seth Dickens -
How strange! I have 8 subfolders in my reports folder:

  • backups
  • courseoverview
  • log
  • question
  • security
  • spamcleaner
  • stats
  • unittest
Hmm... worrying...

I just tried to access it directly by typing in mydomain.com/admin/report/security and got an "error/admin/accessdenied" error. I'm guessing this means that I'm not the admin of my own Moodle.

Um... what do you suggest I do now, Tim? Or in other words, "Yikes!"

Seth.
In reply to Seth Dickens

Re: Site Hacked

by Seth Dickens -
Even more strange is: when I do a search for all the "System role - is administrator" users, my name comes up. So it seems I'm an admin, but with no admin rights.

*thinking what to do next*
In reply to Seth Dickens

Re: Site Hacked

by Jon Witts -
Can you double check the permissions on the folders within the admin reports?
In reply to Jon Witts

Re: Site Hacked

by Seth Dickens -
Hi Jon, I'll readily admit that I don't really understand what all the permissions mean, but they are as follows:

All folders in the report folder have:

permissions:0755
owner/group:23247 23247

The files in the Spamcleaner folder (working) have the following permissions:

index.php - permissions:0755 owner / group 23247 23247
settings.php - permissions: 0644 owner / group 23247 23247

All the files in the security folder (not working) have the following permissions:

index.php - permissions:0644 owner / group 23247 23247
settings.php - permissions: 0644 owner / group 23247 23247
etc

the db folder inside the security folder has:
permissions:0755
owner/group:23247 23247

and the access.php file in there has: permissions: 0644 owner / group 23247 23247

Is this all sounding right to you Jon?

Again, many thanks Jon and Tim for all your help. It's very much appreciated!

Seth.

In reply to Seth Dickens

Re: Site Hacked

by Jon Witts -
The 0644 permission means Owner - Read / Write, Group - Read; Public - Read.
The 0755 permission means Owner and Group - Read, Write, Execute; Public - Read, Execute.

Maybe changing the index.php in the folders that are not working to 0755 would help...
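An added example, not code from any poster in this thread, that automates the two checks suggested above: Tim's comparison of the deployed tree against a fresh download of the same release, and Jon's look at per-file permission modes. It assumes a Linux host with GNU coreutils (`stat -c`) and that both directories hold the same Moodle release; the two paths are placeholders.

```shell
#!/bin/sh
# Compare a deployed Moodle tree against a pristine download of the same
# release. Prints one line per finding:
#   EXTRA    <file>   present only in the deployed copy (injected pages, uploads)
#   MISSING  <file>   present in the release but gone from the deployed copy
#   MODIFIED <file>   same path, different content
#   MODE     <file>   same content, different permission mode
# Usage (paths are placeholders):
#   moodle_tree_diff /path/to/pristine/moodle /path/to/deployed/moodle
moodle_tree_diff() {
    pristine="$1"
    deployed="$2"
    tmp=$(mktemp -d)

    # Sorted, relative file lists so that comm(1) can set-compare them.
    (cd "$pristine" && find . -type f | sort) > "$tmp/pristine.lst"
    (cd "$deployed" && find . -type f | sort) > "$tmp/deployed.lst"

    # Files only in the deployed tree: the first place to look for
    # injected HTML pages and uploaded scripts.
    comm -13 "$tmp/pristine.lst" "$tmp/deployed.lst" | sed 's/^/EXTRA    /'

    # Files the release ships but the deployed tree lacks.
    comm -23 "$tmp/pristine.lst" "$tmp/deployed.lst" | sed 's/^/MISSING  /'

    # Files in both trees: compare content, then the octal mode.
    comm -12 "$tmp/pristine.lst" "$tmp/deployed.lst" | while IFS= read -r f; do
        if ! cmp -s "$pristine/$f" "$deployed/$f"; then
            echo "MODIFIED $f"
        fi
        pm=$(stat -c %a "$pristine/$f")   # GNU stat: mode as octal digits
        dm=$(stat -c %a "$deployed/$f")
        [ "$pm" = "$dm" ] || echo "MODE     $f pristine=$pm deployed=$dm"
    done

    rm -rf "$tmp"
}
```

MODE lines are reported without judging which mode is right; a PHP file served by the web server needs only read permission, so a mismatch is a clue about tampering rather than a fix to apply.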
In reply to Seth Dickens

Re: Site Hacked

by Adam Turner -

My site was also hacked with a similar problem. The front page now has text that reads like this:

Created before rooms las vegas nv death of Adolph Hitler, in this story Hitler hops on a U-boat and escape to South America only to be haunted by his victims.

Can you how learn to play loan interest rate uk practicing by in online the card rooms?

Curiosidades y crticas La razn que busc reconocimiento excepto de l Uzumaki Costumes Final Fantasy Game 66 Price 25 naruto tektronix phaser 840 ink 30 tp phn mt hng khc Viz Media.

Browse Parkway Drive music video codes and true stock market option trading below.

The Russian solar physicists Galina Mashnich and Vladimir Bashkirtsev have agreed the adventure travel national geographic with a British climate expert, James Annan.

But no other courses or files seem to have this problem.

Could someone summarize what I should do if I want a fresh install based on these posts? Should I reinstall the same version as I was using first and then upgrade to the latest? I don't have programming skills to fiddle with config. files etc. The service provider is doing the install.

Adam Turner

(Edited by Martin Dougiamas to remove spam links - original submission Tuesday, 16 June 2009, 12:00 PM)

In reply to Adam Turner

Re: Site Hacked

by Jon Witts -
That sounds like you have been hacked. If the service provider was doing the install then you should speak with them about the incident in the first instance. The documentation and other links provided earlier in the post should give some good starting points.