I suddenly found that our hosted Moodle site had been attacked (along with many other sites hosted on the same server). All logins gave blank screens. I should have asked for advice on recovery, but have now deleted and reinstalled the site. (I had backed up the data folder and database but couldn't remember how to reinstall. Should have practiced this.)
The error reported by our ISP was:
During a recent security audit of the web server that hosts your site, a large number of compromised .htaccess files were detected. These .htaccess files all contained a single line "ErrorDocument 404 /path/to/this/directory/12345.php".
This was a common exploit used in conjunction with a trojan downloader 12345.php (filename was all numerical). Links were injected in pages all over the web with random filenames and, when clicked on, as they didn't actually exist, a 404 was triggered and the ErrorDocument directive served up the actual downloader file.
These infected .htaccess files were all removed as they were being actively exploited.
I apologise that you were not notified of this but it was necessary to take immediate action as this was quite a severe security risk.
I realise now that I should have increased the security of some files/folders by changing to more secure permissions. Can anyone advise which permissions I should check and reset (and on which folders or files) to avoid this happening again?
I have read documentation on this but am not sure which setting applies.
Any help welcome,
Problem solved. Answered in General Problems Forum.
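
An added example, not part of the original post or the host's notice: a Python check that walks a web root for .htaccess files carrying the directive the notice describes (a 404 ErrorDocument pointing at an all-numeric .php file) and reports whether the file is writable by group or other. The function names, sample directory names and the 0666 mode are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Heuristic for the directive quoted in the host's notice: a 404 handler whose
# target is a PHP file with an all-numeric name (this also flags e.g. 404.php).
DIRECTIVE = re.compile(r'^\s*ErrorDocument\s+404\s+"?(\S*/)?(\d+\.php)"?\s*$', re.I)

def scan(webroot):
    """Return one finding per matching ErrorDocument line under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                m = DIRECTIVE.match(line)
                if m:
                    findings.append({
                        "htaccess": path,
                        "line": lineno,
                        "handler": m.group(2),
                        # Is the numeric-named file next to the .htaccess?
                        "handler_present": os.path.exists(os.path.join(dirpath, m.group(2))),
                        # Group/other write bits let other accounts rewrite it.
                        "writable_by_others": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
                    })
    return findings

def build_sample(root):
    """Constructed sample tree: one ordinary .htaccess, one matching the notice."""
    clean = os.path.join(root, "site_a")
    bad = os.path.join(root, "site_b", "files")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, ".htaccess"), "w") as fh:
        fh.write("ErrorDocument 404 /error/notfound.html\n")
    with open(os.path.join(bad, ".htaccess"), "w") as fh:
        fh.write("ErrorDocument 404 /path/to/this/directory/12345.php\n")
    os.chmod(os.path.join(bad, ".htaccess"), 0o666)
    open(os.path.join(bad, "12345.php"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan(tmp):
            print(finding)
```

To check a real site, call `scan()` on the directory that holds the Moodle code and the data folder instead of the sample tree.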