I have received a message from our Network Administrator saying:
The IPS is sometimes detecting the following attack signatures for traffic addressed to Moodle:
Why is he intercepting such signatures? Are these false positives? Or are there really some bugs or security holes in Moodle?
I do appreciate your help on this topic...
They are old, known vulnerabilities that should have been fixed a long time ago if you have upgraded your Moodle (report release dates Sep 14, 2005 - Sep 11, 2006 - Mar 10, 2008).
Sounds like some old spammer's user profile and someone pressed a link there - but this was just my guess.
For example the last report says: "This indicates an attempt to exploit a remote code execution vulnerability in PHP. The vulnerability may allow attackers to execute arbitrary code on remote systems by including PHP sequences in some parameters."
It does not say that the attack was successful...
I am running Moodle 1.9.5 on Linux RHEL 5.4, PHP 5.3 and MySQL 5.0.45.
Sometimes the connection to Moodle from off campus is lost. From off campus, the user might be saving his work on Moodle and Moodle stops responding. So that's why they are going over the IPS logs. When the IPS detects something wrong, it will drop the connection with the user.
I just need to know, if these IPS logs are true, whether there are security holes in Moodle, or whether I should just consider them false positives.
I appreciate your replies so I know how to go on from here.
I don't know the settings of your system but at least that memory limit issue sounds like a false alert. The original advisory said:
"The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete."
A too low PHP memory limit or a couple of other PHP/server settings can cause trouble - Moodle can stop responding, or particularly IE (the browser) can stop responding, for various reasons, and they don't mean an attack. For example, an administrator or teacher tries to take a course backup of a very large course, or a user tries to paste a very large document directly from Word into the wiki...
If your IPS drops regularly particular users or connections it might be good to check other logs of moodle and server to find out what actually happened.
Another thing is that when people save something that is copied or uploaded from the net or other programs, you may sometimes find malicious links, worms/viruses, iframe attacks, injected images or direct attack attempts ... and sometimes false positive alerts.
Moodle may have some vulnerabilities that nobody has noticed before (for example the latest upgrade fixes several of them), but the links you gave can be considered "false alerts" - in my opinion...
Server access logs, error logs and auth logs may show more info about bots or direct attacks from particular IPs - and you might check once more that the settings of http://docs.moodle.org/en/Security_overview are OK.
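As an added example (not from this thread or from Moodle), one way to do the cross-check suggested above: match each IPS drop (timestamp, client IP and signature name, as exported from the IPS) against the Apache access log of the Moodle server, so you can see what that client was actually doing around the time it was cut off. The log lines and IPS events below are constructed; the field names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, which httpd on RHEL writes by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_access_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        entries.append({'ip': m.group('ip'), 'ts': ts,
                        'req': m.group('req'), 'status': int(m.group('status'))})
    return entries

def correlate(ips_events, access_entries, window=timedelta(seconds=60)):
    """For each IPS drop, collect the Moodle requests from the same client IP
    within +/- window of the drop. An event with only ordinary requests
    (e.g. a POST saving a wiki page, status 200) is a false-positive candidate;
    an event with no nearby requests means the IPS cut the client off before
    anything reached the web server, so only the IPS log can explain it."""
    report = []
    for ev in ips_events:
        hits = [e for e in access_entries
                if e['ip'] == ev['ip'] and abs(e['ts'] - ev['ts']) <= window]
        report.append({'signature': ev['signature'], 'ip': ev['ip'],
                       'requests': [(h['req'], h['status']) for h in hits]})
    return report

# Constructed sample data (not real traffic).
TZ = timezone(timedelta(hours=2))
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2010:14:02:11 +0200] "POST /moodle/mod/wiki/edit.php?id=42 HTTP/1.1" 200 5123',
    '10.0.0.5 - - [10/Mar/2010:14:02:40 +0200] "GET /moodle/mod/wiki/view.php?id=42 HTTP/1.1" 200 8811',
    '192.0.2.7 - - [10/Mar/2010:14:05:00 +0200] "GET /moodle/login/index.php HTTP/1.1" 200 3012',
]
SAMPLE_IPS_EVENTS = [
    {'ts': datetime(2010, 3, 10, 14, 2, 30, tzinfo=TZ), 'ip': '10.0.0.5',
     'signature': 'PHP memory_limit alert (constructed name)'},
    {'ts': datetime(2010, 3, 10, 14, 10, 0, tzinfo=TZ), 'ip': '192.0.2.7',
     'signature': 'PHP remote include alert (constructed name)'},
]

if __name__ == '__main__':
    for item in correlate(SAMPLE_IPS_EVENTS, parse_access_log(SAMPLE_LOG)):
        print(item['signature'], item['ip'], item['requests'])
```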
I thank you for your reply and appreciate it.
Today I have a meeting with the network admin to update him. I hope I get all the details about this issue to know how to support Moodle vs. the network team...