A year ago we had a long discussion in http://moodle.org/mod/forum/discuss.php?d=111710 about c99madshell v. 2.0 madnet edition EDITED BY MADNET (and v.2.1).
Today I fixed one hacked CPanel site that was really old and was broken by injected code in index.php. It was a fresh crack: the first injection was made on 18th of November and the actual attack on 3rd of December, but only 2 extra files were found in the enrol folder, plus one empty file iin.php and the injected index.php.
Nothing new in the actual method, but a slightly alarming thing was that the scripts could be changed to a familiar-looking madshell script with eval(gzinflate(base64_decode( ... and the title of this "file manager script" was
!C99madShell v. 5.0 MOODLE edition!
and in footer
--[ c99madshell v. 5.0 MOODLE edition EDITED BY MADNET, k1b0rg ]--
So it looks like we might see attacks targeted directly at Moodle near Christmas again.
Searching the logs and tracing IPs led to
18.104.22.168 (from Russia "Nevedomskiy Alexey Alexeevich" ) and
22.214.171.124 (from Ukraine "Victor Nastechenko")
but these guys are not necessarily the attackers. However, the same IPs have been active, for example, in http://www.ictedu.be/moodle/ and http://moodle.org/mod/forum/discuss.php?d=138394 during the last 2 weeks, so I suspect they are real IPs. Most server logs were cleaned, but these IPs were found in the actual Moodle logs - they (or bots) were trying to log in as admin.
Christmas holidays are usually a busy time for spammers, but they are also a good time for upgrading and checking settings and permissions: http://docs.moodle.org/en/Security_overview
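
Added example, not part of the original post: a minimal Python sweep of a web root for the two artefacts described above, PHP files carrying a packed `eval(gzinflate(base64_decode(` wrapper and zero-byte PHP files such as the empty `iin.php`. The sample tree is constructed; `enrol/extra.php` and `lib/clean.php` are hypothetical names, and matching `gzuncompress` and `str_rot13` as additional wrappers is an assumption that generalises beyond the post.

```python
import os
import re
import tempfile

# eval( wrapping two or more decode/decompress calls; tolerant of whitespace and case.
PACKED_EVAL = re.compile(
    rb"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*){2,}",
    re.IGNORECASE,
)

def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for suspicious .php files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.getsize(path) == 0:
                findings.append((rel, "empty php file"))
                continue
            with open(path, "rb") as fh:
                if PACKED_EVAL.search(fh.read()):
                    findings.append((rel, "packed eval"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample input: one clean file and three suspect ones."""
    samples = {
        "index.php": b"<?php eval(gzinflate(base64_decode('AAAA'))); ?>\n<?php // page",
        "enrol/extra.php": b"<?php EVAL ( gzinflate ( base64_decode ( 'AAAA' ) ) );",
        "enrol/iin.php": b"",
        "lib/clean.php": b"<?php $s = base64_decode($input); echo strlen($s);",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:15} {rel}")
```

A hit is a lead to review by hand, not proof of compromise; compare flagged files against a clean copy of the same Moodle release before deleting anything.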