I currently have what I think is a compromised Moodle site. Google's cache contains SPAM on my front page, but when I view the site the SPAM isn't present. Changing my browser's user agent doesn't reveal the SPAM, so I am guessing that the hack is also checking for Google's IP address.
The server's software is patched, but Moodle is on quite an old version - 1.8.2+!
I have read through the forums and I have checked for all the following within my server directory:
grep -R base64_decode *
grep -R gzinflate *
find . -name mdl_utf.php -print
In addition to this, my files have old time stamps, have the correct permissions and ownerships. I also can't find any entries in my config.php that shouldn't be there. I have checked quite a few files and I can't see the "extra line at the top" that a lot of people talk about removing either. I can't actually see where those links are even being introduced into the page!
I have a feeling this server has been compromised for quite a while, and it's only just been noticed. I have nightly backups, but I think it's going to be best to just start afresh. I was planning on migrating the server from a RedHat Enterprise server to an Ubuntu LTS server on new hardware, so I am thinking it might be best to leave fixing the problem and just build the new server and use an updated Moodle 1.8.12+ installation. I will also be building a test 1.9 environment, that our users will be migrating to over the summer, but we need to stay on 1.8.12+ for now.
However... I will still need to migrate the database and moodledata to the new server, and I don't want to migrate any hacks or compromised files along with them.
I was hoping that someone could help me identify what I need to check for within the moodledata and database to ensure (or at least do my best!) that I don't migrate any hacked pages?
Thank you very much in advance.
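One way to triage a database dump or a copy of moodledata for injected spam and crawler-cloaking code before migrating, as an added example that is not part of the original post (the indicator list, file extensions and the sample dump below are constructed for illustration, not taken from Moodle):

```python
import re
from pathlib import Path

# Constructed indicator list: (label, regex). Each pattern is a common trace of
# injected spam or cloaking rather than proof of compromise; review every hit.
INDICATORS = [
    ("php_obfuscation", re.compile(r"base64_decode|gzinflate|str_rot13|eval\s*\(", re.I)),
    ("crawler_cloaking", re.compile(r"googlebot|HTTP_USER_AGENT|HTTP_REFERER", re.I)),
    ("hidden_html", re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)),
    ("remote_include", re.compile(r'<iframe|<script[^>]+src\s*=\s*["\']https?://', re.I)),
]

def scan_text(text):
    """Return the sorted labels of every indicator that matches `text`."""
    return sorted({label for label, rx in INDICATORS if rx.search(text)})

def scan_sql_dump(dump_text):
    """Scan a mysqldump-style text dump line by line; returns (line_no, labels)
    so the affected INSERT (and hence table/row) can be located."""
    hits = []
    for n, line in enumerate(dump_text.splitlines(), 1):
        labels = scan_text(line)
        if labels:
            hits.append((n, labels))
    return hits

def scan_tree(root):
    """Walk a directory (e.g. a copy of moodledata) and report indicators per
    file. Any PHP file under a data directory is reported unconditionally,
    since a data directory should hold uploads, not executable code."""
    findings = {}
    root = Path(root)
    for path in (p for p in root.rglob("*") if p.is_file()):
        labels = ["php_in_data_dir"] if path.suffix.lower() in (".php", ".phtml", ".php5") else []
        try:
            labels.extend(scan_text(path.read_text(errors="ignore")))
        except OSError:
            continue  # unreadable file; skip rather than abort the whole scan
        if labels:
            findings[str(path.relative_to(root))] = sorted(set(labels))
    return findings

# Constructed sample dump: a clean row, a hidden-link spam block and a
# cloaked PHP snippet that only fires for a crawler user agent.
SAMPLE_DUMP = """INSERT INTO mdl_course VALUES (1,'Site home','<p>Welcome</p>');
INSERT INTO mdl_block_instance VALUES (7,'html','<div style="display:none"><a href="http://example.invalid/pills">cheap pills</a></div>');
INSERT INTO mdl_config VALUES (3,'footer','<?php if(strpos($_SERVER["HTTP_USER_AGENT"],"Googlebot")!==false) eval(base64_decode("PAYLOAD")); ?>');
"""

if __name__ == "__main__":
    for line_no, labels in scan_sql_dump(SAMPLE_DUMP):
        print(f"dump line {line_no}: {', '.join(labels)}")
```

Run `scan_tree()` against a copy of the data directory and `scan_sql_dump()` against a text dump of the database, then inspect each flagged row or file by hand before deciding what to carry over.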