Moodle in English: Hacked? (AddFreeStats link embedded on my front page)

Hacked? (AddFreeStats link embedded on my front page)

by Jason Hollowell - Sunday, June 13, 2010, 8:38 AM

I've started to document this here but thought maybe I should start a new forum thread. I just noticed late last night that all images on my site no longer load. This includes images embedded on the front page in the "topic section" as well as profile images and images that were in a lightboxgallery. Additionally, the html editor no longer appears anywhere (forum posts, etc.).

At the same time I notice that a link to the following address:

http://new.addfreestats.com/?usr=00911093

has been embedded in the top left of my front page. It's only about a pixel in width and maybe ten or so pixels in height. There is no visible link but mousing over that area shows the destination in the browser status window.

I've checked the server logs and the only thing that I can find so far that looks suspicious is a single call to

mydomain.com/help.php?module=data&file=fields.html

from an IP in Russia.

This is a very low traffic site. (www.moodlemootmishima.com) that is used for a Moot we held yesterday. I don't know if someone decided to be cute by hacking the site on the day of the Moot or what but if that is the case I guess it is quite imperative to figure out how.

I don't think I am posting a vulnerability here.....as I don't know how this was achieved?

If anyone has any info. or advice I would be most appreciative.

Also, checking the source of the front page reveals the following

<script type="text/javascript">
var AFS_Account="00911093";var AFS_Tracker="auto";var AFS_Server="www9";var AFS_Page="DetectName";var AFS_Url="DetectUrl";
</script>
<script type="text/javascript" src="http://www9.addfreestats.com/cgi-bin/afstrack.cgi?usr=00911093">
</script>
<noscript>
<img src="http://www9.addfreestats.com/cgi-bin/connect.cgi?usr=00911093Pauto" border=0 width=0 height=0>

</noscript>

Jason

Re: Hacked? (AddFreeStats link embedded on my front page)

by Jason Hollowell - Sunday, June 13, 2010, 8:46 AM

A little more information.

I have made a copy of the 'view source' results from the front page of my site that can be provided in the event that the current situation on my front page changes.

Also, I have some of the server log files as well. This site is hosted on Bluehost and they revolve the raw server logs every 24 hours so I have a couple of logs that overlap, I think, but there may be a little time void in between downloads of the logs.

I'm trying to keep as much data as possible in the event that this is an actual manipulation of a vulnerability.

If it isn't, great! Just want to be thorough.

Hopefully it is just a huge oversight on my part but I can't figure out what it would be as this is a pretty standard site. I think the only custom mod installed in lightboxgallery and all settings are pretty tight. Guests not allowed, etc.

Auto account creation is on but I didn't notice any strange activity from any users that logged in yesterday during the Moot....

Jason

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Howard Miller - Sunday, June 13, 2010, 6:28 PM

Jason,

A link to the site you are talking about would be helpful. It does have all the hallmarks of a hack unfortunately.

Most of these issues (that I have seen) have come down to making sure you set appropriate permissions for your Moodle files. In particular, your Moodle program files must *never* be writeable by the web server user account.

The safest way forward is to completely replace the code by a fresh download and then carefully check your permission settings

More advice at Security

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Jason Hollowell - Sunday, June 13, 2010, 7:36 PM

Howard,

Thanks. The site address is in the first post above. It is www.moodlemootmishima.com

I haven't done anything with it yet but will look at directory settings. I set it up with Fantastico and didn't really pay enough attention to the details of the setup. My mistake. I should have known better as I do painstakingly make sure that everything is tight on our school site but was a bit lax with this one.

I'd rather not wipe the site but maybe that is going to be the only resort.

Jason

P.S. I just checked and my datadirectory (that is outside of the web server directory) was set to 755 but the directories and files inside it were all set to 777. The thing is, shouldn't this be only accessible to the web server since it's outside of the served directory? I changed everything to 755 but am confused about how the user was able to use the "write" permission granted via 777.

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Howard Miller - Sunday, June 13, 2010, 8:57 PM

Jason,

I'm not talking about the data files - I'm talking about the actual Moodle code files. They *must not* be world writeable (or owned by the web server user account).

I see the alleged hacked code. It seems a bit neat. There's no chance that this is something Fantastico puts in, is there? I'm not a big fan of Fantastico (and similar) at all. I would always download the code from moodle.org. It might be a bit more hassle but you know where you are.

I'm also noting that you are running 1.9.4. There have been a LOT of security fixes since then. Get it upgraded - you can kill two birds with one stone

EDIT:

To be safe it is absolutely vital that you junk the program code and replace with new (from a reliable source). If this is an issue (for any reason) then it means that you can't do regular updates and that's another problem all by itself.

EDIT EDIT:
Looking around... a lot of hosting sites seem to advertise both Fantastico and AddFreeStats. I'm definitely thinking that this is something added by the host as a little extra. I would want to be sure though before writing it off. Everything I say above still applies however!!

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Jason Hollowell - Sunday, June 13, 2010, 9:27 PM

Howard,

Thanks again. I asked Bluehost about it and they said they knew nothing about it but I was/am suspicious nonetheless.

After I wrote that last message I realized you were talking about the Moodle root itself and not the datadirectory. I checked and it was 755 for directories and 644 for files, which is correct right? Or should everything be 555? I just changed it all to 555 and don't see any problems with my site so I guess that is even safer. Might just be me but it seems faster

Do you think it will be safe to ditch the code (Moodle directory) but retain the data directory and DB? That will be easy and allow me to keep my data. Or is there a chance that the DB and/or data directory have also been corrupted?

If that is sufficient, I will do a manual install and bypass Fantastico. I was lazy when I installed this site but that was the wrong attitude, I know. Just had a lot on my plate at the time and thought it would be sufficient.

Thanks again

Jason

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Howard Miller - Monday, June 14, 2010, 4:21 AM

As I say, I'm beginning to think that this isn't a hack after all. Thinking logically, why would a hacker add a link to a free stats site when there are all those Viagra sites to go at

On that basis your data should be ok. Just keep an eye on it (which you should probably do anyway). Run the spam checker and security report regularly.

I'm afraid that your chmod settings don't mean anything without knowing who the owner and groups actually are. For example - you could set 700 but if the owner is the web server user (e.g. www-data) it's still writeable. However, 555, is fine (no write bits) if, perhaps, a little inconvenient.

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Jason Hollowell - Tuesday, June 15, 2010, 2:31 PM

I've edited this message three times now

It seems like I'm making progress but....

I installed a new version (1.9.9) manually to get rid of any strange Fantastico dependencies and that brought the html editor back.

I used the settings from the old config file to enable access to the old db and data directory.

Also, profile pictures have returned. The strange thing is that I cannot embed/insert jpeg images into forum headings, the topic section at the top of the site page etc.

Even stranger is that png files will display properly. Just no jpegs....?

Jason

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Howard Miller - Tuesday, June 15, 2010, 4:49 PM

IIRC... the ability to add markup in headings was severely restricted at some point. I have an even vaguer recollection that there's a config setting to override that.

JPEGs is normally a php/gd thing. I can't think what Moodle would do to cause that.

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Glenys Hanson - Wednesday, June 16, 2010, 3:15 AM

Hi Jason,

Here's where to change the setting so you can put HTML tags in activity and resource names:

Administration
/ ► Appearance
/ ► HTML settings

Cheers,
Glenys

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Jason Hollowell - Wednesday, June 16, 2010, 1:19 PM

Howard & Glenys,

I'm really starting to think that my host provider (Bluehost) made some changes to the php setup and/or some adjustments to Fantastico.

Things change on the site that don't seem to correspond with adjustments I am making.

The HTML tags setting shouldn't have any affect on inserting a picture using the html editor should it? I've toggled that setting on and off and it doesn't seem to change my ability to (or not to) insert a picture using the html editor. Which, for some reason, I can now do (jpeg in addition to png). I e-mailed my provider (Bluehost) about the issue yesterday and got a response asking for more information but I'm wondering if they didn't tweak (or 'reset') the gd library or something because now I can insert a picture (jpeg) via the html editor and it shows up the way it always has...

I'm baffled about what has happened over the past few days but think that Howard, you were right about it being related to Fantastico and my host provider. Hopefully now that I have installed the newest version (manually) and everything seems to be back on track, it will stay that way for a while.

Getting ready to compress videos of the Moot and put them on the site so I want to make sure it's secure. wink

Thanks for sticking with me on this and providing input.

Jason

Average of ratings: -

Re: Hacked? (AddFreeStats link embedded on my front page)

by Howard Miller - Friday, June 18, 2010, 3:18 PM

Basically, and sorry for repeating myself, this is why I would never use Fantastico, EasyScripts, SimpleScripts, deb files, rpm files etc. etc.

If you download it from moodle.org then you know you're getting the unmolested code. It isn't even much more difficult to install. Just about all of the above seem to fiddled with by people with limited knowledge of Moodle at one time or another.

Average of ratings: -

Security and privacy

Hacked? (AddFreeStats link embedded on my front page)