Hello, I have Moodle 1.9 hosted at Siteground. I just received this message, and they closed my site; my students and I are stuck. Please, any help!
"While conducting our regular server security audit, we detected that the Moodle application hosted on your account lmoughli.com has become vulnerable to exploits and hacks and creates a serious threat to the integrity of the shared server.
To ensure the overall security of the server and all websites hosted on it, we had to temporarily disable access to this application.
We are very much aware of the inconvenience this issue may cause you, so we would like to take a moment and explain the reasons for our actions: as you know, your account is hosted on a shared hosting server and thus sharing the resources of the server with other customers' accounts. If one account and even one application is hacked, this will endanger the integrity of the whole shared server and all other accounts on it. This is why the above explained precaution is absolutely necessary.
Very often sites are compromised because of outdated software or stolen login details. Please check the following article for more information:
http://kb.siteground.com/article/hacked_website.html
Next, you may wonder what SiteGround does to protect your site. The answer is:
- By default, we have set all sites to use the latest PHP 5.2 which has register_globals and allow_url_include turned off. This prevents remote code inclusion and variable poisoning.
- We are running a hardened apache version in chrooted environment with suexec. This makes sure that your website is isolated from the rest of the sites.
- We have compiled a secure Linux kernel with grsec enhancement. This secures the server against kernel exploits.
- We have sophisticated IDS / IPS systems which block malicious bots and attackers.
Unfortunately, the above is not always enough. Most web applications require constant attention and updates to resolve the latest security vulnerabilities.
In your case we can offer you 2 solutions:
1. Clean and secure the site by yourself. After that you should reopen the ticket about this case so that we can confirm the issue is resolved.
2. Security audit performed by our specialists. We have two options:
- malicious code cleaning - we will remove all the malicious scripts from your account. However, you will have to update your scripts to make sure they are not compromised again. The price is $99.95.
- malicious code cleaning + securing your scripts. This is the complete service in which we will clean all the malicious content and secure your site. If necessary, your scripts will be updated to the latest versions (up to 3 scripts). The price is $199.95.
Please note that if the issue is not resolved within the next 48 hours, we might be forced to take further actions in order to preserve the integrity of the shared server.
Thank you for your understanding and cooperation."
Vulnerable software detected on your account
Re: Vulnerable software detected on your account
Wow, that's interesting! Have you tried connecting to your site via FTP? If you can get in with FTP, you can follow the upgrade procedures located here:
http://docs.moodle.org/en/Upgrading
You may also want to review the latest known security vulnerabilities in Moodle:
It almost sounds like your Moodle site may have been compromised somehow. Did the site get defaced before it went down? You will probably need to check the site over and remove any files that the attacker left behind, and if it did get hacked you might even have to restore your MySQL database from a backup...
Honestly if you don't know how to do any of this, the prices that they offer for fixing the site are reasonable. I'm not sure what they mean by "securing your scripts" for $199.95. Before buying in to anything I would contact your web host via a phone call and discuss the whole problem and repair process in detail.
Hopefully I've steered you in the right direction.
Re: Vulnerable software detected on your account
Have they actually specified how it "has become vulnerable to exploits and hacks and creates a serious threat to the integrity of the shared server"?
I think knowing exactly what the problem is would be a requirement for fixing the perceived issues...
Re: Vulnerable software detected on your account
Good point...
Re: Vulnerable software detected on your account
This is the message I received one week later:
"I am afraid that one week after we have informed you about the problem there is still no progress in solving it. Malicious files continue to appear on your site such as:
public_html/no.php
I am afraid we are forced to close again your site. Please let us know when you are ready to work on it and we will allow your IP.
Best Regards"
I am really frustrated because my students cannot connect to Moodle and I am afraid they will get demotivated.
Re: Vulnerable software detected on your account
So is this file specified (no.php) one you have added, as I can't find it on our 1.9.x install of Moodle?
Re: Vulnerable software detected on your account
So... have you contacted your webhost to regain access to your site so that you can fix the problem?
Re: Vulnerable software detected on your account
They gave me access to my site and I upgraded to Moodle 1.9.10. Again they sent me this message. I don't know what to do, especially since I have 2 courses running now.
"Hello,
Be advised that there are still malicious files in your account, such as:
/home/lmoughli/public_html/no.php
Please clean your hosting account and update this ticket so we can confirm your actions.
We are looking forward to your reply.
Best Regards"
Re: Vulnerable software detected on your account
Time to clean up your site - using Google, the name of your site and "no.php", it took 1 second to find the cached file structure of your open site, which is not at all secure; more likely it was hacked a long time ago.
Old Fantastico-based installs have been vulnerable to cracker attacks many times before, the uploaddata folder is inside the web root, and so on. In your position I would first check the content of that file no.php - it might be the file that crackers have used to control your site (shell script file) - most likely you will find a couple of interesting folders inside your Joomla install or some of your Moodle folders with lots of spam files...
Those Siteground people who have reported security issues on your site are right - so if you can't clean your site, don't hesitate to ask for some help from your host.
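Added example, not part of the original thread or any poster's code: one way to spot files such as no.php that do not belong to the application is to compare the live web root against a freshly unpacked copy of the same Moodle release. The function names, directory layout and sample files are constructed for illustration; config.php is reported as unknown because it is created at install time rather than shipped.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def index_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256."""
    index = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = sha256_file(full)
    return index

def audit_webroot(clean_root, live_root):
    """Return (unknown, modified) file lists for the live web root."""
    clean, live = index_tree(clean_root), index_tree(live_root)
    unknown = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return unknown, modified

def demo():
    """Audit two small constructed trees built in a temporary directory."""
    base = {"index.php": "<?php // front page", "lib/setup.php": "<?php // setup"}
    live = dict(base, **{"lib/setup.php": "<?php // setup, extra line added",
                         "config.php": "<?php // site settings",
                         "no.php": "<?php // not part of the release"})
    with tempfile.TemporaryDirectory() as tmp:
        roots = {os.path.join(tmp, "clean"): base, os.path.join(tmp, "live"): live}
        for root, files in roots.items():
            for rel, body in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(body)
        return audit_webroot(*roots)

if __name__ == "__main__":
    print(demo())
```

Anything in the unknown list that is not site configuration or an intentionally installed plugin deserves inspection, and modified core files should be replaced from the clean copy.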
Re: Vulnerable software detected on your account
If you aren't comfortable with website security I'd suggest the $199.95 is value for money and will be the quickest way to get your website up and running again.
Re: Vulnerable software detected on your account
Thank you all for your help. Since I am not comfortable with site security issues, I just asked Siteground people to do the job.
Re: Vulnerable software detected on your account
Last question: since I have to upgrade my Moodle, is it advisable to use Moodle 2 or just Moodle 1.9.10? Thanks.