URGENT HELP!! ADMIN ACCOUNT HACKED

URGENT HELP!! ADMIN ACCOUNT HACKED

by Deb Smith -
Number of replies: 18

This past Friday or Saturday my admin account was hacked.  Saturday I was unable to login, but at that point there were no outward signs that it had been hacked.  I requested a password reset, but never received an email regarding this.  So I tried to set up the Admin account again and was successful....EXCEPT that it is an ordinary student account with the username Admin, NOT the administrator's account. That shouldn't have happened, as there had been an account with the username admin on the site up until two days before, so this really concerned me.

 

HELP!  I cannot add new courses, grade papers or anything because I cannot access the administrator's account.  Does anyone have any advice?  I obviously cannot put the site in maintenance mode without admin privileges, and support can't seem to figure out the problem.  They tried restoring the site with a database backup, but for some reason that restored the site to a point 222 days ago instead of to the date of the database backup.  I am frantic, as this is a busy time of year for enrollments, and I'm afraid the hacker is stealing money that should be coming to me.

 

Does anyone know how I can locate the hacker's password and login info so that I can regain control of my classroom?  I have cPanel and FTP access still, so I can access the databases, but I am at a loss where to look.

 

I am using 1.9.10+

Average of ratings: -
In reply to Deb Smith

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Grant Mucha -

Hello Deb,

Well since Moodle runs on PHP/MySQL I would simply access phpmyadmin and reset the admin password to start. Then see if you can login.

Check the table mdl_user for the user admin

"password" - 98c16a9065081a69b8425a57b04c09b0

user - admin

pass - password

Simply replace and test this for the admin login.

Good luck!

PS - I just saw this if for 1.9.10+ (We are using 2.0.2)

Average of ratings: -
In reply to Grant Mucha

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Deb Smith -

Hmmm, not working, but the site just isn't functioning correctly ever since the hack.  I just don't know what else has been messed with.  I was able to login, but it just took me to the student admin account, which doesn't allow me to access the Administrator's panel.  I assume there would be no delay after I edit the database?

Yesterday support used database backups I had made a week or so ago to replace the hacked ones, but for some reason they restored it to a point 222 days ago, so no students who had enrolled since then were included.  Then they restored it with a more recent backup, but that simply restored the hacker login and my Admin login that was to a student account.   Is there anywhere I can access other users and their passwords to identify who is now using the system administrator account that should be mine?

I have daily backups of all my courses up to the time of the hack, so I can restore grades, etc with that, but not the user names and accounts for anyone who enrolled after the backup was done.  I don't have a problem asking students to recreate their accounts and I manually enroll them, but I sure hate to do that for students who enrolled months ago.  That would be a last resort.

Average of ratings: -
In reply to Deb Smith

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Grant Mucha -

ok next,

Yes the database changes should be instant.

If you don't mind can you send me the link to your website (private message) if you need to. The reason I ask is to check if you have any third party javascript files running.

In the past I have seen hackers edit actual html pages, .htaccess pages which result in all kinds of fun stuff.

Without knowing what the hacker actually did you may want to download 1.9.10 again and overwrite the core moodle files. Obviously take note of your config file so the database settings and connections work fine.

You may want to also make sure that you updated the mdl_user table and even compare the data to a standard install. You could even go as far as just backing up your current mdl_user and replaceing it with the default moodle mdl_user and see if you can gain access (probably best doing this after you've made sure the files are default.

Perhaps confirm

mdl_rold_assignments (check userid) matches the id for admin in mdl_users

I have userid = 2 (admin) in mdl_users

I have roleid = 1 for userid 2 in mdl_role_assignments

Anyway, that is a start...

Average of ratings: -
In reply to Grant Mucha

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Glenys Hanson -

Hi Deb,

Thanks to Colin Fraser - Friday, 11 February 2011, 07:27 AM

"If all else fails and you can access the database via phpMyAdmin, go to the mdl_user table and copy the guest password into the Admin password field. It is encrypted, but the default password for Guest is "guest". You can then log in and change the password. That should get you out of trouble."

In some more detail:

This is what worked for me :

In phpMyAdmin

Click on the moodle database on the left.

In the new window, in the list on the left, find the table mdl_user (it may be on a following page)

Select the file to edit with the "pen" icon.

Change the username to whatever you want but not "admin" (on an online site because of security risk)

Change the password to: guest

Click on the "Go" button at the bottom of the screen.

Log in to your Moodle site with the password "guest"

Change the password in your profile to a very strong one.

If this doesn't work:

Insert:

d41d8cd98f00b204e9800998ecf8427e

as a password. Because MD5("") = d41d8cd98f00b204e9800998ecf8427e, so now your passoword is a empty string. Then login with nothing in the password field.  (Note: don't select MD5)

Thanks to Seiti Yamashiro - Tuesday, 20 March 2007, 11:08 PM

Cheers,

Glenys

Average of ratings: -
In reply to Glenys Hanson

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Deb Smith -

I'll try it, but I can log into the account with the username Admin, but the problem is, it is just a student account now that doesn't give me access to the administrator's control panel.  So I can't put the site into maintenance mode, edit, add or do anything to courses, grade papers, etc.  All I could do if I chose is to enroll in a course!  I need to be able to access the admin account that the hacker obviously took control of, presumably by changing the username but retaining control of the administrator's control panel.

Average of ratings: -
In reply to Glenys Hanson

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Deb Smith -

Changing the username to something other than admin won't let me login at all.  That is entered in the database mdl_user and saved, and in the config.php file and uploaded, but it isn't letting me into the site at all, let alone the System Administrator account.

Strangely, with the same password and admin as the username I was at least able to login, but not into the Administrator's control panel, just into a student account, although the database has it marked as System Administrator.

Average of ratings: -
In reply to Deb Smith

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Glenys Hanson -

Hi Deb,

Who is your site hosted with? Have you asked them for help? They should be worried about accounts getting hacked.

Cheers,

Glenys

Average of ratings: -
In reply to Glenys Hanson

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Deb Smith -

Yes, I checked with them, TMDHosting, and until this occurred, I had been happy with them.  They have some other urgent thing going on and all the support team have been pulled away to work on that.  They have pretty much ignored me the past two days, so I am tearing my hair out.

I would move to another good, affordable host in a heartbeat, but I need to get this site restored first so that I have something left.  I have pre-hack backups of all courses, but if I can't enroll students manually who need to re-register for courses, I am in deep doo-doo.  I have 5 universities currently enrolling in courses, and I am worried that the hacker is hijacking the money that should be coming to me.

Average of ratings: -
In reply to Glenys Hanson

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Deb Smith -

Is there any other place I need to change the username I assign to the System Administrator other than in the mdl_user file of the database and the config.php file?  That is the only reason I can figure why I cannot login now at all.

Average of ratings: -
In reply to Grant Mucha

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Deb Smith -

Grant,

Thanks for the advice, but I checked the mdl_role_assignments database settings and I too have userid = 2 for admin in mdl_users and roleid = 1 for userid d in mdl_role_assignments, so that doesn't seem to be the problem.

I assume that overwriting the core moodle files is what is described in recovering from a hacked site?  If so, I guess I'd better read up on how to do that as my host support team is useless.  I hate the thought of trying that, but I'm not sure I have much choice.

Average of ratings: -
In reply to Deb Smith

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Grant Mucha -

Deb, I read that you also mentioned you saw "hacked by blah" on your website which means they definitely had access to your files somehow.

Use a FTP Client (FileZilla)

Setup the FTP with your credentials

Grab 1.9.11+ from the moodle downloads ( I don't expect much to have changed from 1.9.10 to 11 that would cause your website to not work)

Download the config.php file from your root so you can use it later.

Extract the files to your computer.

Upload the files and overwrite everything.

Replace the config.php file with your old config.php.

I also noticed you use a custom theme (you may want to activate the default theme) otherwise you will have to go through the themes code.

 

** NOTE **

If you have SSH access I would recommend doing a complete backup of all your data.

tar cvzf some-name.tgz *

Average of ratings: -
In reply to Grant Mucha

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Deb Smith -

Thanks so much everyone for your help.  Support found a recent database backup and have restored the site.  Once students re-register I'm now able to manually enroll them and edit the gradebook.  What a nightmare!

Average of ratings: -
In reply to Deb Smith

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Grant Mucha -

Excellent!

What is your plan to secure your current install?

Average of ratings: -
In reply to Deb Smith

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Timothy Kaemmerer -

I know this thread is a month and a half old, but for the future reference of anyone else reading:

- you need to check the legal ramifications of possibly exposing users private data. You are probably required to notify your users and at least tell them to change passwords on any accounts with any service that shared the same password with their Moodle account.

- If you can ssh into the server, it is beneficial to first make a backup of the hacked/infected filesytem for later analysis so you can see how the person got in remove the vulnerability.

- At the first sign of intrusion (or even suspicion of intrusion), I don't think your users would mind too much if you take the site down while you get it sorted out. You're protecting their personal information. Just be sure to let them know so that there is minimal confusion.

- You can make a firewall rule to block connections to the server from all ip addresses and then allow only your ip address. Be careful when doing this since your ip address might change from time to time and you can lock yourself out. If that's the case, allow the block that your IP address is in instead.

- Everything on the system should be considered untrusted until you know to what extent the hacker was able to intrude (Does he have root server permissions or just access to modify certain files?)

- Also, check the modification dates on files (this is mentioned in the wiki as well). You're looking for any application files that were modified around the time of the initial intrusion. These files are suspect.

I'm new here, so if isn't good for me to post to a thread this old, just let me know.

Average of ratings:Useful (1)
In reply to Timothy Kaemmerer

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Tim Hunt -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

This is really good advice. I don't think it matters where you put it.

I wonder if it is worth adding some of this to Hacked_site_recovery on the wiki?

Average of ratings: -
In reply to Tim Hunt

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by Timothy Kaemmerer -

Thank you,

A lot of the information I got was from reading through threads in the Linux-Security forum on linuxquestions.org

There was a very good example where the community helped someone who had their web server hacked to track down exactly where the hacker gained access. It had a lot of good information in it, but I can't find it now.

I agree with putting some of it into the hacked-site recovery page, especially about user notification. Maybe a checklist of things to do if you think you've been hacked.

Here's some other threads from linuxquestions.org that apply to this:

http://www.linuxquestions.org/questions/linux-security-4/dissecting-server-hack-crack-886872/

http://www.linuxquestions.org/questions/linux-security-4/security-references-45261/

Average of ratings: -
In reply to Timothy Kaemmerer

Re: URGENT HELP!! ADMIN ACCOUNT HACKED

by George Henley -

Thank's for the advises!

But it's really interesting to know, what "holes" can cause such a situation?

I think it's not a simple password-on-sticker-on monitor-writing...

Average of ratings: -