hacking of moodle learning platform


by henri pelissier -
Number of replies: 16

Hello,

Today one of our students has broken into our Moodle learning platform and made substantial changes.

According to the activity report, he was able to enter "course editsection" ("1"), and "course delete mod" ("37"). As he does not know my (the administrator) userid or password, I do not understand how he could hack our site and create a mess. Is Moodle not secure enough to prevent hacking? Not all students are "bona fide"!

We would greatly appreciate an answer, as the site is "fair game" now for this student and all the others to whom he boasts about his hacking.

Thanks!

H. Pelissier

 

In reply to henri pelissier

Re: hacking of moodle learning platform

by Mary Cooch (personal account) -

Well, the first thing would be to check his account details - does he have any other rights above that of a student in individual courses? Was he recorded as having logged in as another user, a teacher perhaps? What version of Moodle are you using?

In reply to Mary Cooch (personal account)

Re: hacking of moodle learning platform

by henri pelissier -

The only right he has is that of a student, with the default permissions and preventions. The "course delete mod" and "course editsection" activity was on his own activity report, as a student. Moodle version: 1.8.

Thanks HP

In reply to henri pelissier

Re: hacking of moodle learning platform

by Helen Foster -

Please see the documentation Hacked site recovery for advice on what you can do.

Please note that, as stated on the Moodle downloads page, support for the 1.8 branch has been discontinued. To prevent your site being hacked in future, you need to upgrade your site.

In reply to Helen Foster

Re: hacking of moodle learning platform

by henri pelissier -

Thanks for the info about recovery and the advice.

Meanwhile I have discovered how the student could get in, by myself emulating his "role". On the front page for the student (after his logging in) the button "turn editing on" (privilege of administrator) appears in the top right corner, to my great surprise. After all, one would expect the default security setting (site administration > permissions > define roles > student) for students to make that impossible. Yet the default "legacy role: student" doesn't take care of that, apparently! So I have to manually "prevent" or "prohibit" a host of unwanted permissions in the long list. Is this the normal way? Or have I overlooked something? I cannot remember having had this problem in a previous version, in which the students were accurately blocked from undesirable (editing, deleting...) permissions.

Thanks again for the help!

H. Pelissier

In reply to henri pelissier

Re: hacking of moodle learning platform

by Mary Cooch (personal account) -

Hello Henri - no, this is not the normal way - can you check in users > permissions > assign system roles that your student doesn't have a role there such as student or teacher? Also, what is the default role for the front page if you look in front page settings?
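
An added example (not part of the thread and not Moodle's own code) of the system-role check suggested above, written as a read-only audit query. The table and column names, context level 10 for the system context, permission value 1 for "allow" and the two capability names follow Moodle's roles schema as assumptions to verify against your version; the sample rows are constructed.

```python
import sqlite3

CONTEXT_SYSTEM = 10  # assumed context level of the site-wide (system) context
CAP_ALLOW = 1        # assumed permission value meaning "allow"
# Assumed capabilities behind the "editsection" / "delete mod" log entries.
EDIT_CAPS = ("moodle/course:update", "moodle/course:manageactivities")

AUDIT_SQL = """
SELECT u.username, r.shortname, rc.capability
FROM mdl_role_assignments ra
JOIN mdl_context c ON c.id = ra.contextid AND c.contextlevel = ?
JOIN mdl_role r ON r.id = ra.roleid
JOIN mdl_user u ON u.id = ra.userid
JOIN mdl_role_capabilities rc ON rc.roleid = ra.roleid AND rc.contextid = c.id
WHERE rc.permission = ? AND rc.capability IN (?, ?)
ORDER BY u.username, rc.capability
"""

def system_level_editors(conn, expected_roles=("admin",)):
    """Users whose system-wide role allows editing, minus roles expected to."""
    rows = conn.execute(AUDIT_SQL, (CONTEXT_SYSTEM, CAP_ALLOW, *EDIT_CAPS)).fetchall()
    return [row for row in rows if row[1] not in expected_roles]

def build_sample_db():
    """Constructed data: student7 holds 'editingteacher' at system level."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mdl_user (id INTEGER, username TEXT);
        CREATE TABLE mdl_role (id INTEGER, shortname TEXT);
        CREATE TABLE mdl_context (id INTEGER, contextlevel INTEGER, instanceid INTEGER);
        CREATE TABLE mdl_role_assignments (roleid INTEGER, contextid INTEGER, userid INTEGER);
        CREATE TABLE mdl_role_capabilities
            (roleid INTEGER, contextid INTEGER, capability TEXT, permission INTEGER);
        INSERT INTO mdl_user VALUES (1,'admin'), (2,'teacher1'), (3,'student7');
        INSERT INTO mdl_role VALUES (1,'admin'), (3,'editingteacher'), (5,'student');
        INSERT INTO mdl_context VALUES (1,10,0), (20,50,4);
        INSERT INTO mdl_role_capabilities VALUES
            (1,1,'moodle/course:update',1), (1,1,'moodle/course:manageactivities',1),
            (3,1,'moodle/course:update',1), (3,1,'moodle/course:manageactivities',1),
            (5,1,'moodle/course:view',1);
        INSERT INTO mdl_role_assignments VALUES
            (1,1,1),   -- admin: administrator role at system level (expected)
            (3,20,2),  -- teacher1: editing teacher in one course (expected)
            (5,20,3),  -- student7: student in that course (expected)
            (3,1,3);   -- student7: editing teacher at SYSTEM level (the problem)
    """)
    return conn

if __name__ == "__main__":
    for username, role, capability in system_level_editors(build_sample_db()):
        print(f"{username}: role '{role}' at system level allows {capability}")
```

The query only inspects role definitions and assignments at the system context; overrides in lower contexts and the front page default role still need checking in the admin interface.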

In reply to Mary Cooch (personal account)

Re: hacking of moodle learning platform

by henri pelissier -

The point is, I left all the students to the default "legacy role", which I thought would be secure. Yet the button "turn editing on" remained on the front page, which shouldn't have been the case! The hacker has taken advantage of this and made a few blocks disappear. Worse even, when I click "turn editing on" the administration block disappears. Also the add blocks drop down menu has disappeared. I am at my wit's end. Any suggestions as to how I can turn eth. back to normal are greatly appreciated. Cheers HP

In reply to Mary Cooch (personal account)

Re: hacking of moodle learning platform

by henri pelissier -

The problem is, that even if the frontpage role is set as "administrator", the "turn editing button" remains on the opening frontpage (upper right corner), so that students can click it and have access to everything. I don't understand this. The version is Moodle 1.9. I wonder if this experience is recognizable. Thanks. H. Pelissier

 

In reply to henri pelissier

Re: hacking of moodle learning platform

by Mary Cooch (personal account) -

Hi Henri. Your front page role should not be set to administrator - it should be set to "none". Then your students should not have the turn editing on button. Can you try that please? If you want, send me a private message through my profile with an admin login and I will take a look at your Moodle site to see if I can spot anything major in terms of security. Up to you.

Average of ratings: Useful (1)
In reply to Mary Cooch (personal account)

Re: hacking of moodle learning platform

by Chris Pangelinan -

I have tried setting the default Frontpage role to Guest just so that visitors can view the announcements and calendar. I noticed that they don't show unless you are an authenticated user and the Guest account is the least intrusive.

In reply to henri pelissier

Re: hacking of moodle learning platform

by Aaron Johnson -

If the site has indeed been hacked I would immediately restore from my most recent 'good' backup, reset the database password, and the admin password, and if you know the names of the student(s) who did this then you can disable their account(s) until your administration can learn how they accomplished the attack.

In your post you make clear that the hack happened today, so I'm sure that losing just one day of Moodle course work would be better than losing your entire site by claiming that it is now 'fair game'...

Also if you are running moodle 1.8 then you can rest assured most likely the hack was accomplished through one of the many security exploits that have been published since 1.8 located here: http://moodle.org/security

Once you get the site back online you should really consider upgrading to either 1.9.12+ or 2.0.3+

In reply to henri pelissier

Re: hacking of moodle learning platform

by 天楊(Tin Yeung), Edwin 劉(Lau) -

I am a student from Hong Kong. Although it may be too late to reply, I just wanted to inform you that Moodle is quite easy to hack if a student really wanted to hack it. WHAT THEY NEED ONLY IS TIME AND THE SKILLS. What they needed to do is just simple, "rip" the PHP and MySQL database then find out the "uid" (the user id) and "key" (password) and decrypt the md5 (an encryption to plain text). Using this method they can get everybody's uid and key, including the administrator! But yeah it takes time, a week or something (because they have homework or they need to play)...

In reply to 天楊(Tin Yeung), Edwin 劉(Lau)

Re: hacking of moodle learning platform

by Richard Oelmann -

The theory might be good Edwin, but surely that presupposes the site being set up in such a way as to allow the student/hacker access to the php/database in the first place? Surely most sites should be set up in such a way as to prevent that happening in the first place?

If you give a hacker access to your core code and database then ANY site is going to be hackable on that basis! The key is whether or not a site is accessible with a modicum of decent security put in place, I would have thought!

Richard

Average of ratings: Useful (1)
In reply to 天楊(Tin Yeung), Edwin 劉(Lau)

Re: hacking of moodle learning platform

by Marcus Green -
Tim you are making vague and generic comments. Post again when you have something specific to say.
In reply to 天楊(Tin Yeung), Edwin 劉(Lau)

Re: hacking of moodle learning platform

by Hubert Chathi -

Assuming they can get access to the database, which is a big assumption, if the site has a somewhat competent admin.  Of course, if you already had access to the database, why bother logging in, when you can just make changes directly?

Anyways, to start with, MD5 is not encryption; it is a hash. Encryption is reversible, if you know the key, while a hash is not (aside from brute force). And yes, there are known weaknesses in MD5 (e.g., it is too fast). Future versions of Moodle will use a different hash (if you have a recent enough version of PHP), which will not be as susceptible to the same issues as MD5.

In reply to 天楊(Tin Yeung), Edwin 劉(Lau)

Re: hacking of moodle learning platform

by crystal Lee -

Hi,


Can you teach and explain some steps? I have one assignment to do for a penetration report for hacking Moodle. I have one Moodle under VMware.

are you have interesting to see information..  


tks

In reply to crystal Lee

Re: hacking of moodle learning platform

by G. M. -

mixed -- wishful thinking...