Hack Detection and Repair

by Avrila Klaus

This isn't Moodle-specific but it relates to the server I host Moodle on, and I'm hoping that the community will be able to point me in the right direction.

Some suspicious files have shown back up on my server after I deleted them about a month ago. When I deleted them I also brought some outdated software up to current, so I thought that would keep it from happening again, but apparently not.

How can I find out where this is coming from, in order to plug the hole? Is there a good scanning program for this that is also free or very affordable (startup on a shoestring here)? Or is there something I could be looking for in log files?

Thank you!

In reply to Avrila Klaus

Re: Hack Detection and Repair

by Timothy Kaemmerer

Well, we need to know a little bit about your server and the nature of the problem first.

What OS is your server running? If Linux, do you have access to a command line shell? Also, what kind of files are they and where (i.e., in /tmp or your home directory)? If Linux, run the command "file (path of file)" and post what kind of file it is and also give the name of the file. You might try uploading the suspicious files to http://www.virustotal.com.

The Hacked Site Recovery page was just updated recently and has some pertinent information to get you started.
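An added example, not part of either post: a small shell helper that records the details the reply asks for (name, location, and type as reported by file) plus owner, modification time and SHA-256, before a suspicious file is deleted again. The function names triage_file and triage_dir are hypothetical, and GNU coreutils (stat -c, sha256sum) is assumed.

```shell
#!/bin/sh
# Added example: capture what each suspicious file is before removing it,
# so the details can be posted to the forum or looked up by hash.
# Usage after sourcing:  triage_file /tmp/suspect   or   triage_dir /tmp 30

# triage_file PATH -> one tab-separated line:
#   path, type (from file(1)), owner, modification time, sha256
triage_file() {
    f=$1
    if [ ! -e "$f" ]; then
        printf '%s\tmissing\n' "$f"
        return 1
    fi
    # file(1) identifies content by its magic bytes, not by its extension.
    if command -v file >/dev/null 2>&1; then
        ftype=$(file -b -- "$f")
    else
        ftype='unknown (file(1) not installed)'
    fi
    # GNU stat: %U = owner name, %y = last modification time.
    owner=$(stat -c '%U' -- "$f")
    mtime=$(stat -c '%y' -- "$f")
    # The hash identifies the file without executing it and can be
    # searched on VirusTotal instead of uploading the file itself.
    hash=$(sha256sum -- "$f" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\n' "$f" "$ftype" "$owner" "$mtime" "$hash"
}

# triage_dir DIR DAYS -> triage every regular file under DIR that was
# modified within the last DAYS days.
triage_dir() {
    find "$1" -type f -mtime "-$2" -print | while IFS= read -r p; do
        triage_file "$p"
    done
}
```

The owner column shows which account wrote the file, and the modification time gives a window to search for in the web server and FTP/SSH logs.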