I was hacked!

I was hacked!

by Robert Leonard -
Number of replies: 3

Sometime in the last 3 days or so.. somebody was able to get into my Moodle 1.9.13 installation and change the text in my "Course/Site Description" block on my site front page!!  I have a couple questions regarding this..  If anybody can give me pointers on this, I sure would appreciate it!

1) Where is this text stored?  Is it in a table in mysql, or in a text file somewhere in htdocs?

2) Where would the change of this block be logged?  Could I find when and possibly who changed this, if it was done through the Moodle Admin interface?

3) If it wasn't done through Moodle, is there any way to determine when it was done?

I am the only Administrator on the site that has the rights to make that change and as far as I was able to determine, nobody logged in as me during the last week, which is when that block was somehow hacked.

Thanks so much!

-Robert

Average of ratings: -
In reply to Robert Leonard

Re: I was hacked!

by Tim Hunt -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

The contents of that block is the 'Description' of the 'Front page couse'. So, it is stored in the mdl_course table in the 'summary' column. The row for the front page course is the one with category = 0.

You set this in the admin inteface using the page 'Front page settings'.

Changes to many admin settings are recorded in the config_log table. Sadly, this particular setting is a special case, so changes are not logged there. Neither are changes logged in the Moodle log table. That could be considered a bug.

Average of ratings: -