General help

d.w jones
moodle virus?

I hope somebody can help us.

When we load Moodle we get a red screen with the following: "Content on this website has been reported as unsafe."

We also get the message "Mal/HTMLGen-A has been found on this website."

To make things worse, the home screen now looks untidy, as the windows on the left-hand and right-hand side of the screen.


 
Rick Jerz
Re: moodle virus?

I wonder if this has something to do with your website's SSL certificate. Is ydogtyuthwe.rr.nu where your Moodle normally is at?

 
Cathleen White
Re: moodle virus?

This just showed up for us, too:

Content on this website has been reported as unsafe
ektloskgf.kwik.to
Hosted by:
 
Bret Miller
Re: moodle virus?

Someone has most certainly hacked your website. How they did it, I can't say from that message. It happened to our Drupal website in August using a SQL injection flaw. You need to:

1. Find and clean up the hacked code.

2. Reset your administrator passwords and FTP/SSH passwords.

3. Upgrade your code to close security holes so you don't get re-hacked.

If this is on a hosted account, your provider may be able to scan your account for known hacks. This will catch files, but may not catch code inserted into content if that's how it was done. That was where ours was.

HTH,
Bret

 
d.w jones
Re: moodle virus?

We have gone into the Moodle code in IE9 and in Chrome. We noticed some random code at the start of index.php in IE9 that was not there under Chrome. We deleted the code and the home screen in IE9 came back to normal. The virus alert in Sophos also went away; this explains why Sophos had a virus alert but no virus was found during the scan.

Our Moodle is run on our own servers.

 

Thank you all for your advice and interest in helping.

 
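Bret's step 1 ("find and clean up the hacked code") and the index.php finding above both come down to the same check: compare the live code tree, on the server, against a clean copy of the same Moodle release. A server-side comparison sees the inserted code regardless of which browser the injected page is served to. The script below is an added example written for this thread, not Moodle's own tooling; it assumes you have unpacked a clean copy of the release you run next to the live tree (paths are constructed), and it builds a small constructed pair of trees to show what it reports.

```python
"""Added example: find files in a live Moodle code tree that differ from a
clean copy of the same release (not Moodle's own tooling)."""
import filecmp
import os
import tempfile
from itertools import zip_longest

# Files that legitimately differ between a clean release and a live site
# (the site-specific config is never part of the release tarball).
IGNORE = {"config.php"}


def find_tampered(clean_root, live_root):
    """Return (changed, extra): files whose content differs from the clean
    release, and files present in the live tree but absent from the release."""
    changed, extra = [], []
    for dirpath, _dirnames, filenames in os.walk(live_root):
        for name in filenames:
            live_path = os.path.join(dirpath, name)
            rel = os.path.relpath(live_path, live_root).replace(os.sep, "/")
            if rel in IGNORE:
                continue
            clean_path = os.path.join(clean_root, rel)
            if not os.path.isfile(clean_path):
                extra.append(rel)            # dropped-in file nobody shipped
            elif not filecmp.cmp(clean_path, live_path, shallow=False):
                changed.append(rel)          # release file with edited content
    return sorted(changed), sorted(extra)


def first_difference(clean_path, live_path):
    """Return the 1-based number of the first line that differs, plus both
    lines, so the inserted code can be inspected without reading the file."""
    with open(clean_path, "rb") as c, open(live_path, "rb") as l:
        for n, (a, b) in enumerate(zip_longest(c, l), 1):
            if a != b:
                return n, a, b
    return None


def demo():
    """Build a constructed clean tree and a constructed live tree in which
    index.php has a line prepended and an unknown file has been added."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "moodle-clean")   # hypothetical clean copy
        live = os.path.join(tmp, "moodle-live")     # hypothetical live tree
        release = {
            "index.php": b"<?php\nrequire_once('config.php');\n",
            "lib/moodlelib.php": b"<?php\nfunction moodle_lib() {}\n",
        }
        for root in (clean, live):
            for rel, body in release.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(body)
        # Constructed tampering: a marker line prepended to index.php ...
        with open(os.path.join(live, "index.php"), "wb") as f:
            f.write(b"<!-- constructed-injected-line -->\n" + release["index.php"])
        # ... an extra file that is in no release, and the legitimate config.
        with open(os.path.join(live, "lib", "cache_helper.php"), "wb") as f:
            f.write(b"<?php\n// constructed: not part of any release\n")
        with open(os.path.join(live, "config.php"), "wb") as f:
            f.write(b"<?php $CFG = new stdClass();\n")
        changed, extra = find_tampered(clean, live)
        line_no, _, live_line = first_difference(
            os.path.join(clean, "index.php"), os.path.join(live, "index.php"))
        return {"changed": changed, "extra": extra,
                "first_diff_line": line_no,
                "inserted": live_line.decode().strip()}


if __name__ == "__main__":
    print(demo())
```

Run it against real paths with `find_tampered("/path/to/clean-moodle", "/var/www/moodle")`; every path in `extra` deserves a look, and `first_difference` shows where each changed file was edited. Files under moodledata are data, not code, and are not covered by this comparison.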
d.w jones
Re: moodle virus?

It's back, the red screen. :(

 
Cathleen White
Re: moodle virus?
My network admin has been going through the main index pages manually looking for the code. The mystery page is the "Notifications" page under "Site Administration." It seems to be a redirect page, but we can't find its file. That's our last (known) red screen.
 
Rob Johnson
Re: moodle virus?

The notifications page should be /admin/index.php.

 
Howard Miller
Re: moodle virus?

It won't do. You need to completely delete the Moodle code and replace it with clean code. Hopefully your database and moodledata are unaffected.

The most likely thing is that you had incorrect permissions on the Moodle code. It is vital that the web server user does NOT have permissions to write to the Moodle code area.

 
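A concrete way to check Howard's point about permissions, added here as an example for this thread and not taken from Moodle: walk the code directory and report anything the web server user could write to. Two things make a file writable by that account: a group- or world-writable mode, or the file simply being owned by the web server user (owner write on a 0644 file is enough). The web server account name is an assumption (www-data on Debian-style systems, apache on RHEL-style ones), so the audit takes a uid rather than a name; the demo builds a constructed tree with two deliberately weak modes.

```python
"""Added example: audit a Moodle code directory for files the web server
user could write to, and tighten the modes (not Moodle's own tooling)."""
import os
import stat
import tempfile


def _entries(code_root):
    """Every directory and file under code_root, the root itself included."""
    for dirpath, _dirnames, filenames in os.walk(code_root):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)


def group_or_world_writable(code_root):
    """Relative paths whose mode lets group or others write. Such a path is
    writable by the web server user whatever uid it runs as."""
    found = []
    for path in _entries(code_root):
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append(os.path.relpath(path, code_root))
    return sorted(found)


def owned_by_uid(code_root, uid):
    """Relative paths owned by uid. Pass the web server's uid (for example
    pwd.getpwnam("www-data").pw_uid on Debian-style systems): anything it
    owns it can modify even at mode 0644."""
    return sorted(os.path.relpath(p, code_root)
                  for p in _entries(code_root) if os.lstat(p).st_uid == uid)


def harden_modes(code_root):
    """Clear group/world write bits: directories 0755, files 0644.
    Ownership must be fixed separately as root (chown the tree to an admin
    account that is not the web server user); this function only changes modes."""
    for path in _entries(code_root):
        if os.path.islink(path):
            continue
        os.chmod(path, 0o755 if os.path.isdir(path) else 0o644)


def demo():
    """Constructed Moodle-like tree with two deliberately weak modes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "moodle")          # hypothetical code root
        os.makedirs(os.path.join(root, "lib"))
        for rel in ("index.php", "lib/moodlelib.php"):
            with open(os.path.join(root, rel), "w") as f:
                f.write("<?php // constructed placeholder\n")
        harden_modes(root)                           # known-good starting point
        os.chmod(os.path.join(root, "index.php"), 0o666)   # world-writable file
        os.chmod(os.path.join(root, "lib"), 0o777)         # world-writable dir
        before = group_or_world_writable(root)
        # Stand-in for the web server uid: the owner of the constructed tree,
        # which makes every entry show up as "the web server could write this".
        owned = owned_by_uid(root, os.stat(root).st_uid)
        harden_modes(root)
        after = group_or_world_writable(root)
        return {"before": before, "after": after, "owned_count": len(owned)}


if __name__ == "__main__":
    print(demo())
```

On a real server run `group_or_world_writable` and `owned_by_uid` over the Moodle code directory (not moodledata, which the web server legitimately writes to); both lists should be empty once the code is owned by an admin account with 0755/0644 modes.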
d.w jones
Re: moodle virus?

A new issue has turned up; has anybody else had this appear for them?


 
Ray Morris
Re: moodle virus?

The message means you edited settings on that page and didn't save them. It's asking if you are sure you want to leave the page without saving your settings.

 
Ray Morris
Re: moodle virus?

Before replacing the compromised files with a fresh copy, anyone hacked should save the old files via tar or zip. It's important to save the exact timestamps on the files. Also, take a note of the exact last modified time on the hacked file. It would be wise to save your web server logs from that time, at least 20 minutes before and 20 minutes after.

As Howard said, this indicates improper permissions on the files, allowing the web server to write to them (or suexec, which permits any visitor to edit any file on the site). Along with permission to edit the files the attacker must have had a mechanism to do so, probably a flaw in Moodle. That second part, the mechanism, is something the Moodle community should address.

 

Victims can compare logs and a pattern should emerge with some hints as to where the flaw is.  If anyone has POST logs, that would probably be immensely helpful.

 

PS - I said it's most likely a Moodle flaw. It could also be that all victims were also running some other package like Wordpress or Joomla and the flaw providing the mechanism is in that other package. Comparing server logs would prove or disprove that.

 

 

 

 
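Ray's evidence-preservation steps, carried out in one script: archive the tree so each file keeps its modification time, record the hacked file's mtime, and pull the web server log lines from the 20 minutes either side of it, with a count of which paths received POST requests in that window (the "POST logs" he asks for). This is an added example for this thread, not Moodle's or Apache's own tooling; it assumes the log is in Apache combined format, and the file, its timestamp and the log lines (TEST-NET addresses) are all constructed for the demonstration.

```python
"""Added example: preserve a compromised Moodle tree with its timestamps,
record the tampered file's mtime, and pull the web server log lines from
+/-20 minutes around it (not Moodle's or Apache's own tooling)."""
import os
import tarfile
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone

APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"   # timestamp inside [...] in combined logs


def archive_tree(code_root, archive_path):
    """Archive the tree as-is. tar records each member's mtime, so the
    evidence keeps its timestamps after the live files are replaced."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(code_root, arcname=os.path.basename(code_root))
    return archive_path


def archived_mtime(archive_path, member):
    """Modification time stored for one member of the evidence archive."""
    with tarfile.open(archive_path, "r:gz") as tar:
        return tar.getmember(member).mtime


def mtime_iso(path):
    """Last-modified time of path in UTC, the value to write in the notes."""
    return datetime.fromtimestamp(int(os.stat(path).st_mtime),
                                  timezone.utc).isoformat()


def log_timestamp(line):
    """Parse the [dd/Mon/yyyy:HH:MM:SS +zzzz] field of a combined-log line."""
    start = line.index("[") + 1
    return datetime.strptime(line[start:line.index("]", start)], APACHE_TS)


def log_window(lines, center_epoch, minutes=20):
    """Log lines whose timestamp lies within +/-minutes of center_epoch."""
    center = datetime.fromtimestamp(center_epoch, timezone.utc)
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    return [ln for ln in lines if lo <= log_timestamp(ln) <= hi]


def post_targets(lines):
    """Count POST requests per path: the requests most likely to carry the
    write that modified the file, and the ones worth comparing across victims."""
    return Counter(ln.split('"')[1].split()[1]
                   for ln in lines if ln.split('"')[1].startswith("POST "))


def demo():
    tampered_at = int(datetime(2012, 10, 10, 13, 55, 36,
                               tzinfo=timezone.utc).timestamp())
    # Constructed access-log lines around that moment (TEST-NET addresses).
    log = [
        '203.0.113.5 - - [10/Oct/2012:13:30:00 +0000] "GET /index.php HTTP/1.1" 200 4321',
        '203.0.113.5 - - [10/Oct/2012:13:40:12 +0000] "GET /login/index.php HTTP/1.1" 200 2100',
        '203.0.113.5 - - [10/Oct/2012:13:55:30 +0000] "POST /admin/index.php HTTP/1.1" 200 512',
        '198.51.100.7 - - [10/Oct/2012:14:10:05 +0000] "GET /index.php HTTP/1.1" 200 4389',
        '198.51.100.7 - - [10/Oct/2012:14:20:00 +0000] "GET /index.php HTTP/1.1" 200 4389',
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "moodle")           # hypothetical code root
        os.makedirs(root)
        target = os.path.join(root, "index.php")
        with open(target, "w") as f:
            f.write("<?php // constructed stand-in for the edited index.php\n")
        os.utime(target, (tampered_at, tampered_at))  # constructed mtime
        archive = archive_tree(root, os.path.join(tmp, "evidence.tar.gz"))
        window = log_window(log, int(os.stat(target).st_mtime))
        return {
            "mtime_iso": mtime_iso(target),
            "archive_keeps_mtime": archived_mtime(archive, "moodle/index.php") == tampered_at,
            "window_count": len(window),
            "posts": dict(post_targets(window)),
        }


if __name__ == "__main__":
    print(demo())
```

Against a real site, archive before touching anything, run `mtime_iso` on each file the comparison flagged, and feed the access log lines to `log_window` with that mtime; the `post_targets` output from several victims is what makes the comparison Ray suggests possible.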
d.w jones
Re: moodle virus?

We have now sorted the permissions issue on the folders.

Also upgraded from 2.2 to 2.3.3.

And made the pages HTTPS, and all is well.

 