General help

moodle virus?

Picture of Ray Morris
Re: moodle virus?

Before replacing the compromised files with a fresh copy, anyone hacked should save the old files via tar or zip.  It's important to save the exact timestamps on the files.  Also, take a note of the exact last modified time on the hacked file.  It would be wise to save your web server logs from that time, at least 20 minutes before and 20 minutes after. 

As Howard said, this indicates improper permissions on the files, allowing the web server to write to them (or suexec, which permits  any visitor to edit any file on the site).  Along with permission to edit the files the attacker must have had a mechanism to do so, probably a flaw in Moodle.  That second part, the mechanism, is something the Moodle community should address.


Victims can compare logs and a pattern should emerge with some hints as to where the flaw is.  If anyone has POST logs, that would probably be immensely helpful.


PS - I said it' most likely a Moodle flaw.  It could also be that all victims were also running some other package like Wordpress or Joomla and the flaw providing the mechanism is in that other package.   Comparing server logs would prove or disprove that.




Average of ratings: -
Picture of d.w jones
Re: moodle virus?

we have now sorted the permissions issue on the folders.

also upgraded from 2.2 to 2.3.3

and made the pages https , and all is well.

Average of ratings: -