Security and privacy

Moodle hacked, file permissions in IIS

 
 
Dave Keller
 

Hi all,

We are a school, self hosted Moodle version 2.2.2+, PHP 5.3.10, IIS6 on a Windows server.

Our front page of Moodle was suddenly skewed (blocks weren't lined up) and more importantly antivirus software flags a malicious URL on the page when you view the site in IE. I found a line of malicious code at the top of Moodle\index.php (starting with "php eval" then using the "gzinflate" function). The code is replaced back into the PHP files whenever I manually remove it.

For some reason Chrome/Firefox/Safari do not render the code at the top of the Moodle home page, so all appears well in these browsers. I have also found the malicious code in every index.php in the Moodle folder on the server.

To fix, I am going to upgrade to the latest version of Moodle. I am concerned however that this won't fix the issue.

Before I upgrade, I want to make sure the folder permissions on "C:\inetpub\moodledata" and "C:\inetpub\wwwroot\moodle" are watertight, but I'm struggling to find a guide on what these should be on a Windows server. I have attached a screenshot of the current permissions.

Could anyone be so kind as to give me some guidance? There are a few posts here (this one has been helpful) but being new to Moodle I don't understand it 100%, and I want to get this spot on. TIA for any help!


 
Average of ratings: Useful (1)
Mauno Korpelainen
Re: Moodle hacked, file permissions in IIS
 

Correct me if I am wrong, but most likely IUSR does not need write or modify permissions to C:\inetpub\wwwroot\moodle once Moodle is installed - it should only need write permissions to the moodledata folder (outside wwwroot) and the PHP sessions folder.

 
Average of ratings: -
Howard Miller
Re: Moodle hacked, file permissions in IIS

Yep - the installation instructions (although somewhat Unix-biased) tell you to make sure that the web server user cannot write to the Moodle program directory.

 
Average of ratings: -
Dave Keller
Re: Moodle hacked, file permissions in IIS
 

So you think completely removing the first entry (IUSR) will bring it in line with recommendations?

Thanks for the replies, much appreciated.

 
Average of ratings: -
Howard Miller
Re: Moodle hacked, file permissions in IIS

Just change its permission to 'Read and execute'. What you don't want is write/modify etc.

Sorry, I don't speak Windows but that's the general idea.

 
Average of ratings: -
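
The permission split recommended in the replies above, as an added example that is not part of the original posts: a PowerShell script (assuming PowerShell 2.0 or later is available on the server) that lists allow ACEs giving the web identity write-type rights on the two folders named in the thread and, with `-Fix`, resets them with `icacls`. The account name `IUSR` and both paths come from the thread; the parameter names, the function name and the `-Fix` switch are assumptions of this example.

```powershell
# Added example: audit, and optionally tighten, the web identity's NTFS rights.
param(
    [string]$CodeDir = 'C:\inetpub\wwwroot\moodle',  # Moodle program folder (from the thread)
    [string]$DataDir = 'C:\inetpub\moodledata',      # moodledata folder (from the thread)
    [string]$WebUser = 'IUSR',                       # assumption: on IIS 6 often IUSR_<computername>
    [switch]$Fix                                     # hypothetical switch: apply the change
)

# Rights that allow changing files, plus GENERIC_ALL / GENERIC_WRITE, which
# Get-Acl can report as raw values on inherit-only ACEs.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x10000000 -bor 0x40000000

function Get-WriteAce {
    param([string]$Path, [string]$Identity, [switch]$Recurse)
    $items = @(Get-Item $Path)
    # With -Recurse, also look at children so explicit ACEs deeper in the tree are seen.
    if ($Recurse) { $items += @(Get-ChildItem $Path -Recurse -Force) }
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl $item.FullName).Access) {
            # Match "IUSR" as well as "MACHINE\IUSR".
            $isWeb   = $ace.IdentityReference.Value -match "(^|\\)$([regex]::Escape($Identity))$"
            $canEdit = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            if ($isWeb -and $canEdit -and $ace.AccessControlType -eq 'Allow') {
                New-Object PSObject -Property @{
                    Path = $item.FullName; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

# Program folder: the web identity should appear here with no write-type rights at all.
$bad = @(Get-WriteAce -Path $CodeDir -Identity $WebUser -Recurse)
$bad | Format-Table Path, Rights, Inherited -AutoSize
"{0} write-capable ACE(s) for {1} under {2}" -f $bad.Count, $WebUser, $CodeDir

# moodledata: the web identity is expected to be able to write here.
$dataAce = @(Get-WriteAce -Path $DataDir -Identity $WebUser)
"{0} can write to {1}: {2}" -f $WebUser, $DataDir, ($dataAce.Count -gt 0)

if ($Fix) {
    # /grant:r replaces the account's explicit ACEs only; a write ACE inherited
    # from a parent folder has to be changed on that parent.
    icacls $CodeDir /grant:r "${WebUser}:(OI)(CI)RX" /T
    icacls $DataDir /grant:r "${WebUser}:(OI)(CI)M"
}
```

The script checks only ACEs that name the account directly, so write access granted through a group the account belongs to will not appear in its output. The PHP sessions folder mentioned in the thread also needs write access and is not covered here because its path is not given.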
Dave Keller
Re: Moodle hacked, file permissions in IIS
 

Thanks for your time, it's much appreciated.

 
Average of ratings: -