Hi, I just found my Moodle site was blocked by my browsers, with a message saying it was infected with malware from unrestrictedtouchpad.ru.
Since there's no way to access the admin interface anymore, I wonder where to start to find a fix. I'm running Moodle 2.2 (Build: 20111205).
Thanks for helping!
Sorry to hear your site was hacked. This can be hard to fix or it may be an easy fix. When you have a site redirecting to a URL like unrestrictedtouchpad.ru, it is commonly due to code being injected into your .htaccess file.
Start at the .htaccess in your root directory and open it in a text editor. Look for code referencing the hack URL and remove it. You may need to look throughout the file structure to see if any other .htaccess files were compromised as well.
If this does not fix it, you may need to search through command line for and base_decode Hacks. Check this article on how to do this. Hope this helps.
Thank you James – this is useful information. Well, after some investigation into my htaccess and other files via FTP and phpMyAdmin, I have found no file that could contain the incriminated code. So it seems the hard way is now open before me... And I have no ssh access to my server (hosted website).
By the way, this is the first time ever that one of my Moodle websites has been hacked. I'm really surprised that it happened – I thought Moodle was way more secure than other CMSs I'm used to. It took me days to put up and implement my site, and I wonder if Moodle is still the way to go, moreover if I can't find a fix!!
You're welcome, Luca!
I wouldn't necessarily blame Moodle for the hack. It's possible that a shell script could have been uploaded to your server that allows access through a base64_decode control panel. The file could have been uploaded to a directory that's outside of the Moodle install directory. The hacker would be able to add malicious scripts anywhere on your server.
If you can contact your hosting company, they should be able to scan your files through shell and find hacks. This is a common request at InMotion Hosting. WordPress is infamous for having hacks uploaded to the server due to out-of-date themes or plugins being used with a newer version. I hope you can get the hack removed.
I would check all the descriptions and anything that has been added to the page in question. I had a similar issue and found it in one of the course descriptions (and in several places within the course). View the source on the page where the link is showing up and search for the code there. It should point to where the code has been inserted.
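
The file checks suggested in the replies above (every .htaccess under the site, plus PHP that executes base64_decode output), written as a script for a local copy of the site pulled down over FTP. This is an added example, not part of any post in the thread; the function name `scan_webroot`, the output labels and the patterns are assumptions, and a match is a lead to inspect by hand rather than proof of compromise.

```shell
#!/bin/sh
# Added example (not from the thread). Run it against a local copy of the
# site, e.g. one downloaded over FTP:
#   sh scan.sh ./site-copy unrestrictedtouchpad.ru
# Function name, labels and patterns are assumptions made for illustration.

scan_webroot() (
    root=$1
    domain=${2:-}   # optional: the domain named in the browser warning

    # Prefix each file name arriving on stdin with a label and a tab.
    tag() { awk -v label="$1" '{ print label "\t" $0 }'; }

    # .htaccess files anywhere under the root, not only the top-level one,
    # that hold a redirect-style directive targeting an absolute URL.
    find "$root" -type f -name .htaccess -exec grep -liE \
        '^[[:space:]]*(RewriteRule|Redirect|RedirectMatch|ErrorDocument)[[:space:]].*https?://' {} + |
        tag HTACCESS-REDIRECT

    # PHP files that execute decoded data: eval()/assert() wrapped around
    # base64_decode() or a similar decoder within the same statement.
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) -exec grep -liE \
        '(eval|assert)[[:space:]]*\([^;]*(base64_decode|gzinflate|str_rot13)[[:space:]]*\(' {} + |
        tag PHP-DECODE-EXEC

    # Any .htaccess, PHP, JS or HTML file that mentions the domain literally.
    if [ -n "$domain" ]; then
        find "$root" -type f \( -name .htaccess -o -name '*.php' -o -name '*.js' -o -name '*.html' \) \
            -exec grep -liF -e "$domain" {} + | tag DOMAIN
    fi
)

# Run only when the script is given a directory argument.
if [ "$#" -gt 0 ]; then
    scan_webroot "$@"
fi
```

Plain uses of base64_decode without eval are not reported, since legitimate code also calls it; files flagged here are the ones to open in an editor first.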