Security and privacy

 
 
Picture of Luca Oppizzi
My Moodle site infected with malware: how to fix it?
 

Hi, I just found my Moodle site was blocked by my browsers, with a message saying it was infected with malware from unrestrictedtouchpad.ru.

Since there's no way to access the admin interface anymore, I wonder where to start to find a fix. I'm running Moodle 2.2 (Build: 20111205).

Thanks for helping!

L.

James Richardson
Re: My Moodle site infected with malware: how to fix it?
 

Hello Luca!

Sorry to hear your site was hacked. This can be hard to fix or it may be an easy fix. When you have a site redirecting to a URL like unrestrictedtouchpad.ru, it is commonly due to code being injected into your .htaccess file.

Start at the .htaccess in your root directory and open it in a text editor. Look for code referencing the hack URL and remove it. You may need to look throughout the file structure to see if any other .htaccess files were compromised as well.

If this does not fix it, you may need to search through command line for and base64_decode hacks. Check this article on how to do this. Hope this helps.

Sincerely

James R

 

 
Average of ratings: Useful (1)
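
Added example, not part of James's post or of Moodle: one way to run both checks from the reply above (injected .htaccess redirects, then base64_decode hacks) against a local copy of the web root, for instance one downloaded over FTP when there is no shell on the host. The function names, the sample tree and its file names, and the list of decoder functions are assumptions made for this sketch.

```sh
#!/bin/sh
# Run against a local copy of the web root (for example one pulled over FTP).
# Every hit is a candidate for manual review, not a verdict.

# Print file:line:text for .htaccess lines that name DOMAIN or send visitors
# to an absolute http(s) URL.
scan_htaccess() (
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    find "$1" -type f -name '.htaccess' -exec grep -HnEi -e "$dom" \
        -e '^[[:space:]]*(RewriteRule|Redirect[A-Za-z]*|ErrorDocument)[[:space:]].*https?://' \
        {} + || true                             # no hits is not an error
)

# List PHP files in two tiers: EVAL-DECODE = eval() wrapped directly around a
# decoder; DECODE-CALL = any base64_decode() call (legitimate code has these).
scan_php() (
    for spec in \
        'EVAL-DECODE:eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        'DECODE-CALL:base64_decode[[:space:]]*\('
    do
        find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
            -exec grep -lEi -e "${spec#*:}" {} + | sed "s|^|${spec%%:*} |"
    done
)

# Build a small constructed tree to exercise the scanners; prints its path.
# The encoded string is a harmless constructed value and is never executed.
make_sample() (
    d=$(mktemp -d) && mkdir -p "$d/moodle/course" "$d/uploads"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteRule ^(.*)$ http://unrestrictedtouchpad.ru/ [R=302,L]' > "$d/.htaccess"
    printf '%s\n' 'Options -Indexes' > "$d/moodle/.htaccess"
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' > "$d/uploads/cache.php"
    printf '%s\n' '<?php $raw = base64_decode($stored); ?>' > "$d/moodle/course/lib.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/moodle/index.php"
    printf '%s\n' "$d"
)

# Demo on the constructed tree; point both scanners at your own copy instead.
root=$(make_sample)
scan_htaccess "$root" 'unrestrictedtouchpad.ru'
scan_php "$root"
rm -rf "$root"
```

Scan the whole downloaded web root rather than only the Moodle folder, and diff any flagged Moodle file against a clean copy of the same release before deleting anything.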
Luca Oppizzi
Re: My Moodle site infected with malware: how to fix it?
 

Thank you James – this is useful information. Well, after some investigation into my .htaccess and other files via FTP and phpMyAdmin, I have found no file that could contain the incriminated code. So it seems the hard way is now open before me... And I have no SSH access to my server (hosted website).

By the way, this is the first time ever that one of my Moodle websites has been hacked. I'm really surprised that it happened – I thought Moodle was way more secure than other CMSs I'm used to. It took me days to put up and implement my site, and I wonder if Moodle is still the way to go, moreover if I can't find a fix!!

Sincerely,

L.

James Richardson
Re: My Moodle site infected with malware: how to fix it?
 

You're welcome Luca!

I wouldn't necessarily blame Moodle for the hack. It's possible that a shell script could have been uploaded to your server that allows access through a base64_decode control panel. The file could have been uploaded to a directory that's outside of the Moodle install directory. The hacker would be able to add malicious scripts anywhere on your server.

If you can contact your hosting company, they should be able to scan your files through shell and find hacks. This is a common request at InMotion Hosting. WordPress is infamous for having hacks uploaded to the server due to out of date themes or plugins being used with a newer version. I hope you can get the hack removed.

Best regards
James R

 

Emma Richardson
Re: My Moodle site infected with malware: how to fix it?

I would check all the descriptions and anything that has been added to the page in question. I had a similar issue and found it in one of the course descriptions (and in several places within the course). View the source on the page where the link is showing up and search for the code there. It should point to where the code has been inserted.
