My Moodle site infected with malware: how to fix it?

Re: My Moodle site infected with malware: how to fix it?

by Luca Oppizzi -
Number of replies: 2

Thank you James – this is useful information. Well, after some investigation into my htaccess and other files via FTP and phpMyAdmin, I have found no file that could contain the incriminated code. So it seems the hard way is now open before me... And I have no ssh access to my server (hosted website).

By the way, this is the first time ever that one of my Moodle websites is hacked. I'm really surprised that it happened – I thought Moodle was way more secure than other CMSs I'm used to. It took me days to put up and implement my site, and I wonder if Moodle is still the way to go, moreover if I can't find a fix!!

Sincerely,

L.

In reply to Luca Oppizzi

Re: My Moodle site infected with malware: how to fix it?

by James Richardson -

You're welcome Luca!

I wouldn't necessarily blame Moodle for the hack. It's possible that a shell script could have been uploaded to your server that allows access through a base64_decode control panel. The file could have been uploaded to a directory that's outside of the Moodle install directory. The hacker would be able to add malicious scripts anywhere on your server.

If you can contact your hosting company, they should be able to scan your files through shell and find hacks. This is a common request at InMotion hosting. WordPress is infamous for having hacks uploaded to the server due to out of date themes or plugins being used with a newer version. I hope you can get the hack removed.

Best regards
James R
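
Added example (not part of the original posts, and not Moodle's or any hosting company's tooling): without shell access, a copy of the whole web root downloaded over FTP, including directories outside the Moodle install, can be scanned locally for the base64_decode pattern described above. The pattern names, the suffix list and the sample files are assumptions constructed for this illustration, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumed for this example): decoded data fed straight
# into eval/assert, decode chains, and very long base64 string literals.
PATTERNS = {
    "eval-of-decoded-data": re.compile(
        rb"\b(?:eval|assert)\s*\(\s*(?:@?\s*\w+\s*\(\s*)*base64_decode\s*\(", re.I),
    "decode-chain": re.compile(
        rb"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode\s*\(", re.I),
    "long-base64-literal": re.compile(rb"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}

def scan_file(path):
    """Return the sorted names of the patterns that match this file."""
    data = path.read_bytes()
    return sorted(name for name, rx in PATTERNS.items() if rx.search(data))

def scan_tree(root):
    """Walk the whole downloaded tree, not only the Moodle directory."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_tree(root):
    """Constructed sample input: two clean files and one inert suspicious one."""
    root = Path(root)
    (root / "moodle").mkdir()
    (root / "uploads").mkdir()
    (root / "moodle" / "index.php").write_text("<?php require('config.php');")
    # A plain base64_decode call on its own is common and is not flagged.
    (root / "moodle" / "lib.php").write_text("<?php $img = base64_decode($row->data);")
    blob = "QUJD" * 60  # harmless filler, 240 base64 characters
    (root / "uploads" / "cache.php").write_text(
        f"<?php @eval(gzinflate(base64_decode('{blob}')));")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hits in scan_tree(build_sample_tree(tmp)).items():
            print(name, hits)
```

A hit is a reason to open the file and compare it against a clean copy of the same release, not proof of compromise; some legitimate code also matches these heuristics.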

 

In reply to Luca Oppizzi

Re: My Moodle site infected with malware: how to fix it?

by Emma Richardson -

I would check all the descriptions and anything that has been added to the page in question.  I had a similar issue and found it in one of the course descriptions (and in several places within the course).  View the source on the page where the link is showing up and search for the code there.  It should point to where the code has been inserted.