Moodle in English: Teachers account compromised and course files deleted

Teachers account compromised and course files deleted

by Stephen Bloomer - Friday, March 8, 2013, 4:59 AM

We have just had a teachers account compromised and the students involved deleted the default backup files prior to destroying the data in the course (don’t you love those kids…..)

I have backups of both the front end and back end servers and I thought the easiest way to restore those courses without messing with other courses would be to get one of the course backup files from prior to the attack. My problem is how do I identify the files from the server backup when they are encrypted?

I just thought I would ask the question in case there is an easy way that I have missed prior to bringing the complete backup of the server online which will be a major pain. I asked the question in the security are rather than the backup area as backups are working fine and it is more about finding the encrypted file.

I think it may be time to block teachers form the backup and restore areas…..

Re: Teachers account compromised and course files deleted

by Tim Hunt - Friday, March 8, 2013, 5:34 AM

The file is not encryped.

The file name is, however, unhelpful. (It is a SHA1 hash of the file contents, if you are interested.)

To find the right file, you need to restore your database backup, and if you are going to do that, why not restore the entire site onto a spare server, and just download the file you need from that clone.

If you don't want to got that route, then in the restored database, look in the mdl_files table, and you should be able to find a row for the backup file you are after. That will give you the SHA1 hash that is the filename in moodledata/filepool.

Average of ratings: -

Re: Teachers account compromised and course files deleted

by Stephen Bloomer - Friday, March 8, 2013, 8:28 AM

Thanks for the advice. I thought that would be the case but I thought it would be worth asking the question before putting in a lot of work.

Average of ratings: -

Re: Teachers account compromised and course files deleted

by Ken Task - Friday, March 8, 2013, 7:54 AM

Since you appear to be running a version 2.3.x, the backup file might actually still reside on your server.

Has the cron job run and trash been emptied? Unless you've changed defaults, a file is deleted from the trashdir approximately 4 days from it's placement there.

Logged on as root user and in mooodledata directory:

cd trashdir
ls -lR

Might show something like this:

[root@sos trashdir]# ls -lR
.:
total 4
drwxrwxrwx 3 apache apache 4096 Mar 7 17:42 ab

./ab:
total 4
drwxrwxrwx 2 apache apache 4096 Mar 7 17:42 a3

./ab/a3:
total 2232
-rw-rw-rw- 1 apache apache 2281426 Jan 27 18:50 aba3d3338e892addf8d0127849c587323e31dc82

Then run this:

file -b ab/a3/aba3d3338e892addf8d0127849c587323e31dc82

If the output is:

Zip archive data, at least v2.0 to extract

It's a .mbz backup of a course that can be copied out of the trash and renamed to something.mbz.
One could temporarily copy to web root:
cp ab/a3/aba3d3338e892addf8d0127849c587323e31dc82 /var/www/html/something.mbz

Then, the something.mbz file can be downloaded and through a restore process of your choosing, the something.mbz file can be restored.

You might have quite a few files in the trash, however, to look at. :|

'spirit of sharing', Ken

Average of ratings: -

Re: Teachers account compromised and course files deleted

by Stephen Bloomer - Friday, March 8, 2013, 9:30 AM

Thanks for the help. Looks like we are opening up the full backup. A good test of our recovery

Average of ratings: -

Re: Teachers account compromised and course files deleted

by Steve Kleine - Friday, March 8, 2013, 8:50 PM

I'm not sure of .au law, but in the USA the kid (and by extension, his/her parents if it's a minor) would be on the hook for a federal felony and damages under UCC 1340 as well as other laws.

While it might be above your pay grade, track your time and effort on the recovery and suggest the school bill the parents for recovery time.

Stupidity and criminal activity should be made as painful as possible.

Average of ratings: -

Security and privacy

Teachers account compromised and course files deleted