Security and privacy

 
 
Lance Hinds
Trying to see if I have been hacked!
 

Hello All,

We are based in Guyana, South America. Over the past couple of weeks we have been experiencing some most peculiar issues. Emails have been sent from our VLE site to participants and facilitators without any rhyme or reason. We are now experiencing another issue where users are saying they are the only ones in the chat rooms, but the course information shows other participants from other courses. We were running version 1.8. We then upgraded to version 1.9 and now it is happening again. Has anyone experienced this? Please advise.

 

 
Ken Task
Re: Trying to see if I have been hacked!

Not a security expert, but have, unfortunately, had first-hand 'experience' - a few years ago. Yes, when running 1.8 and before I learned about making sure Moodle was updated every time a security announcement was made from Moodle HQ (register your site and that automagically subscribes the EMail address to a notifications list concerning security issues).

It would probably help to know what operating system, but ....

If a site has been hacked, the malicious code could be anywhere on the system ... not necessarily in the Moodle directory or code.

While there is a doc on this topic (link below, and note it's not specific to 1.9):

http://docs.moodle.org/23/en/Hacked_site_recovery

Sometimes the only way one can be absolutely sure the server is clean is to wipe it clean ... i.e., format the disk and re-install the operating system (before that, however, making a full Moodle site backup ... code directory ... especially the config.php file), the data directory, and an SQL dump of the DB for Moodle. Before restoring the backup, inspection of all parts of the backup is also in order.

We all learn ... sometimes the hard way.

'spirit of sharing', Ken

 
Lance Hinds
Re: Trying to see if I have been hacked!
 

Thanks Ken,

The site is being run on CentOS. This looks like it is going to be a lot of stress.

Best regards

 

 
Ken Task
Re: Trying to see if I have been hacked!

CentOS ... that's a start! (and good in that it might be fairly easy to 'fix', depending upon factors - less stressful than you think).

Are you remotely hosted? If so, with whom (who is the provider)?

Do you have command line access to the server? (ssh)

Could be that your server has been targeted by a bot of some kind. Check users on the system for 'strange' (by that I mean not normal) users with EMail addresses not normally used by your 'typical clients'. Delete the ones that are unconfirmed - and take note of their domains (funnyuser@some.info - 'some.info' is the domain).

If the server is set up for EMail-based registration, one might have to limit the EMail addresses to known domains of your typical clients - reject those domains you noted above.

You say you've upgraded to version 1.9 … the highest/most secure version is 1.9.19+.
How did you do that? Reason I ask: the file/files of the 'infection' *could* (not saying they are) still be there and accessible by whomever.

Does this involve only chat? i.e., that's the only place one sees 'strange behavior'?

'spirit of sharing', Ken

 

 
Ken Task
Re: Trying to see if I have been hacked!

Not heard back, so maybe you've already started the cleanup or strategizing ... but thought I'd ask a few more questions ...

The teachers and participants that are receiving EMails ... are the EMails really sent from a forum in a course of your Moodle? The message body could be made to look like that's the case. Check the full header of one of those messages to see from where the message originates. Read the header looking at the Received lines ... bottom up ... not top down.

Are there any forums in any courses where someone has managed to set permissions for guest access, so that guest accounts can also post?

As far as mail goes, Moodle only requires an MTA (mail transfer agent), which means your Moodle server doesn't need to be set up to receive mail other than from itself.

Also, one place to check is server logs ... for mail on CentOS:

/var/log/maillog

Also suggest opening any .php file you find in the Moodle code directory at its root (as well as any .php file in forums and chat - since you mentioned those) to see if there are base64 eval lines ... they will be at the top of the file.

Anyway ... let's hear back on your progress ... or lack of ... of latest events.

'spirit of sharing', Ken

 

 
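As an added example (not from this thread and not Moodle's own code), a small Python check in the spirit of Ken's advice: it reads the top of each .php file at the Moodle root and in the forum and chat modules, flagging eval() fed by a decoder and long base64 string literals. The regexes, the directory list and the constructed demo() tree are this example's own assumptions.

```python
"""Flag obfuscated PHP prepended to Moodle files (added example, not Moodle's own code)."""
import os, re, sys, tempfile

# Heuristics (this example's own assumptions): eval() fed by a decoder/inflater, or a
# long base64 string literal, within the first HEAD_LINES lines of a .php file.
SUSPICIOUS = {
    "eval-of-decoded-payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{100,}={0,2}['\"]"),
}
HEAD_LINES = 20  # injected code is usually prepended, so only the top of each file is read

def scan_file(path):
    """Return [(line_no, label)] for suspicious lines among the first HEAD_LINES lines."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if no > HEAD_LINES:
                break
            hits.extend((no, label) for label, pat in SUSPICIOUS.items() if pat.search(line))
    return hits

def scan_tree(root, subdirs=("", "mod/forum", "mod/chat")):
    """Scan .php files at the Moodle root and in the forum and chat modules."""
    findings = {}
    for sub in subdirs:
        d = os.path.join(root, sub)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if name.endswith(".php") and os.path.isfile(p):
                hits = scan_file(p)
                if hits:
                    findings[os.path.relpath(p, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Build a constructed tree (one clean file, one with a prepended eval) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "mod", "chat"))
    clean = "<?php\nrequire_once('../../config.php');\necho 'ok';\n"
    payload = "aGVsbG8=" * 20  # constructed filler, not a real payload
    injected = f"<?php eval(base64_decode('{payload}'));\n" + clean
    with open(os.path.join(root, "index.php"), "w") as f: f.write(clean)
    with open(os.path.join(root, "mod", "chat", "view.php"), "w") as f: f.write(injected)
    return scan_tree(root)

if __name__ == "__main__":
    for path, hits in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()).items():
        print(path, hits)
```

Run it with the Moodle code directory as its only argument; with no argument it scans the constructed temp tree. A hit is a prompt to diff that file against a pristine copy of the same Moodle release, not proof of compromise on its own.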
Lance Hinds
Re: Trying to see if I have been hacked!
 

Hi Ken, We have taken the server and are investigating. Mail appears to come from the Moodle platform, but we will take a look as per your suggestion. Will let you know what we find out. Thanks for the input.

Best regards

Lance

 

 

 