Trying to see if I have been hacked!

Re: Trying to see if I have been hacked!

by Ken Task -

Not a security expert, but have, unfortunately, had first-hand 'experience' - a few years ago. Yes, when running 1.8 and before I learned about making sure Moodle was updated every time a security announcement was made from Moodle HQ (register your site and that automagically subscribes the email address to a notifications list concerning security issues).

It would probably help to know what operating system, but ....

If a site has been hacked, the malicious code could be anywhere on the system ... not necessarily in the moodle directory or code.

While there is a doc on this topic (link below and note it's not specific to 1.9):

http://docs.moodle.org/23/en/Hacked_site_recovery

Sometimes the only way one can be absolutely sure the server is clean is to wipe it clean ... i.e., format disk and re-install the operating system (before that, however, making a full Moodle site backup ... code directory ... especially the config.php file), the data directory, and an SQL dump of the DB for Moodle. Before restoring the backup, inspection of all parts of the backup is also in order.

We all learn ... sometimes the hard way.

'spirit of sharing', Ken

In reply to Ken Task

Re: Trying to see if I have been hacked!

by Lance Hinds -

Thanks Ken,

The site is being run on CentOS. This looks like it is going to be a lot of stress.

Best regards


In reply to Lance Hinds

Re: Trying to see if I have been hacked!

by Ken Task -

CentOS ... that's a start! (and good in that it might be fairly easy to 'fix', depending upon factors - less stressful than you think).

Are you remotely hosted? If so, with whom (who is the provider)?

Do you have command line access to the server? (ssh)

Could be that your server has been targeted by a bot of some kind. Check users on the system for 'strange' (by that I mean not normal) users with email addresses not normally used by your 'typical clients'. Delete the ones that are unconfirmed - and take note of their domains (funnyuser@some.info - the 'some.info' is the domain).

If the server is set up for email-based registration, one might have to limit the email addresses to known domains of your typical clients - reject those domains you noted above.

You say you've upgraded to version 1.9 … the highest/most secure version: 1.9.19+.
How did you do that? Reason I ask: it could be that the file/files of the 'infection' *could* (not saying they are) still be there and accessible by whomever.

Does this involve only chat? i.e., that's the only place one sees 'strange behavior'?

'spirit of sharing', Ken
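The user review Ken describes (unconfirmed accounts, grouped by email domain, and the registration policy that would reject those domains), as an added example that is not part of the thread and not Moodle's own code. It assumes MySQL, the default `mdl_` table prefix, and the standard `mdl_user` / `mdl_config` columns; run it read-only against a copy of the database first.

```sql
-- Added example (not from the thread). Assumes MySQL and the default
-- Moodle table prefix mdl_. All three statements are read-only.

-- 1. Unconfirmed, not-yet-deleted accounts grouped by email domain,
--    most frequent domains first. A burst of unconfirmed accounts from
--    one domain in a short window is the pattern that suggests a
--    registration bot; those domains are the ones to note down.
--    timemodified is used because mdl_user in 1.9 has no timecreated.
SELECT SUBSTRING_INDEX(email, '@', -1)   AS email_domain,
       COUNT(*)                          AS unconfirmed_accounts,
       MIN(FROM_UNIXTIME(timemodified))  AS earliest_seen,
       MAX(FROM_UNIXTIME(timemodified))  AS latest_seen
  FROM mdl_user
 WHERE confirmed = 0
   AND deleted   = 0
 GROUP BY email_domain
 ORDER BY unconfirmed_accounts DESC, latest_seen DESC;

-- 2. The same accounts listed one per row, so each can be reviewed
--    before it is deleted through the admin UI (Site administration >
--    Users), which also cleans up the user's related records.
SELECT id, username, email, auth,
       FROM_UNIXTIME(timemodified) AS last_modified
  FROM mdl_user
 WHERE confirmed = 0
   AND deleted   = 0
 ORDER BY timemodified DESC;

-- 3. Current self-registration and email-domain policy. An empty
--    registerauth means self-registration is off; allowemailaddresses
--    and denyemailaddresses hold the domain allow / deny lists that
--    implement the "limit to known domains" step. Change them through
--    Site administration rather than with UPDATE, so caches stay valid.
SELECT name, value
  FROM mdl_config
 WHERE name IN ('registerauth', 'allowemailaddresses', 'denyemailaddresses');
```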