Security and privacy

DasNic
Possible Hack? What to do next?

I'm the only administrator for the website that we run using Moodle 2.5.1. I frequently look over the logs and today noticed that there were two "administrator" logins from IP addresses in Africa and China. I've attached what I'm seeing in the pics below.

It almost appears as if fake accounts are being deleted? But they aren't. I can still see them and delete them on my own.

My biggest concern is that this says "System Administrator" and it's being used by someone else. I don't want the course to be deleted, or altered. When I create a new account for the site, I'm still not able to enroll in any courses, so I think it's safe.

I've changed the password to my admin account. What else should I be doing? Should I be worried? Has my site been compromised?



Gmads
Re: Possible Hack? What to do next?

Hi Nic,

Along with the Moodle log, definitely start by taking a good look at the Web server error and access logs. Carefully review the settings in the Web server configuration file. Search for strange-looking scripts or scripts that have been recently modified.

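As an added example (not code from Moodle or from anyone in this thread) of the "search for recently modified scripts" and "restore the original code" advice above: a file-integrity comparison. It hashes every web script under an install root into a manifest, diffs that against a baseline manifest, and separately lists files whose mtime is recent. The scenario it runs against is constructed in a temporary directory; the file names and the injected payloads are illustrative. The baseline must come from a pristine copy (the release archive for the same version), never from the tree you suspect, and mtime is trivially forged, so the "recent" list is a hint while the hash diff is the evidence.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Extensions the web server will execute or serve as code.
WEB_EXTENSIONS = {".php", ".phtml", ".inc", ".js"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of POSIX-style relative path -> sha256 for every web script under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in WEB_EXTENSIONS:
                manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def compare_manifests(baseline, current):
    """Classify files as added (not in the pristine baseline), modified, or missing."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def recently_modified(root, within_days, now=None):
    """Files with mtime newer than now - within_days. mtime is easy to forge: a hint, not proof."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - within_days * 86400
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.stat().st_mtime >= cutoff:
                found.append(p.relative_to(root).as_posix())
    return sorted(found)


def demo():
    """Constructed scenario: take a baseline of a clean tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "config.php").write_text("<?php $CFG->dbtype = 'mysqli';\n")
        (root / "lib" / "moodlelib.php").write_text("<?php function getremoteaddr() {}\n")
        baseline = build_manifest(root)   # in practice: from the pristine release copy

        # Simulated attacker: append a backdoor to an existing file, drop a new webshell
        # (strings only; nothing here is executed).
        (root / "config.php").write_text(
            "<?php $CFG->dbtype = 'mysqli'; eval(base64_decode($_GET['x']));\n")
        (root / "lib" / "cache.php").write_text("<?php system($_REQUEST['c']);\n")
        # Make the untouched file look old so the mtime scan has something to skip.
        old = time.time() - 30 * 86400
        os.utime(root / "lib" / "moodlelib.php", (old, old))

        report = compare_manifests(baseline, build_manifest(root))
        report["recent"] = recently_modified(root, within_days=1)
        return report


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key}: {files}")
```

Run it against a real install by calling `build_manifest` on the unpacked release archive and on the live web root, then `compare_manifests` on the two; anything in `added` or `modified` that is not your own customisation (config.php, themes, local plugins) needs explaining.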
DasNic
Re: Possible Hack? What to do next?

Thanks so much for the reply. So, I made sure to close any security warnings on the site. I'm going to keep an eye on the Moodle Log, and I am having my web server audit the site for malicious code. 

That should cover it, right?

Gmads
Re: Possible Hack? What to do next?

Did the web server access log show anything useful about the unauthorized access?

Basically, yes. Doing strict monitoring, restoring the original code of the web apps installed, keeping an eye on the logs and making sure about the server configuration.

DasNic
Re: Possible Hack? What to do next?

Nothing weird showing up on the web server end. No unauthorized usage. I have another thought that just struck me, though ... is it possible that this is a system cleanup? 

The system is set to delete any unconfirmed accounts after 7 days. Is this report just the system deleting those accounts?

The IP addresses being reported as 0.0.0.0 seem interesting to me. Also, when I click on those IP addresses, the geolocator still gives me a location (West Africa and China, almost always.) Is it that I am getting the geolocation of the "user" that was being deleted? Hmmmmm....


Visvanath Ratnaweera
Re: Possible Hack? What to do next?
Hi Nic

0.0.0.0 is not a valid IP address. Either your server is compromised and the traces deleted, or your server, being Microsoft, got confused: http://support.microsoft.com/kb/822123.

This is what Moodle Docs have to say: http://docs.moodle.org/en/Hacked_site_recovery.
Tim Vaughn
Check Enrolment Period Setting - Re: Possible Hack? What to do next?

I had exactly the same thing happen to me. My students were suddenly being unenrolled one by one! The students suddenly started getting the message "You cannot enrol yourself in this course" when they tried to enter the course. I also found the "user delete" entries in the course log from an IP address of 0.0.0.0. I too thought it was from Africa (Nigeria) because that is where Google maps it.

It turns out that it was not hackers, rather, I had an Enrolment Period set for 30 days for those courses.

The default enrolment duration for manual enrolment can be set in Settings > Course administration > Users > Enrolment methods > Manual enrolment. It can be amended from the default value when enrolling users manually in Settings > Course administration > Users > Enrolled users.

The enrolment duration for self enrolment can be set in Settings > Course administration > Users > Enrolment methods > Self enrolment.

Click on Enrolment duration (be sure to uncheck the box).

You can select how long the enrolment period lasts. After this time, if a user tries to access the course they just get a message saying "You cannot enrol yourself on this course".

Fortunately, Moodle keeps the records of the students and you can re-enrol them. When a user is unenrolled, their grades and other records are not deleted. If a user is unenrolled accidentally, their grades can be restored by going to Settings > Course administration > Users > Enrolled users, clicking 'Enrol users' and making sure that the 'Recover user's old grades if possible' checkbox is ticked in the enrolment options before re-enrolling the user.

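Pulling together Visvanath's point (0.0.0.0 is not a routable address, so a geolocation lookup of it returns whatever default the lookup tool uses, not a real location) and Tim's observation (the 0.0.0.0 "user delete" and unenrolment entries come from scheduled cleanup), here is an added triage script, not code from Moodle or from anyone in this thread. In Moodle 2.x, `getremoteaddr()` falls back to `0.0.0.0` when PHP has no `REMOTE_ADDR`, which is the case for cron run from the command line, so admin-attributed entries with that address are expected for cleanup actions and unexpected for anything else. The script splits the administrator's log entries into cron cleanup, cron entries with an action cron should not perform, entries from an allow-listed network, and entries from any other remote address, which are the ones to check against the web server access log. The sample log, the `System Administrator` display name, the action names, and the trusted CIDR `203.0.113.0/24` are all constructed for the example.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample in the shape of a Moodle 2.x log export (not real data).
SAMPLE_LOG = """\
time,user,ip,course,action,info
2013-09-12 03:00:02,System Administrator,0.0.0.0,Site,user delete,Jane Doe (unconfirmed)
2013-09-12 03:00:02,System Administrator,0.0.0.0,Site,user delete,Ola Bello (unconfirmed)
2013-09-12 03:00:03,System Administrator,0.0.0.0,ENG101,course unenrol,Li Wei (enrolment expired)
2013-09-12 08:15:44,System Administrator,203.0.113.7,Site,user login,
2013-09-12 08:16:10,System Administrator,203.0.113.7,ENG101,course update,section 3
2013-09-12 09:02:31,Student One,198.51.100.40,ENG101,course view,
2013-09-12 22:41:09,System Administrator,198.51.100.23,Site,user login,
2013-09-12 22:42:51,System Administrator,198.51.100.23,Site,user update,Student One
"""

# Actions the scheduled cron job legitimately performs under the admin identity
# (unconfirmed-account deletion, enrolment expiry). Assumed names for this example.
CRON_ACTIONS = {"user delete", "course unenrol"}


def classify_ip(ip, trusted_nets):
    """'local' for 0.0.0.0 (no REMOTE_ADDR, i.e. CLI/cron), 'trusted' for allow-listed
    networks, otherwise 'remote'. Raises ValueError on a malformed address rather than
    silently treating it as safe."""
    if ip == "0.0.0.0":
        return "local"
    addr = ipaddress.ip_address(ip)
    return "trusted" if any(addr in net for net in trusted_nets) else "remote"


def triage(csv_text, admin_user="System Administrator", trusted_cidrs=("203.0.113.0/24",)):
    """Bucket the admin's log entries by where they came from and whether cron should have made them."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    buckets = {"cron": [], "cron_unexpected": [], "trusted": [], "suspicious": []}
    for entry in csv.DictReader(io.StringIO(csv_text)):
        if entry["user"] != admin_user:
            continue
        kind = classify_ip(entry["ip"], trusted)
        if kind == "local":
            # A 0.0.0.0 entry is only explained by cron if the action is one cron performs;
            # a login or a config change with no remote address deserves a closer look.
            key = "cron" if entry["action"] in CRON_ACTIONS else "cron_unexpected"
        elif kind == "trusted":
            key = "trusted"
        else:
            key = "suspicious"
        buckets[key].append(entry)
    return buckets


def suspicious_ips(buckets):
    """Admin actions per untrusted remote address: the addresses to grep for in the access log."""
    return Counter(e["ip"] for e in buckets["suspicious"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, entries in result.items():
        print(f"{key}: {len(entries)} entries")
    for ip, count in suspicious_ips(result).items():
        print(f"check access log for {ip} ({count} admin actions)")
```

The `suspicious` bucket is what the earlier replies mean by looking for unauthorized access in the web server logs: every address there should appear in the access log hitting `login/index.php` around the logged time, and one that does not is a sign the Moodle log entry was written some other way.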