Hey folks. Got a very troubling problem here, and I'm hoping someone who knows more about Apache, etc. will be able to allay my fears.
I'm hosting Moodle 2.6.2 on a Mac running OS X Server 3.1. That uses Apache 2.2 and PHP 5.4.
The moodle directory is in the web root; the data directory is elsewhere on the hard disk. The site is only about a month old.
I woke up this morning to find that Moodle was throwing up the "dataroot is not writable" error.
This made no sense, since I have had it working since late March. I think I chmodded that directory to 707, and I have this line in config.php:
$CFG->directorypermissions = 0777;
I re-chmodded it to 707 remotely, but Moodle still said the directory was unwriteable. I also noted that the data directory was only 28MB!
Searching the Apache error log, I found that an IP address from Taiwan was trying to brute force my server via SSH, just trying one bogus username after the other.
I ran down to the office and was able to restore the data directory from backup, and after a lot of twiddling, I restored access to it by adding everyone execute permissions to the parent directory, despite the fact that I don't think I'd done that when I set it up (I had a lot of problems setting it up, but the data directory part was no problem). We seem to be back in business.
My question is this: With the permissions as I have them set, is there any way someone could have gotten in there and gutted the data directory and/or fiddled with the permissions? I can't find any record of a user being on the system proper during the critical period (I know it was working as of 12:54 AM, because a student submitted her homework then, and the last good copy of the data directory in backup was from 9:22 this morning), and the active firewall didn't block any IPs for multiple failures to login.
I've turned off FTP service, but that just goes to the webroot anyway.
I've turned off remote login via SSH, because I tend to just manage it from another copy of OS X Server and/or Screen Sharing through that.
I've changed the admin account password, but again, I don't see any indication that it was compromised.
Now I'm seeing occasional IPs from places we don't have users trying to do things like list directories and whatnot, which of course they can't.
Obviously this isn't a *NIX or Apache discussion board, but does anything about my setup on the Moodle end sound suspect? I don't understand how a bunch of data could disappear from moodledata, or permissions change. I've been administering Moodle for quite a few years now, but this is my first time administering the hardware/OS too...