Upgrade? Hostmonster? Malware? Help?

by Clark Moodler -
Number of replies: 3

Hi everyone,

So I recently had all my sites shut down by Hostmonster - some were out of date and apparently had some malware via WordPress and Moodle.

I'm currently seeing a couple things that I'd either like to fix, or know how to upgrade (without losing all my courses, etc.)... please help!

First, in the error log on Hostmonster, I'm seeing a bunch of these from the last month or two

[20-Jan-2016 02:28:54 America/Denver] PHP Warning:  Creating default object from empty value in /home6/mydirectory/public_html/mysite/moodle/theme/standardlogo/config.php on line 9
[20-Jan-2016 08:39:01 America/Denver] PHP Warning:  Creating default object from empty value in /home6/mydirectory/public_html/mysite/moodle/theme/standardlogo/config.php on line 9

Next,

I see there are tons of these email messages to the account, 4 of them every 15 minutes, having something to do with the cron.php:

Return-path: <root@host305.hostmonster.com>
Envelope-to: me@host305.hostmonster.com
Delivery-date: Sat, 23 Jan 2016 02:15:03 -0700
Received: from me by host305.hostmonster.com with local (Exim 4.84)
	(envelope-from <root@host305.hostmonster.com>)
	id 1aMuHe-0001oR-NR
	for me@host305.hostmonster.com; Sat, 23 Jan 2016 02:15:02 -0700
From: root@host305.hostmonster.com (Cron Daemon)
To: me@host305.hostmonster.com
Subject: Cron <me@host305> cd '/home/mydirectory/public_html/mysite/moodle/admin/' ; /ramdisk/bin/php4 -q 'cron.php' > /dev/null ;
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <MAILTO=me>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/home6/me>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=cme>
X-Cron-Env: <USER=me>
Message-Id: <E1aMuHe-0001oR-NR@host305.hostmonster.com>
Date: Sat, 23 Jan 2016 02:15:02 -0700
X-Identified-User: {3088:host305.hostmonster.com:me:mysite.com} {sentby:program running on server, non-smtp}

/bin/sh: /ramdisk/bin/php4: No such file or directory

Notably, 1 of the 4 messages I'm getting like that is from a different instance of Moodle and a different directory which I deleted last week (and I also deleted the database...).

Anyway, I'm wondering how to deal with this, and/or how I can upgrade to a newer version of Moodle (BTW, I can't get to the web sites via the web right now; I have to do everything via cPanel until it's all cleaned), which, I was hoping, would take care of all this... would appreciate your assistance!
clark



In reply to Clark Moodler

Re: Upgrade? Hostmonster? Malware? Help?

by Usman Asar -

Clark, what versions were you on when your Moodle was working?

Also, you mentioned deleting all databases, but a database can't get any virus, for they are simply text files; if there is any malware, then it should be in the moodledata folder, if someone has uploaded an infected file.

One possibility: it seems like they are upgrading their core O/S from CentOS to CloudLinux, for I have seen CloudLinux showing false positives on Moodle (one of my hosting providers is making use of it and getting false positives).

Have you checked your sites with online malware tools? There are a few free ones available. I believe Ken will be able to point you in the right direction to check for malware, but here are a few listed:

https://www.virustotal.com/

https://app.webinspector.com/

http://scanurl.net/

One thing I can suggest is getting the things that you deleted restored, as I think HostMonster keeps 1 month of backups as complimentary. Then download the files to your local system and do the upgrade while checking for any malware/viruses; you will be able to do the upgrade locally as well, then you can upload to the host as a new Moodle installation.

In reply to Clark Moodler

Re: Upgrade? Hostmonster? Malware? Help?

by Ken Task -

A couple of clues in the info shared so far ... the 'standard' theme is from a version 1.9 of Moodle.   Using cPanel (I don't use cPanel so you'll have to figure out what app to use), open the version.php file located in the moodle code directory:

/home/mydirectory/public_html/mysite/moodle/version.php

That file contains the version of Moodle.  Please verify it is a version 1.9.x.

The other clue ... the email about cron shows a /ramdisk/bin/php4 in it.   Didn't think *anyone* ran PHP 4 anymore.   The hosting provider needs to check into that one.

It would help if your provider had clamav installed and scanned your code directories.  Tell them NOT to attempt removing files, just identifying which PHP files are 'infected'.  If they host Linux, they should know how to do that!

Now what to do to clean things up .... double trouble IF you desire NOT to lose both the WP and the Moodle.   Since this is a Moodle forum, will attempt to address that first.

The most *important file* you have in the moodle code is the config.php file.   Download that file ... NOW ... not later.   Then open that file using a text editor on your local machine.  Normally, open-sourced apps are 'infected' by 'injections' of malicious code lines that execute something.  Won't infect your local machine 'cause nothing on your machine 'executes' when opening the config.php file with a text editor.   What we are looking for is lines that don't belong there.  I know, you don't know what doesn't belong and neither would I without seeing it.  But, they might contain a line like

eval(base64_decode ... and then a bunch of what looks to be random numbers letters.

If your config.php file does NOT contain such lines, it's NOT infected.

Also strongly advise making a backup of the data directory ... the moodledata directory for Moodle and downloading that as well.    Also, a DB dump of the DB used for Moodle.    There's a good chance that the data in there doesn't contain anything malicious.

How to do that with cPanel might require someone who uses cPanel and/or help from the technical support of the provider.

To eradicate such 'infections' one simply puts the new code in the moodle directory.   IF you have backed up, remove the contents of the moodle directory ... leave the moodle directory.  And put **in** the moodle directory of your site FRESHLY downloaded moodle files obtained from downloads.moodle.org.   Think you need the 1.9 version - which will be the highest/most secure version of 1.9 and will result in a minor upgrade of your Moodle when hitting the cleaned up site the first time.  Once those files are in place, upload your checked config.php file into the moodle directory.

Check ownerships/permissions on all files/folders in the moodle code directory.

Then hit the site with browser.   If everything done correctly then that should throw you into the upgrade mode.  Step through and upgrade.   Fingers crossed.   ** YOU DID BACKUP RIGHT? **

Now the WordPress stuff ... if it was WordPress that was the conduit to 'infecting' Moodle, and you leave an outdated WP, then the bots come back and re-infect.

So the same general process with WP ... *BACKUP*, DB DUMP of the database for WP.  Download the backups.

Get the most important file for your WP downloaded and inspected: wp-config.php (like you did for the config.php file of Moodle).  That contains DB name, DB user, etc.

The version of WP you have should be in wp-includes/version.php.

IF you have uploaded any files to WP, they will more than likely be in wp-content/uploads/

Those FILES should be scanned first before downloading.   Download the files/directories in uploads ... WP does create directories for years ... 2013, 2014, etc. and they could contain files as well.

SCAN IT ALL - again, the provider should be able to do that for you.   In this case, think I'd like to be informed as to what the file name was rather than get a copy of an infected file that I would have to clean locally (caution ... potential for infecting your own machine there).  Hopefully, you have a copy of that file locally or can re-acquire it later - reupload, relink, etc.

Then do the same thing with the WP files/directories ... remove them all, upload new WP code, place the wp-config.php you had downloaded into the proper location, then hit the site's admin side.

Ok, check out WP info ... like:

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

https://www.optimizesmart.com/malware-removal-checklist-for-wordpress-diy-security-guide/

Begin FINGER WAG ... keep your software up to date ... even though it's work ... and you'll not have to face this same issue in the future ... END FINGER WAG. ;)

If this is too much ... ask your provider how much it would cost if they did it!

'spirit of sharing', Ken
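The inspection Ken walks through above (look for injected eval(base64_decode ...) lines in config.php and the rest of the code tree, read the release out of version.php, check permissions) can be done with grep and find on the downloaded copy instead of eyeballing each file. The script below is an added example for this thread, not Ken's or Moodle's code; the regular expression, the function names and the /path/to/downloaded/moodle argument are assumptions. It only reads files and never executes PHP, so it is safe to run against a suspect copy.

```shell
#!/bin/sh
# Added example (not from the thread): grep/find triage of a downloaded Moodle
# (or WordPress) code tree for the injected lines Ken describes, plus the
# version and permission checks. Read-only; nothing here executes PHP.

# eval() fed by a decoder is the classic injection shape ("eval(base64_decode(...").
# The decoder list is an assumption covering the usual variants.
INJECT_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)[[:space:]]*\('

# Print each PHP file under $1 that contains a suspicious eval(...) chain.
find_injected_php() {
    grep -rlE --include='*.php' "$INJECT_RE" "$1" 2>/dev/null
}

# Print "file:line:text" for each offending line, so it can be read in a
# text editor without running it.
show_injected_lines() {
    grep -rnE --include='*.php' "$INJECT_RE" "$1" 2>/dev/null
}

# Moodle's version.php sets $release = '1.9.x ...'; print that string.
moodle_release() {
    sed -n "s/.*\$release[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1/version.php" | head -n 1
}

# Files writable by "others" in the code tree: a common sign that something
# outside the account could drop or modify code (Ken's ownership/permission check).
world_writable() {
    find "$1" -type f -perm /o=w
}

# Usage: sh triage.sh /path/to/downloaded/moodle
if [ $# -ge 1 ]; then
    echo "Moodle release: $(moodle_release "$1")"
    echo "--- suspicious eval() lines ---"
    show_injected_lines "$1"
    echo "--- world-writable files ---"
    world_writable "$1"
fi
```

A clean config.php produces no output from the eval check; anything it does print is a line to read by hand before deciding the file is safe to re-upload. The regex only catches the obfuscation shape Ken names, so a match list that is empty is evidence, not proof, and the fresh-code reinstall he recommends is still the actual fix.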


In reply to Ken Task

Re: Upgrade? Hostmonster? Malware? Help? *CORRECTIONS - ADDITIONS*

by Ken Task -

Timed out before I could author this addition ...

Did you do any recent backups of the 1.9 courses before they shut you down?

IF so, you have an option ... in the moodledata directory there are course ID directories ... 1, 2, etc.

1 is your front page and that cannot be restored so forget that one.  But, it might have pics that you uploaded and displayed on front page so get those (SCAN THEM with AV).

The other #'d directories might contain backupdata/ directories and inside there backup.zip files.

Ask the provider to clamscan them.  Download those for sure.   **SCAN THEM again when/after downloading, as the clamscan AV definitions may not have been up to date** for viruses, as they might contain truly infected files ... Word docs, PPTs, PDFs, even image files.  Remove infected files.

If the backups are clean you could wipe out ALL of Moodle ... data directory, code directory, DB and install a fresh/new 2.9 or whatever 2.x Hostgator can host.   Then you could try your luck at restoring those 1.9 backups.

Catch 22 ... student accounts won't be returned to the new, that means their work, quizzes, grades, etc. are also gone, but you'll have the majority of your courses back.

'spirit of sharing', Ken
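Ken's second post describes where the 1.9 course backups live: moodledata/<courseid>/backupdata/*.zip, with directory 1 being the front page and not restorable as a course. The script below is an added example for this thread, not Ken's or Moodle's code; it lists exactly those archives so they can be handed to the provider for clamscan (or scanned locally when clamscan is installed). The function names and the layout assumptions (numeric course directories, a backupdata subdirectory, .zip archives) come from his description; the path argument is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate the course backup archives
# under a Moodle 1.9 moodledata directory and scan them if clamscan exists.

# Print every *.zip under <moodledata>/<digits>/backupdata/, sorted, skipping
# course id 1 (the front page, which cannot be restored as a course).
list_course_backups() {
    d=${1%/}    # tolerate a trailing slash on the argument
    find "$d" -mindepth 3 -maxdepth 3 -type f \
        -path "$d/[0-9]*/backupdata/*.zip" ! -path "$d/1/*" | sort
}

# Scan with clamscan when it is available; otherwise print the list so the
# provider can be asked to scan exactly these files. Infected archives should
# be cleaned or discarded before restoring into a fresh 2.x site.
scan_course_backups() {
    if command -v clamscan >/dev/null 2>&1; then
        list_course_backups "$1" | xargs -r clamscan --no-summary --infected
    else
        echo "clamscan not available here; archives to hand to the provider:" >&2
        list_course_backups "$1"
    fi
}

# Usage: sh list-backups.sh /path/to/moodledata
if [ $# -ge 1 ]; then
    scan_course_backups "$1"
fi
```

Running it before download gives a fixed list of files to scan, download, and scan again locally, which is the two-pass check Ken asks for since the host's clamav definitions may lag behind your own.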