Security and privacy

cli should indicate the running of a CLI script - moodlecode/admin/cli/reset_password.php but that's what you are saying right?   Who is user ID 4606?   Get user ID 4606's IP addresses used and backtrack them.

Check that script ... date and contents of the file itself.

Got ClamAV on server?   do a clamscan on code of Moodle.  That will find some code injections ... base64's.

Is webservices turned on?  Probably have that turned on for mobiles, but might consider checking into that area as well.  Smartphone and tables are capable today.

Think you might need to dig deeper info SSH access to server (which I gather is a Linux flavor, but you didn't mention OS details ... like 'flavor' and version).   Does OS have all the latest patches/updates?

If you were on a CentOS box, I'd suggest checking into the secure log.  How many persons have access to accounts on the server?   Has anyone, at any time shared their ssh login/password with another?

While you do have ssh access you've not mentioned if the server is remotely hosted somewhere or not.   The other day, I brought up a CentOS 7 virtual host on Google's cloud.   In less than 2 minutes, according to logs,  other Google VH boxen on the same class C IP block, were already poking and probing the ssh port and testing logins/passwords ... what is called 'noisy neighbor'!!!

'spirit of sharing', Ken

Another thought ... when moodle is first installed, it creates two users ... user 1 is originally the guest account and user 2 is the 'admin' account.  Depending upon the age of your Moodle and if the 'torch' for admin'ing has been passed ... have you checked into that original admin account?  It's set to manual so wouldn't be changed by most other authentication methods unless some did a global thang with all accounts.  Have seen this before ... installer in a hurry and used the same password for admin user of Moodle as root user or other user that could su to root or use sudo.

The table at the bottom of your post looks 'doctored' ... am guessing to obsecure 'sensitive' info?   Did you 'doctor' Affected user?  Shows a User 1 ... which is the guest account.

Did, at any time in the history of your Moodle, or was the admin account's password lost?   There were tricks one could do in version 1.9 whereby the password for guest ... which had to have a value in the db ... could be copied and pasted into something being used to edit the record for the admin user.   Thus admin user could login with no  password.

And, got phpMyAdmin on the box? There's a backdoor ready made if not kept up to date like other software.

Got anything in front of the Moodle ... like a WordPress or Joomla that is less than secure?

'spirit of sharing', Ken

So yesterday after hardening passwords, the password changes seem to have stopped.

Untitled Spreadsheet