A bit of background first...
Last week, the machine hosting our Moodle Web Server crashed. Since then, we've been investigating the possible cause. We've seen spikes in the CPU, and I've noticed some odd requests to SCORM modules using API's which I know we do not use or have enabled.
Anyway, the above could all be completely unrelated to what I'm about to share with you...
Reports > Logs
Here I've discovered some very suspicious activity. 66 Password Resets from 1200 till - well, now. Resets performed by the Main Administrators account for User1 from the Origin of CLI, strange because aren't resets always made through the Web Origin? A Spanish language pack was also updated by the Main Administrator at 0400 and this can only be done by an admin, right? I've since changed the Main Administrators password, and reset the password for User1. Obviously after finding this I went and checked back further through the logs, it happened in February as well, I'm currently downloading a full log to check for all and any other suspicious activity.
Is and if so, how is User1 gaining access to the CLI
We have SSH enabled on our server, so surely she needs this to get to the command line?
Our team noticed that in the cron.php file it states:
// This is a fake CLI script, it is a really ugly hack which emulates
// CLI via web interface, please do not use this hack elsewhere
define('CLI_SCRIPT', true);
define('WEB_CRON_EMULATED_CLI', 'defined'); // ugly ugly hack, do not use elsewhere please
define('NO_OUTPUT_BUFFERING', true);
Could the issue and the user accessing our CLI somehow relate to the above?
Is the System Compromised?
Time | User full name | Affected user | Event context | Component | Event name | Description | Origin | IP address |
12 Apr, 00:15 | Alex Legg | User1 | User: User 1 | System | User password updated | The user with id '4606' changed the password of the user with id '571'. | cli |