Moodle site corrupt?

by Mitchell Jeffery -
Number of replies: 8

Hey guys,

When I logged in and the site redirected me to the home page, this error was output:
Undefined index: u035c0 in /home/mastercourse/public_html/moodle/question/type/randomsamatch/version.php on line 1

but when I tried to edit a quiz, Moodle output these errors to me:

Warning: require_once(HTML/QuickForm/element.php): failed to open stream: No such file or directory in /home/mastercourse/public_html/moodle/lib/pear/HTML/QuickForm/input.php on line 22

Fatal error: require_once(): Failed opening required 'HTML/QuickForm/element.php' (include_path='/home/mastercourse/public_html/moodle/lib/zend:/home/mastercourse/public_html/moodle/lib/pear:.:/usr/lib/php:/usr/local/lib/php') in /home/mastercourse/public_html/moodle/lib/pear/HTML/QuickForm/input.php on line 22

and when I tried to access the site administrator, I was given two AJAX errors:
* line 77 of /lib/ajax/ajaxlib.php: coding_exception thrown
* line 52 of /lib/ajax/getsiteadminbranch.php: call to ajax_check_captured_output()

This site was working last Friday and nothing has been changed, from what I've heard. I've called our hosting service and they aren't able to help with the issue.

Sorry for throwing all these errors at you guys, but I honestly don't know what to do for this one. Thank you in advance!
In reply to Mitchell Jeffery

Re: Moodle site corrupt?

by Mitchell Jeffery -

It looks like the site has been compromised. I've noticed the "element.php" has been changed to "element.php.suspected". What does this mean?

In reply to Mitchell Jeffery

Re: Moodle site corrupt?

by Ken Task -

Ohhhhh ... so something did change ... but now the question appears to be how, by whom, and when?

What version of Moodle?   And a bunch of other questions to follow ... like php version?  OS upon which hosted?   Remotely hosted?  If so, where/with whom?   Who else has access to account via command line?   Got any AV scanner running?   Although I've not heard of a scanner that would leave the file in place and rename it with .suspected.   Moodle certainly not programmed to do that!   Do you have a WordPress in front of the Moodle?   Has the WordPress site been upgraded and is it secure?  If a bot or whatever has gotten into the WP it's possible that from that access, other bot scripts have been injected into files contained in Moodle.

Have you opened the file that's suspect in an ONLINE text editor to inspect the first lines ... top line should be a beginning php tag ... the second line ... if it's been injected might be wwwwwwwaaaaayyyy out to the right such that a text editor might display a $ at the right of the editor on that line.   Might also begin with a base64 line and then a bunch of what appears to be gibberish letters/numbers/characters (which isn't really gibberish).   Most 'infections' on a PHP box aren't really a virus per se (as in Winders), but code that could be called by a spam bot or other bot network.

What is ownership/permissions on files on your site?   Too liberal?

Is it Linux?   Install ClamAV on the box and clamscan the moodlecode/question/type/randomsamatch/ first.  ClamAV will ID many of the php 'infections'.

So we begin the back and forth ... :\

'spirit of sharing', Ken

In reply to Ken Task

Re: Moodle site corrupt?

by Mitchell Jeffery -

So many questions, but I'm going to try to answer them as best as I can.


What version moodle?

The version number is 2015051103.01 and the version name is 2.9.3+ (Build: 20151110)

What version PHP?

5.4.45

OS upon which hosted?

Linux (no version number)

Remotely hosted?

Yes, with Digital Pacific in Sydney, Australia.

Who else has access to account via command line? 

No one

Got any AV scanner running?

Digital Pacific provides protection from specific attacks. The website itself doesn't have one though.

Do you have a WordPress in front of the Moodle?

Yes, I also connect users between Moodle and WordPress with the Edwiser Bridge plugin.

Has the WordPress site been upgraded and is it secure?

No, I currently have WordPress 4.3.3 running the The7 theme. Is it secure? Well, I'm not too sure about that now.

What is ownership/permissions on files on your site?

Not too sure on that one

Is it Linux?

Yes, but it's hosted on a 3rd party server


Other information

I've done a bit of digging and have noticed that someone has attempted a DDoS against the "/xmlrpc.php" directory of WordPress. They attempted this 1533 times over around 2 hours; I've got the IP which attempted it (I say attempted, but I'm not sure whether they were successful or not), but it looks like they were using a VPS. If I remove the ".suspected" from the filename, that works, but I still have the AJAX issue and the non-existent index issue.


Thanks again for taking the time to reply!

In reply to Mitchell Jeffery

Re: Moodle site corrupt?

by Ken Task -

Providers are great for 'easy install' ... but many fail to provide customers with easy ways to upgrade.  Some of that difficulty due to package (shared host or VPS) purchased.   I use wp-cli which enables 'easy' updates to not only plugins of WordPress but core code of WP.   Sorry ... no GUI to that.  You might suggest that to your provider.

WordPress is a possible gateway/hole to the issue with Moodle.

https://codex.wordpress.org/WordPress_Versions

Highest, most secure version is now 4.5 (Apr. 2015)

Since the plugin you have interfaces with Moodle, then I'd say the "Edwiser Bridge plugin' also needs inspecting ... at least ask the providers of the plugin.

Since system is Linux, provider should be able to install clamav on that server - which installs a CLI app as part of that package called clamscan.   Provider should make sure they have the most recent virus definitions before scanning your space.

Provider will have to do that  for you unless you have a VPS and can install software yourself.

I hope that what you've found isn't true SQL injection code cause that would mean there are entries into the DB's for either WP or the Moodle now.   More like a code injection ... insert of malicious code in a php file.

Inspect xmlrpc.php file as well.  Make sure that one is only readable and not executable.   Matter of fact, I'd make sure that ALL/ANY files in both the WP and the Moodle are NOT executable.

Also ask provider to archive your server logs for inspection.   You've already found one culprit attempting access to xmlrpc too many times.   Ask provider to block that IP address.   Can do with Linux as it's capable of routing.

Get DB backups (sql dumps) now ... and a backup of your moodledata directory.

You might need to save your config.php file out into some other area.  Make notes on what other plugins you have for Moodle AND then move the moodle code directory to some other location.

Re-acquire the latest 2.9.5+ code ... copy the config.php file and the other plugins you added into new code directory ... including the Edwiser Bridge (after checking with the provider AND scanning that directory).   This is an upgrade.  Next access to the Moodle would then do an in-series upgrade from your current 2.9.x to the highest currently available 2.9.x.

Make sure NONE of the files in the moodle code are executable.    Ditto for WP files.

Why do that?   Well, you've managed to find .php files but what of hidden files ... those beginning with 'dots' AND because Moodle code has sooooo many php files that could be injected/affected/infected the only way to assure you get them all is fresh code directory.

This is NOT fun, I know ... at the beginning of this year helped an ISD clean up 40 Joomla's that had not been kept up to date.  It took 2 weeks.

Get help from your provider.

Maybe this thread will attract the attention of some true Linux gurus who have had experience with 'cleaning up' a site and offer their advice as well.

'spirit of sharing', Ken
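As an added triage example (not from this thread, and not Moodle or ClamAV tooling), the POSIX shell script below walks a code tree and reports the signs Ken lists in his two replies: files a scanner has quarantined as *.suspected, dotfiles hidden in the code tree, PHP files with an execute bit set, and PHP files whose first lines call eval()/base64_decode() or are far longer than hand-written code. The directory path is assumed, and the sample tree it scans is constructed for the demo.

```shell
#!/bin/sh
# Added triage script (not from the thread or from Moodle/ClamAV): walks a code
# tree and reports the symptoms discussed above. Assumes $1 is the path to the
# Moodle or WordPress code directory; uses only POSIX find/grep/awk/head.

# Print one "REASON path" line per finding.
scan_php_tree() {
    dir="$1"
    # Files a scanner has already quarantined by renaming them *.suspected.
    find "$dir" -type f -name '*.suspected' -exec printf 'QUARANTINED %s\n' {} \;
    # Hidden files inside the code tree (Ken's "files beginning with dots").
    find "$dir" -type f -name '.*' -exec printf 'HIDDEN %s\n' {} \;
    # PHP files with any execute bit set; web code only needs to be readable.
    find "$dir" -type f -name '*.php' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec printf 'EXECUTABLE %s\n' {} \;
    # PHP files whose first two lines call eval()/base64_decode(), or carry a
    # line far longer than hand-written code (the "$ at the far right" sign).
    find "$dir" -type f -name '*.php' | while IFS= read -r f; do
        if head -n 2 "$f" | grep -Eq 'eval[[:space:]]*\(|base64_decode[[:space:]]*\('; then
            printf 'INJECTED-CALL %s\n' "$f"
        elif head -n 2 "$f" | awk 'length($0) > 500 { found = 1 } END { exit !found }'; then
            printf 'LONG-LINE %s\n' "$f"
        fi
    done
}

# Constructed sample tree so the script runs stand-alone; the file contents
# are placeholders, not real Moodle code and not a real payload.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/pear/HTML/QuickForm" "$root/question/type/randomsamatch"
    printf '<?php\nclass HTML_QuickForm_element {}\n' > "$root/lib/pear/HTML/QuickForm/element.php.suspected"
    printf '<?php\n$plugin->version = 2015051100;\n' > "$root/question/type/randomsamatch/version.php"
    printf '<?php eval(base64_decode("PLACEHOLDER"));\n$x = 1;\n' > "$root/question/type/randomsamatch/lib.php"
    printf '<?php\n// dotfile that should not be in a code tree\n' > "$root/.cache.php"
    chmod 755 "$root/.cache.php"
    printf '%s\n' "$root"
}

# Number of findings with a given reason, e.g. count_findings "$root" EXECUTABLE
count_findings() {
    scan_php_tree "$1" | grep -c "^$2 " || true
}

root=$(make_sample_tree)
scan_php_tree "$root"
rm -rf "$root"
```

Run it against the real code directory instead of the sample tree; every reported path is a file to inspect by hand or hand to the provider's clamscan, not proof of infection by itself.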


In reply to Ken Task

Re: Moodle site corrupt?

by Colin Fraser -

Not surprising they have used WordPress to compromise your site, whoever is responsible. An acquaintance in the US was telling me that there are teams of cyberthugs just targeting WordPress to crack a site. Apparently, they take ownership then blackmail the owners into paying a fee to either "fix the problem" or to buy back their own site, returning control to the rightful owner. I have no idea how accurate this is, but he certainly seems to believe it. Some things on the Web are not really illegal in some parts of the world, so it seems. Best to be updating your WordPress regularly.

In reply to Colin Fraser

Re: Moodle site corrupt?

by Mitchell Jeffery -

Yeah, I'm reinstalling Moodle today; probably going to have to search all the WordPress websites too. I found 10 RATs in the Moodle folder itself (Read Here). The next few weeks are going to be hell as I didn't set up these websites. Thanks for all your help guys.

In reply to Ken Task

Re: Moodle site corrupt?

by kai wu -

There is the same issue on my Moodle website.

1. I logged in to my cPanel interface provided by the web host. I clicked [File Manager], then accessed the folder [/public_html/moodle/lib/pear/HTML/QuickForm/]. I found that the file element.php had been renamed to [element.php.suspected].

I renamed [element.php.suspected] to [element.php], and it worked.

But the issue appeared again the next day, and I had to rename the file again and again.


2. I contacted the technical staff of the web host. He told me that the web host scanned all the files on the Linux server with ClamAV (http://www.clamav.net/), an open source antivirus software. The element.php was identified as a virus, then the file was renamed. The technical staff told me he couldn't do anything to solve this issue.


3. I visited the ClamAV (http://www.clamav.net/) website, and sent the element.php file and a message to the administrator. I told them that the element.php file was good and unharmful. I hoped they could add an exception for antivirus scanning. But I haven't got any answers.


4. At last, I installed Moodle 3.1.1 and restored the backup of my Moodle 2.8 courses. It works quite well. The element.php of Moodle 3.1.1 hasn't been renamed by ClamAV any more.

In reply to Ken Task

Re: Moodle site corrupt?

by Mitchell Jeffery -

Just found an SQL injection in the version.php file, as you suspected, so the index error is gone; now it's just the AJAX error, but I have no idea where to look.