Issues with a virus in Moodle 3.0.2+

by Luis Pu -
Number of replies: 7

Hello,

I have a Moodle platform in version 3.0.2+. One month ago I had issues with a virus in my site and a lot of files were infected.

I deleted the infected files, but currently my website is infected again. I am going to delete these infected files again, but I have some questions.

How can I see the vulnerability in my website?

How can I protect my website and avoid future attacks? I don't want to have issues with a virus again.

Is the database infected? (Is this possible?) How can I fix it?

Thank you.

Regards



In reply to Luis Pu

Re: Issues with a virus in Moodle 3.0.2+

by Bret Miller -

Honestly, 3.0.2+ has some security issues. I would follow the steps to upgrade to 3.0.5+ so you have the latest security patches. Other places to look would be at PHP. PHP also regularly releases security fixes. If you don't keep it updated, hackers can use the vulnerabilities to infect your site.

3.0.5+ shouldn't contain any major changes, just fixes from the 3.0.x branch.

In reply to Bret Miller

Re: Issues with a virus in Moodle 3.0.2+

by Luis Pu -

Thank you for your answer.

I will update to version 3.0.5+.

About my questions mentioned before, can you answer them? Please.

Thank you.

Regards.



In reply to Luis Pu

Re: Issues with a virus in Moodle 3.0.2+

by Ken Task -

About the only thing anyone knows is what you've shared so far ... moodle version.  So that's about the only thing anyone could advise upon - which Bret did.

Same virus as before?   What was it?  Trojan affecting php scripts or ?

Got other apps running on server ... like WordPress or a Joomla?   Are they the hole?

What are ownership/permissions on all files/folders pertaining to anything accessible by users with a web browser?

Operating system updates?

Have a look here: https://docs.moodle.org/31/en/Security

https://docs.moodle.org/31/en/Security_FAQ

DB ... https://www.google.com/search?q=virus+that+affects+MySQL&ie=utf-8&oe=utf-8

'spirit of sharing', Ken


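Ken's question about ownership and permissions on the web-accessible files can be turned into a quick audit. The script below is an added example, not code from this thread or from Moodle: it lists everything under a web root that is world-writable, and everything owned by the web server account (which, under the layout the Moodle docs recommend, should only be moodledata, never the code directory). The web root path and the web server user name (`www-data` is assumed) are placeholders to adjust for your host.

```shell
#!/bin/sh
# Added example (not from the thread). Audit a web root for permission problems
# that let the web process, or anyone, rewrite application code.
# Usage: audit_webroot /var/www/html www-data   (both arguments are assumptions)

# Every file or directory under $1 that is writable by "other" (mode ...2).
# Symlinks are skipped because their mode bits are not meaningful.
find_world_writable() {
    find "$1" -perm -0002 ! -type l 2>/dev/null
}

# Every file or directory under $1 owned by user $2 (the web server account).
# Code owned by the web user can be rewritten by any bug in the web app itself.
find_owned_by() {
    find "$1" -user "$2" ! -type l 2>/dev/null
}

# Print both lists with a one-line summary; exit status 1 if anything is world-writable.
audit_webroot() {
    ww=$(find_world_writable "$1")
    ob=$(find_owned_by "$1" "$2")
    [ -n "$ww" ] && printf 'World-writable:\n%s\n' "$ww"
    [ -n "$ob" ] && printf 'Owned by %s:\n%s\n' "$2" "$ob"
    ww_count=$(printf '%s' "$ww" | grep -c .)
    ob_count=$(printf '%s' "$ob" | grep -c .)
    printf 'Summary: %s world-writable, %s owned by %s\n' "$ww_count" "$ob_count" "$2"
    [ "$ww_count" -eq 0 ]
}
```

On a Moodle host the expected result is zero world-writable entries, and the "owned by web user" list limited to the moodledata directory; any PHP file in either list is worth a look.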
In reply to Luis Pu

Re: Issues with a virus in Moodle 3.0.2+

by James McLean -

Do you run any other services/vhosts on your server? WordPress, Drupal, Joomla etc? These are a more likely avenue for an attacker, especially if you have 3rd party plugins - WordPress is famous for the relative insecurity of 3rd party plugins.

Moodle itself is very secure out of the box and quite hard to actually get uploaded 3rd party code to execute on the server - again this is the core distribution, and assuming you have your permissions configured correctly. 3rd party modules may not be as secure and may have holes in them.

At this point however if you've had malicious code on your server, all data - especially user passwords and content in Moodle and other apps installed - should be considered compromised and your users must be advised so they can take specific steps to protect themselves. You should also consider all shell passwords compromised and all must be changed immediately. Where you are located may also have legal requirements around data breach notifications.

My recommendation is to build a new server, and move any data across very very carefully, starting from a fresh install from a trusted source (ie github.com/moodle/moodle). If you do not wish to do this, there is a major risk of the attackers coming back as they often establish persistence, which can be difficult to find; and it would be advised to have a professional security company clean up the system at the very least as they will know what to look for and what to remove when cleaning up the system.

In reply to James McLean

Re: Issues with a virus in Moodle 3.0.2+

by Luis Pu -

Sorry for not sharing more information before. I will explain better.

My Moodle is inside my main website. Example: www.website.es/Moodle

My main website runs on WordPress but it is always updated.  My hosting provider said the hole derives from Moodle.

The infection was a trojan with code injected into the database.  I had .php files with a lot of new characters and files that are not official Moodle.

The users don't have write permissions on any files/folders accessible from the web, only read.

I don't understand why I have been the victim of a hacker, since I had all the recommended security settings activated.

So I installed Moodle again on another server without WordPress, because I will follow your advice.

Thank you very much Ken Task and James McLean.

Regards.

In reply to Luis Pu

Re: Issues with a virus in Moodle 3.0.2+

by Ken Task -

Hope your new installation of Moodle code was via git.   One thing I've learned about using git to update/upgrade moodles ... it has an unintended 'malware detect feature'.   Git does keep track of the byte size of moodle code ... all of it.   One time there was a plugin for authentication that required just one additional line added to an HTML form file.  After installation and some time passed there was an update to Moodle code which I attempted to acquire.   Git wouldn't let me, saying the file I had manually edited didn't match what it knew about and that to keep changes I'd have to commit the changes to my local copy of git.    Showed me the file location/name.

Since I knew I had done that then no problems.

Injected data into DB tables is possible but that means there existed another in-security related ... XSS or other ... vulnerability.   DB server localhost only accessed by only 1 user with that user being in the tables for MySQL as the ONLY user ... those sorts of protections would have to be discovered malware and either altered or used.

So there is more than meets the eye to security now-a-days.

That's why Moodle needs to develop what WP and Joomla already have ... ability to update core code right inside Moodle.

What might seem to be trivial/not important turns out to be not so trivial and more important than one thought.

Git will enable the command line user to easily and efficiently, with little muss or fuss, keep the core code up to date in a matter of minutes.   No excuse, IF you have CLI.

'spirit of sharing', Ken
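The "malware detect feature" Ken describes is git comparing the working tree against the content it has recorded; on a git checkout `git status --porcelain` lists every modified or untracked file in one go. For a Moodle that was installed from a downloaded archive rather than git, the same check can be done with a checksum manifest taken right after a clean install. The script below is an added example, not code from the thread or from Moodle: `make_baseline` records a SHA-256 per file, and `verify_baseline` reports files that were later modified, added or removed. It assumes GNU coreutils `sha256sum` and paths without spaces.

```shell
#!/bin/sh
# Added example (not from the thread). Checksum baseline for a code tree, used to
# spot the "new characters in .php files" and "files not official Moodle" that the
# original poster found, without needing git. Assumes sha256sum (coreutils).
# Usage: make_baseline /var/www/moodle > moodle.sha256   (right after install)
#        verify_baseline /var/www/moodle moodle.sha256   (later, e.g. from cron)

# One "hash  ./path" line per regular file under $1, sorted by path.
# A .git directory is skipped so a git checkout can also be baselined.
make_baseline() {
    ( cd "$1" && find . -type f ! -path './.git/*' -exec sha256sum {} + | sort -k 2 )
}

# Compare the tree under $1 against baseline file $2.
# Prints "MODIFIED path", "NEW path" or "MISSING path" lines (sorted);
# exit status 0 when the tree matches, 1 when anything differs.
verify_baseline() {
    tmp=$(mktemp)
    make_baseline "$1" > "$tmp"
    # First pass loads the baseline into an array keyed by path; second pass
    # walks the current tree: unknown path => NEW, hash differs => MODIFIED.
    # Whatever is left in the array afterwards was in the baseline only => MISSING.
    out=$(awk 'NR == FNR { base[$2] = $1; next }
               {
                   if (!($2 in base))        print "NEW " $2
                   else if (base[$2] != $1)  print "MODIFIED " $2
                   delete base[$2]
               }
               END { for (p in base) print "MISSING " p }' "$2" "$tmp" | sort)
    rm -f "$tmp"
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}
```

Keep the baseline file outside the web root (and ideally off the server), otherwise an attacker who can write code can also rewrite the manifest. A legitimate upgrade will of course show many MODIFIED lines; the point is to take a fresh baseline immediately after each trusted update so that anything appearing between updates is suspect.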