Hi,
please excuse my bad English…
In short, we have a Moodle server which was attacked. I think it was
an SQL injection.
In early December the following users were created in the Moodle database:
xxxxxxxxxxx
gui74f5qd
http://some-inexistent-website.acu/some ... _name?.jpg
'"
set|set&set
;print(md5(security_test));
index.php
)
1some_inexistent_file_with_long_name%00.jpg
'fvb588hk9
http://testasp.vulnweb.com/t/fit.txt
<!--
http://testasp.vulnweb.com/t/fit.txt%3f.jpg
';print(md5(security_test));$a='
../../../../../../../../../../etc/passwd
testasp.vulnweb.com
'set|set&set'
!(()&&!|*|*|
"zq86m240n
";print(md5(security_test));$a="
../../../../../../../../../../../../../../../proc/version
"set|set&set"
${@print(md5(security_test))}
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00.jpg
^(#$!@#$)(()))******
../../../../../../../../../../etc/passwd%00.jpg
${@print(md5(security_test))}\
`set|set&set`
;set|set&set;
xxxxxxxxxxx
What you see are simply entries in the field "username" of the table "mdl_user".
Normally we have configured the setting so that it is forbidden to create a user without
authentication. However, somebody managed to create users, and I think
it was an SQL injection.
We update our Debian on a regular basis, and we ran Moodle 2.9.1.
In early December, as I recall, I updated to Moodle 2.9.2 for a couple of days
and then (a week later) to Moodle 2.9.8.
What would you recommend here?
Is this a known bug which can be found on moodle.org? Can it only be fixed by updating
to Moodle 3.0? At the moment we can't update to
Moodle 3.0 because of plugins. Are there alternatives?
My aim is to find out whether there is damage in the existing Moodle systems.
A diagnosis, so to speak...
Of course I want to secure our server in order to prevent SQL injections and other assaults.
Can you get me started here? That would be nice. We are just collecting
any useful information. Are there useful feeds/links to keep us up to date?
Thanks a lot.
Kind regards,
Fabienne
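The username values quoted in the post are a good starting point for the diagnosis Fabienne asks about. The script below is an added example, not part of the original post and not Moodle code: it takes those values (embedded here as a constructed sample, copied as they appear above) and tags each one by the kind of probe it resembles, then summarizes the batch. The signature table and the names `classify`, `triage` and `summarize` are this example's own choices. The `print(md5(security_test))` fragments, the `set|set&set` string and the `testasp.vulnweb.com` host are characteristic of automated web vulnerability scanner probes, so the summary flags them separately; which code path accepted the records is a question for the web server and Moodle logs, not the usernames themselves.

```python
import re
from collections import Counter

# Constructed sample: the username values quoted in the post, without the
# table residue, copied as they appear there (including the "..." elision).
# In practice load them from an export of `SELECT id, username FROM mdl_user`.
SAMPLE_USERNAMES = [
    "gui74f5qd",
    "http://some-inexistent-website.acu/some ... _name?.jpg",
    "'\"",
    "set|set&set",
    ";print(md5(security_test));",
    "index.php",
    ")",
    "1some_inexistent_file_with_long_name%00.jpg",
    "'fvb588hk9",
    "http://testasp.vulnweb.com/t/fit.txt",
    "<!--",
    "http://testasp.vulnweb.com/t/fit.txt%3f.jpg",
    "';print(md5(security_test));$a='",
    "../../../../../../../../../../etc/passwd",
    "testasp.vulnweb.com",
    "'set|set&set'",
    "!(()&&!|*|*|",
    "\"zq86m240n",
    "\";print(md5(security_test));$a=\"",
    "../../../../../../../../../../../../../../../proc/version",
    "\"set|set&set\"",
    "${@print(md5(security_test))}",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00.jpg",
    "^(#$!@#$)(()))******",
    "../../../../../../../../../../etc/passwd%00.jpg",
    "${@print(md5(security_test))}\\",
    "`set|set&set`",
    ";set|set&set;",
]

# Signature table (this example's own, not Moodle's): tag -> pattern.
# Dictionary order is the order in which tags are reported for an entry.
SIGNATURES = {
    # Directory traversal, plain or URL-encoded, and the files it reaches for
    "path_traversal": re.compile(r"\.\./|\.\.%2f", re.I),
    "sensitive_file": re.compile(r"etc(/|%2f)passwd|proc(/|%2f)version", re.I),
    # Encoded null byte, used to cut a filename short before an extension check
    "null_byte": re.compile(r"%00"),
    # PHP code fragments; security_test is the marker a scanner expects to see
    # echoed back if the fragment was evaluated
    "php_code": re.compile(r"print\s*\(\s*md5\s*\(|\$\{@|\$a="),
    "scanner_marker": re.compile(r"security_test"),
    # Shell metacharacter probe that recurs through the batch
    "command_injection": re.compile(r"set\|set&set"),
    # Remote-file style probes and the public test hosts they point at
    "remote_url": re.compile(r"https?://", re.I),
    "scanner_test_host": re.compile(r"vulnweb\.com|inexistent", re.I),
    # Leading or trailing quote: SQL/HTML context-breaking test
    "quote_probe": re.compile(r"^['\"]|['\"]$"),
    # HTML comment or tag injection
    "markup_injection": re.compile(r"<!--|</?[a-z]", re.I),
    # Entries made only of punctuation: parser / expression fuzzing
    "syntax_fuzz": re.compile(r"^[^\w\s]+$"),
}


def classify(value):
    """Return the list of signature tags that match one username value."""
    return [tag for tag, pattern in SIGNATURES.items() if pattern.search(value)]


def triage(usernames):
    """Classify every entry; unmatched entries are kept so nothing is dropped."""
    return [{"username": u, "tags": classify(u)} for u in usernames]


def summarize(results):
    """Aggregate a triage: per-tag counts, unclassified entries, scanner indicator."""
    counts = Counter(tag for r in results for tag in r["tags"])
    unclassified = [r["username"] for r in results if not r["tags"]]
    scanner = bool(counts["scanner_marker"] or counts["scanner_test_host"])
    return {"tag_counts": counts, "unclassified": unclassified, "scanner_batch": scanner}


if __name__ == "__main__":
    results = triage(SAMPLE_USERNAMES)
    for r in results:
        print(f"{r['username']!r:75} {', '.join(r['tags']) or '-'}")
    summary = summarize(results)
    print("\ntag counts:", dict(summary["tag_counts"]))
    print("unclassified (review by hand):", summary["unclassified"])
    print("scanner-style batch:", summary["scanner_batch"])
```

The entries the table does not match (`gui74f5qd`, `index.php`) are listed rather than discarded, because anything created in the same window by the same path deserves the same review. The same pass is worth running over the other free-text columns of `mdl_user` (and over any table whose rows were inserted in that period), since a probe that could write a username could usually write other fields too.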