General developer forum

I've Been Hacked - How to Secure Moodle Login

joseph zabrosky

Hi, 

My course has been hacked into a couple times. I changed the password via my server database, but the hacker has wired my login page so the next time I log in he will get my password just like he did the last time. See attached. 

Thus, I don't want to login until I can secure the login. Any help is appreciated.

Thanks,

joseph


 
Average of ratings: -
James McLean (Core developers)
Re: I've Been Hacked - How to Secure Moodle Login

The message "this connection is not secure" is not placed by any malicious 3rd party.

It is intentionally displayed by the Firefox browser, because, well, the connection is not secure. Your username and password are transmitted in clear text across the internet to the server, and can be viewed in plain text. 

The details are outlined here: https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

If you're now concerned about the username/password being seen in transit, then the message has done its job, and you should migrate to a TLS connection.

 
Average of ratings: Useful (1)
joseph zabrosky
Re: I've Been Hacked - How to Secure Moodle Login

Hi James, Thanks for your response. My course has been hacked into by a former developer. I'm positive. I haven't been able to login after I have changed the password twice and I can see in admin that he has changed the password and put himself and his email address in charge of the site. joseph

 
Average of ratings: -
James McLean (Core developers)
Re: I've Been Hacked - How to Secure Moodle Login

How did you change the password previously? How can you see he changed the password? What do you mean "see in admin"?

You can change the admin password with the reset_password.php script on the server command line so that you don't have to login to moodle directly.

Also, I assume you're also choosing good passwords based on random uppercase and lowercase letters, numbers and symbols, not based on any dictionary word - and also not using passwords you may have used on other sites?


 
Average of ratings: -
joseph zabrosky
Re: I've Been Hacked - How to Secure Moodle Login

I changed the password previously by going into my server and into the database for the moodle course using the MD5 function and changing the Value, thus the password. After doing so and logging in successfully I saw that he made himself and his email the admin in my moodle site admin. This is when I knew he got in. 

Furthermore, a week later I tried logging in and couldn't do so. Hence, I knew he got in and changed it. In fact, when I went back to the database - mdl_user there was no admin any longer when there was an admin selection previously when I clicked on my course in the database. It was the second selection from the top as everything is in alphabetical order.

So, I know the password was changed because I couldn't log in, after I logged in successfully a week before.

'see in admin' - when I click on 'users' in moodle site admin I see he made himself site administrator with his email address as stated above.

Yes, the passwords are very random.


 
Average of ratings: -
James McLean (Core developers)
Re: I've Been Hacked - How to Secure Moodle Login

Did you test the login after you changed the password manually?

md5 hasn't been used as the password hashing algorithm in Moodle for many years. If you hashed your password manually then updated the database record for the admin user, this is likely the reason you're now locked out. 

What version of Moodle are you running?

 
Average of ratings: -
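An audit script, added here as an example and not code from the thread or from Moodle itself, for the kind of rows discussed above: it takes constructed sample rows standing in for mdl_user and the siteadmins entry in mdl_config, lists every site administrator, and flags any whose email is outside the trusted domains or whose stored password is not in the bcrypt format Moodle writes (a bare 32-hex-character value is a legacy MD5 hash). Column names follow Moodle; the sample values and the trusted-domain list are assumptions.

```python
import re

# Constructed sample rows standing in for SELECT id, username, email, password FROM mdl_user.
SAMPLE_USERS = [
    {"id": 2, "username": "admin", "email": "joseph@example.edu",
     "password": "$2y$10$" + "a" * 53},                      # bcrypt, as Moodle writes it
    {"id": 7, "username": "contractor", "email": "dev@example.net",
     "password": "5f4dcc3b5aa765d61d8327deb882cf99"},        # 32 hex chars: legacy MD5
    {"id": 9, "username": "teacher1", "email": "t1@example.edu",
     "password": "not cached"},                              # external auth, no local hash
]
# Constructed: Moodle keeps its site admins as comma-separated user ids in the
# 'siteadmins' row of mdl_config.
SAMPLE_SITEADMINS = "2,7"

def classify_hash(value):
    """Name the storage format of a mdl_user.password value."""
    if value == "not cached":
        return "external-auth"
    if re.fullmatch(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", value):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "legacy-md5"
    return "unknown"

def audit_admins(users, siteadmins, trusted_domains):
    """Return (username, reason) findings for every site admin that deserves a second look."""
    admin_ids = {int(x) for x in siteadmins.split(",") if x.strip()}
    findings = []
    for u in users:
        if u["id"] not in admin_ids:
            continue
        domain = u["email"].rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains:
            findings.append((u["username"], "admin email outside trusted domains: " + u["email"]))
        kind = classify_hash(u["password"])
        if kind != "bcrypt":
            findings.append((u["username"], "admin password stored as " + kind + ", not bcrypt"))
    return findings

if __name__ == "__main__":
    for username, reason in audit_admins(SAMPLE_USERS, SAMPLE_SITEADMINS, {"example.edu"}):
        print(username, "->", reason)
```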
joseph zabrosky
Re: I've Been Hacked - How to Secure Moodle Login

Sorry for the delay. It was about 1:30 am last night when we were communicating and I had to get to bed.

Yes, I tested the login and was able to login after I manually changed the password via the MD5 function in the database. During that login I updated the admin user by changing the name and the email address of the main admin user. I did this because the hacker changed it to his email address. This is one of the main reasons I know he hacked into it because I know his email address and it was the one used for the main admin user. I tried to delete it but there was no way to do so relative to my limited knowledge on the matter.

Additional to this, I added my username to site admin so that there were now two users for site admin. 

My version is 3.13 - i may be wrong on the last two numbers but it's 3. something.

Thanks for your help.



 
Average of ratings: -
Marcus Green (Core developers, Particularly helpful Moodlers, Plugin developers, Testers)
Re: I've Been Hacked - How to Secure Moodle Login

If you have been hacked by a former employee/developer the most likely route in is through them retaining a username/password, possibly directly to a database, e.g. through phpMyAdmin or similar tool. Although switching to https is a very good idea, the lack of encryption with http is unlikely to be how they got in. Most hacking does not depend on extensive technical knowledge but exploiting human habits in securing systems. It is really hard to secure against a person who has been a developer and so has a great deal of access.

In my view there should be a large supply of grand pianos/anvils available to drop on developers who compromise systems they have been trusted to work on.

It would be a very good idea to monitor the Moodle logs and the web server logs for unusual activity. On the plus side this is just a very good idea in general so you know what is happening on your system.


 
Average of ratings: Useful (3)
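Marcus's suggestion to watch the web server logs, as an added example that is not from the thread or from Moodle: a small detector over constructed Apache access-log lines that flags bursts of credential submissions to Moodle's /login/index.php and any /admin/ page fetched from an address that is not on the known-admin list. The addresses, timestamps, thresholds and the known-admin list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines, not real traffic. Moodle credentials are
# POSTed to /login/index.php and site administration pages live under /admin/.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:01:12:01 +0000] "POST /login/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:01:12:09 +0000] "POST /login/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:01:12:20 +0000] "POST /login/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:01:13:02 +0000] "POST /login/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:01:13:40 +0000] "GET /admin/user.php HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2019:09:00:10 +0000] "POST /login/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2019:09:00:25 +0000] "GET /admin/index.php HTTP/1.1" 200 22011 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2019:09:30:00 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return event

def detect(lines, known_admin_ips, max_posts=4, window_seconds=300):
    """Return (ip, kind) findings: login-submission bursts and admin pages from unknown IPs."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    posts = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].startswith("/login/index.php"):
            posts[e["ip"]].append(e["ts"])
    for ip, times in posts.items():
        times.sort()
        # Sliding window: max_posts submissions inside window_seconds counts as a burst.
        for i in range(len(times) - max_posts + 1):
            if (times[i + max_posts - 1] - times[i]).total_seconds() <= window_seconds:
                findings.append((ip, "login-burst"))
                break
    flagged = set()
    for e in events:
        if e["path"].startswith("/admin/") and e["ip"] not in known_admin_ips | flagged:
            flagged.add(e["ip"])
            findings.append((e["ip"], "admin-page-from-unknown-ip"))
    return findings
```

Run it as `detect(SAMPLE_LOG.splitlines(), {"198.51.100.20"})`; the same functions work on a real access log once the known-admin set is filled in.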
joseph zabrosky
Re: I've Been Hacked - How to Secure Moodle Login

How do I switch to https?

 
Average of ratings: -
Richard Oelmann (Core developers, Particularly helpful Moodlers, Plugin developers, Testers)
Re: I've Been Hacked - How to Secure Moodle Login

Agree with Marcus - if this is a former employee/developer, then he/she hasn't really needed to 'hack' anything. They are probably simply using existing authentications that have not been properly reset.

It would be nice to think of a level of professional trust - but cynically, that doesn't necessarily exist, and in some circumstances of 'former' employees, a complete reset of user passwords, right through to the basic server hard metal admin access needs to be reset (depending on what level of access they may have had, officially or unofficially, previously).

Any kind of user and password that they may have had access to, on any system, needs to be changed, including server access, ftp/ssh, database users, moodle (and other system) admins etc. But if they've had that level of access you will also need to go through carefully to make sure they haven't given another user (or even a new user role) the kind of permissions normally reserved for a site admin.

Also, if you suspect illegal access and activity, you may want to contact the police!


Richard

 
Average of ratings: -
joseph zabrosky
Re: I've Been Hacked - How to Secure Moodle Login

The developer has a vendetta against me. It's a long story. I hired him to do a job and he never finished, but wants to be paid. Before finishing he hacked into my fiver account and created PayPal transactions to the tune of 10 times the amount of the job I hired him for. It created a lot of work to stop the transactions. In terms of police, he lives in Indonesia thus I'm not sure there's anything I could do lawfully?

I changed all passwords and credentials on my server that he had access to. So I believe the only thing he had access to was my moodle course.

Thanks for your help.

 
Average of ratings: -
James McLean (Core developers)
Re: I've Been Hacked - How to Secure Moodle Login

Sounds like you should pay him for the work he actually completed. Yes, he's stepped over the line with all this - but if he's done some work for you in good faith, and you didn't pay him, then you are also stepping over the line.

I suggest you contact the developer and negotiate compensation for the work he completed.

 
Average of ratings: -
joseph zabrosky
Re: I've Been Hacked - How to Secure Moodle Login

I paid him in full for a job he didn't finish.

 
Average of ratings: -
Richard Oelmann (Core developers, Particularly helpful Moodlers, Plugin developers, Testers)
Re: I've Been Hacked - How to Secure Moodle Login

That message doesn't mean you've been hacked, it means you are using http and not https.

To improve your security on your site, get a certificate and switch your site to using https.

 
Average of ratings: Useful (1)
joseph zabrosky
Re: I've Been Hacked - How to Secure Moodle Login

Hi Richard, Thanks for your response. My course has been hacked into by a former developer. I'm positive. I haven't been able to login after I have changed the password twice and I can see in admin that he has changed the password and put himself and his email address in charge of the site. joseph

 
Average of ratings: -