Hello,
I think we were hacked this Friday, April 27, users have complained about not being able to connect to Moodle. After
checking the moodle logs, I found that a user with the same IP address changed
the passwords of several users as if he logged in with their own
account and changed their password. I would like to know how did this happen and how should I fix this problem?
I posted the same problem in the french forum
thank you in advance for your help
Moodle version is?
Operating system is? Makes a difference in what I could share to block that IP address IF linux ... and you have command line ssh access as root user.
Versions of PHP/MySQL/Apache?
Think it might be wise of you to put the site in the maintainence mode until you have time to investigate.
Turn off things like web services.
IP adddress appears to be from gorcomnet.ru and a Windows machine - nmap scan of that IP. What does an nmap scan of that IP from your location show?
Search your apache/web service logs for that IP address. If linux, CentOS, example:
fgrep '81.200.22.136' /var/log/httpd/*
Search your DB mdl_user table for lastip that's the same to see what Moodle user that
might be:
mysql> select username,lastip from mdl_user where lastip like '81.200.22.136';
Is the user an admin level user?
'spirit of sharing', Ken
In addition, that IP address appears to be an 'elite proxy'.
Still think I'd block it ... as far out as I could ... (boundary router).
If there are other admin level users on your system, you might inquire if they were using a proxy.
'spirit of sharing',Ken
Thank you for the reply
the IP address is already blocked
I have never enabled web services
unfortunately I can't do all the checks now because I don't have access to the server from home, I'll do it tomorrow
Sounds like you have linux. So one more suggestion ... copy all the httpd logs out to an archive directory for inspection ... and any other logs for any service for which there is outside the server access. Whoever/whatever could have been poking and probing a long time and waited until a weekend to do their nasty deed - when they thought nobody would be watching/using/notice.
You didn't mention what authentication ... assuming manual accounts where users are granted permissions to change their own password but other means of authentciations can be set to allow users the ability to change their password.
If server is hosted with a hosting company, might also check with them about 'noisy neighbors' possibility ... it, your server has an internal to hosting network a private IP address ... which is used by hosting provider technical folks to support you or monitor your server. From the date and time stamp in moodle logs (what you shared) looks to be something scripted ... obviously a human can't possibly change passwords of several users in the same minute.
Have all the most recent updates to your server? One of the major reasons for server breaches and other such is simply admin didn't fix/patch OS as they should have. If that's you ... shame on you!
Good luck!
'spirit of sharing', Ken
I have run the following sql command on the table as you suggested to me :
"select username,lastip from mdl_user where lastip like '81.200.22.135';"
the result is what is displayed on the image bellow:
yes, we have debian and we create the accounts manualy, and all users can modify their password
it seems like this hacker used this IP address to connect to all these accounts (almost 3000 accounts), then he changed their passwords, I just want to clarify one thing, the affected accounts are the accounts of the first year students who haven't changed their default password, as we hadn't required them to do it. In my opinion, this is a person who knows the default usernames and passwords of these students.
the only log file where i found the date of April 27, 2018 is the file error.log.1 and no trace of this IP address inside it, I did not find this address anywhere. Does this mean this person did not access the server?
I am also interested to know how he proceeded. In the first screenshot that I posted in the tab "Origin" it is indicated "Web" so, this person could have done that through the web and not by accessing the server, right?
"the affected accounts are the accounts of the first year students who haven't changed their default password"
Well., that would certainly allow anyone who had that knowledge to use the 'web' (which, according to Moodle logs) means remotely accessed the server via web browser. In looking at the date/time, I'd say it was some script. Don't think a human can access accounts and change passwords that quickly.
If your access logs record browser info those references might give you more insight into what was used ... lynx/elinks other command line browsers can be scripted for example. But since that IP appears to be a proxy you might never really know.
You might look into settings for how long an account should remain in 'never accessed' nor 'not modified' state in the future.
Plugins *like*: https://moodle.org/plugins/auth_emailadmin might be of use.
So all in all, site wasn't really 'hacked' but someone did take advantage of what was allowed. That's good news ... in a way.
'spirit of sharing', Ken
I hope so, I will check if we have this kind of info in the logs
In the moodle logs for the day of April 27, 2018 I found lines like these: (I modified the image so that the student's real name doesn't appear
and I also found about 4 lines like this but without the same IP address:
what do you think of that
When the Moodle was first installed, user ID 0 was set up for 'guest' user and was a manual account automatically setup. It should remain manual and the password should not be changed ... even if you do not allow guest access to the Moodle.
Your log reference that shows user ID 0 (guest with no password) changed a password indicates to me some admin level user has been playing around with users.
User ID 1 was the person who installed (assuming it was installed by a human). Default username for the account was admin. That account should remain manual. It was also set as the 'primary' admin Moodle user.
Some installers (human or script) change the default 'admin' username to something other ... many not really understanding it's purpose actually change the admin user name to what they want as a username ... like Bob Jones Installed it ... bjones.
Check the permissions/abilities on all roles. Yes, that's a lot. But if they got in and changed passwords they could have easily messed with roles.
While it might break things, you might have to reset roles to their defaults and work on whatever tweaks you might have done there again.
'spirit of sharing', Ken
