Moodle db server hacked

by manoj joseph -
Number of replies: 3

My Moodle database server was hacked. I keep the webserver and db server on different machines. My db server was hacked and is showing the message below:

All the data lost.

To recover your lost databases and avoid leaking it: visit http://hn4wg4o6s5nc7763.onion and enter your unique token 7fda976218461f7e and pay the required amount of Bitcoin to get it back. Databases that we have: webdata, moodledb. Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise. To access this site you have use the tor browser https://www.torproject.org/projects/torbrowser.html

Is there any tool for checking such a vulnerability?

In reply to manoj joseph

Re: Moodle db server hacked

by Thorsten Bartel -
It is very, very hard to answer your question as nobody can say for sure which vulnerability has been exploited to gain access to your database server.

Was SSH access via password for root / a sudo user enabled? (Should allow only via PublicKey.)
Was SSH access allowed via iptables from everywhere? (Should allow only specific hosts.)

Which database server did you use? In case of MySQL / MariaDB:
Was there a "root" user with access to all databases that was not bound to 'localhost'?
Was access to the database server on the port it is listening on (default 3306) restricted to the hosts using the database (i.e. the Moodle server)? (Again, check iptables.)
Were there any unencrypted dumps of your databases stored on your system?

Finally, you should ask yourself:
1) Do you have any backups (mysqldump) from which to restore your Moodle? You would obviously want to do this on a better secured system.
2) How sensitive is the personal data that has been stolen? You should definitely contact authorities and notify your users about this security breach!
3) This is more of a security related issue rather than specific to Moodle - you might want to get input from other, more specialized communities.

Cheers and keep your head up
Thorsten
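The checks in the reply above can be run without guessing, since each of them is answered by one listing on the server (sshd_config, the mysql.user table, iptables-save). The script below is an added example, not part of the thread and not anything the poster ran: each function reads one such listing on stdin and prints the entries that fail the check, so empty output means that check is clean. The sample inputs at the bottom are constructed, and the addresses 192.0.2.10 (web server) and 198.51.100.5 (admin host) are assumptions.

```shell
#!/bin/sh
# Added example: offline checks for the points raised in the reply above.
# Each function reads a listing on stdin and prints only the offending
# entries. All sample data below is constructed, not a real server's.

# sshd applies the FIRST occurrence of a directive, and the compiled-in
# default for PasswordAuthentication is "yes", so a config that never sets
# it still allows password logins. Prints "yes" or "no". Match blocks are
# not evaluated (assumption: no per-user overrides in your sshd_config).
ssh_password_auth() {
    awk 'tolower($1) == "passwordauthentication" && !seen { print tolower($2); seen = 1 }
         END { if (!seen) print "yes" }'
}

# Accounts that may connect over the network, read from the output of
#   mysql -N -e "SELECT User, Host FROM mysql.user"
# (tab-separated, no header). With an argument, only that user name is
# considered, e.g. "root": a root@% row is exactly the case warned about.
db_remote_accounts() {
    awk -F '\t' -v want="${1:-}" '
        (want == "" || $1 == want) &&
        $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" { print $1 "@" $2 }'
}

# ACCEPT rules for the DB port that carry no source (-s) restriction, read
# from the output of iptables-save. Any line printed means the port is open
# to every host that can route to the server.
db_port_open_to_all() {
    port="${1:-3306}"
    grep -E -- "--dport ${port}( |$)" | grep -E -- '-j ACCEPT' \
        | grep -Ev -- ' -s [0-9A-Fa-f.:/]+' || true
}

# Default policy of the INPUT chain from iptables-save. ACCEPT means every
# port without an explicit rule (phpMyAdmin on 80, for instance) is reachable.
input_policy() {
    awk '$1 == ":INPUT" { print $2 }'
}

# --- constructed samples -------------------------------------------------
SSHD_WEAK='PermitRootLogin yes
PasswordAuthentication yes'
SSHD_HARDENED='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

USERS_WEAK="$(printf 'root\t%%\nmoodleuser\t%%\nroot\tlocalhost')"
# 192.0.2.10 stands in for the separate Moodle web server (assumed address).
USERS_HARDENED="$(printf 'root\tlocalhost\nmoodleuser\t192.0.2.10')"

FW_WEAK=':INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
FW_HARDENED=':INPUT DROP [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 198.51.100.5/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# One-line summary per configuration set. On a real server feed the live
# listings instead of the samples:
#   ssh_password_auth < /etc/ssh/sshd_config
#   mysql -N -e "SELECT User, Host FROM mysql.user" | db_remote_accounts root
#   iptables-save | db_port_open_to_all 3306
report() {   # report LABEL SSHD_CONFIG USER_LISTING IPTABLES_SAVE
    echo "$1: ssh passwords=$(printf '%s\n' "$2" | ssh_password_auth)" \
         "remote root=[$(printf '%s\n' "$3" | db_remote_accounts root | tr '\n' ' ')]" \
         "unrestricted 3306 rules=$(printf '%s\n' "$4" | db_port_open_to_all | grep -c .)" \
         "INPUT policy=$(printf '%s\n' "$4" | input_policy)"
}

report weak     "$SSHD_WEAK"     "$USERS_WEAK"     "$FW_WEAK"
report hardened "$SSHD_HARDENED" "$USERS_HARDENED" "$FW_HARDENED"
```

Note that `db_remote_accounts` with no user argument also lists the web server's own account (moodleuser@192.0.2.10 in the hardened sample); that entry is expected when the web and database servers are separate machines, so review the list rather than treating every line as a finding.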
In reply to Thorsten Bartel

Re: Moodle db server hacked

by manoj joseph -
Thank you, Mr Thorsten Bartel.

I had a backup and I implemented all the possible security features. Now it seems fine. Now I am allowing only port 3306 to the db. My db was MariaDB. Earlier I had installed phpMyAdmin and port 80 was open. That may be the way the attack came in. Now I have removed all such things.
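What "allowing only port 3306 to the db" looks like in practice, as an added example that is not the poster's own configuration: a generated iptables ruleset for a stand-alone MariaDB host that admits 3306 only from the web server and SSH only from an admin host, plus the matching database account bound to the web server's address. The addresses 192.0.2.10 (web server) and 198.51.100.5 (admin workstation), the database name moodledb and the account name moodleuser are assumptions, and the privilege list is a typical one for a Moodle database account (check the installation docs for your version).

```shell
#!/bin/sh
# Added example (assumed addresses and names, see comments): a default-deny
# firewall for a separate MariaDB host. Nothing listed here is accepted, so
# a phpMyAdmin on port 80 would simply be unreachable from outside.
#   192.0.2.10   the Moodle web server, the only host allowed to reach 3306
#   198.51.100.5 the admin workstation, the only host allowed to reach SSH

# Refuse anything that is not an IPv4 address with an optional /prefix, so
# a typo or an empty variable cannot turn "-s $web" into "from anywhere".
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Prints a complete ruleset for iptables-restore: INPUT defaults to DROP,
# loopback and established traffic are allowed, SSH only from the admin
# host, MariaDB only from the web server, nothing else.
db_firewall_rules() {
    web="$1"
    admin="$2"
    valid_ipv4 "$web"   || { echo "bad web server address: '$web'" >&2; return 1; }
    valid_ipv4 "$admin" || { echo "bad admin address: '$admin'" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${admin} -p tcp --dport 22 -j ACCEPT
-A INPUT -s ${web} -p tcp --dport 3306 -j ACCEPT
COMMIT
EOF
}

# The database side: the application account exists only for the web
# server's address, so a leaked password is useless from any other host.
# Privilege list is a typical Moodle set (assumption); 'CHANGE-ME' is a
# placeholder password.
moodle_grant_sql() {
    web="$1"
    db="${2:-moodledb}"
    valid_ipv4 "$web" || return 1
    web="${web%%/*}"   # account hosts take a plain address, not a /prefix
    cat <<EOF
CREATE USER 'moodleuser'@'${web}' IDENTIFIED BY 'CHANGE-ME';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, CREATE TEMPORARY TABLES, DROP, INDEX, ALTER ON ${db}.* TO 'moodleuser'@'${web}';
EOF
}

# Demo: print both artifacts. To apply them on the DB host:
#   db_firewall_rules 192.0.2.10 198.51.100.5 | iptables-restore
#   moodle_grant_sql 192.0.2.10 moodledb | mysql
# then persist the rules with your distribution's tool (e.g.
# netfilter-persistent) and set bind-address in the MariaDB config to the
# DB host's own address rather than 0.0.0.0.
db_firewall_rules 192.0.2.10 198.51.100.5
moodle_grant_sql 192.0.2.10 moodledb
```

The rules are generated rather than typed so that the only two variable parts (the two source addresses) are validated before they reach iptables; an empty or malformed address fails the run instead of silently producing a rule with no source restriction.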
In reply to manoj joseph

Re: Moodle db server hacked

by Krys Learn -

Hi,

Sorry you experienced this! 

I'm new on the Moodle owner side. Could you please give me some details on the different steps you took to secure Moodle?

How do you allow only one port? Where do you configure it (on the DB, on the server, in Moodle)?

Thanks for your help!

Krys