Contact Site Support - Ransomware Threat

by Deryck Walker -
Number of replies: 9

Hi Everyone

I run a small business (sole trader) using MoodleCloud.

This morning I received my first ransomware threat. After investigating, it looks like it is a fishing expedition, and there is no sign of access having been gained to my MoodleCloud site (I checked the activity logs, and the only activity is my own log-in today).

It appears the ransomdouchebags have simply navigated to my site's "contact site support" area, where you can fill out a form to contact the site administrator:

/user/contactsitesupport.php

They have filled in the form with the threatening email. My initial reaction was laughter, as the threatening email is so poorly written. See below. 




I guess I have two questions:
1) Has anyone else had this happen?
2) Does MoodleCloud log all admin activity? This is the best way I know to confirm whether they have actually been in my MoodleCloud site, and I cannot see any sign of any user activity (including under my name).

In reply to Deryck Walker

Re: Contact Site Support - Ransomware Threat

by Ken Task -

This is both a matter of Security *and* a Moodle Cloud matter ... which has its own forum:

https://moodle.org/mod/forum/view.php?id=8277

However, you might want to clarify if your Moodle Cloud site actually functions ... any errors? (might not provide those here in public forums if there are.  Might have to submit such things via another channel.) 

Could be a 'phishing' exploratory kinda thing attempting to get you, the admin of your site, to do something you shouldn't!

Let's hope it's the latter!

'SoS', Ken


In reply to Ken Task

Re: Contact Site Support - Ransomware Threat

by Deryck Walker -
Thanks Ken, agree, it smelt very phishy to me.

No errors I can find, and nothing shown in logs outside of my own login and activity after I received the message. 

I'm hoping I can disable the whole "contact site support" link, as I have no need for it (my clients all have my direct contact if they need help). This link just gives phishers something to target on every single MoodleCloud site: all they need to do is google "contact site support" with the Moodle site URL and it takes you straight there.
In reply to Deryck Walker

Re: Contact Site Support - Ransomware Threat

by Deryck Walker -
Quick update - Simply adding a backslash to the area below disables the "contact support" form for external parties. If you don't do this, and someone googles " *yourmoodleurl* + support contact ", it will land them on a contact form page which allows phishers to submit messages direct to admin.


In reply to Deryck Walker

Re: Contact Site Support - Ransomware Threat

by Ken Task -

Glad you found a 'work-around', but would encourage you to contact MoodleCloud technical support and report. If not for you, for others who host on MoodleCloud.

I can also now add my 2 cents ...

Checking web server access logs for the access to that php script would have shown the IP address the request came from. Doing a whois on that IP would probably show the network it belongs to and the CIDR of that network. Using the operating system's firewall (not the WAF) one could send all traffic from that CIDR to a drop zone ... meaning, your server is no longer seen by any IP address in that CIDR range.

To double check that the IP is not a user on your system just messing with things [5th graders can bring a server to its knees - all in good fun!], a query of the moodle DB table mdl_user for the last IP of all users should provide some info.

If the IP is one recorded by one of your users, then you have yet another problem ... but in that case, I'd block the single IP ... and wait for them to contact you so you can 'discuss' (in a 'politically correct manner')!

Either 'block' can be removed from the drop zone ... so it's not permanent.

Anyhoo ... my 2 cents!

Again ... encourage contacting MoodleCloud Tech Support!

'SoS', Ken


Average of ratings: Useful (1)
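The log-and-lookup procedure Ken describes above, as an added example (this is not code from the thread, from Moodle or from MoodleCloud): it parses a few constructed web server access log lines for POSTs to /user/contactsitesupport.php, checks each source IP against a constructed stand-in for the lastip column of mdl_user, and emits the OS-firewall drop rules. The /24 used for stranger IPs is a placeholder for whatever CIDR whois actually reports, and the iptables rules only make sense on a self-hosted Moodle where you control the host firewall (not on MoodleCloud, as the next reply points out).

```python
import ipaddress
import re
from collections import Counter

# Constructed access log lines in Apache/nginx "combined" format (not real
# traffic). Only POSTs to the contact-site-support form are of interest.
ACCESS_LOG = """\
203.0.113.7 - - [10/Apr/2023:09:12:01 +1000] "GET /login/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2023:09:14:37 +1000] "GET /user/contactsitesupport.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2023:09:15:02 +1000] "POST /user/contactsitesupport.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.24 - - [10/Apr/2023:09:16:40 +1000] "POST /user/contactsitesupport.php HTTP/1.1" 303 0 "-" "python-requests/2.28"
192.0.2.55 - - [10/Apr/2023:09:18:05 +1000] "POST /user/contactsitesupport.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2023:09:20:11 +1000] "GET /my/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Constructed stand-in for the result of
#   SELECT username, lastip FROM mdl_user WHERE deleted = 0;
USER_LASTIP = {"admin": "203.0.113.7", "student1": "192.0.2.55"}

FORM_PATH = "/user/contactsitesupport.php"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def contact_form_submitters(log_text):
    """Count, per client IP, the POSTs that actually submitted the support
    form. GETs only render the form, so they are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == FORM_PATH:
            hits[m["ip"]] += 1
    return hits


def classify(hits, user_lastip):
    """Map each submitter IP to the username whose lastip it matches,
    or None if no account has ever logged in from it (a stranger)."""
    ip_to_user = {ip: user for user, ip in user_lastip.items()}
    return {ip: ip_to_user.get(ip) for ip in hits}


def block_plan(classified, stranger_prefix=24):
    """Strangers get their whole network dropped; an IP tied to a real account
    gets a single-host block so the matter can be discussed with that user.
    stranger_prefix is an assumed placeholder for the CIDR that whois reports."""
    nets = []
    for ip, user in classified.items():
        prefix = 32 if user else stranger_prefix
        nets.append(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    # collapse_addresses merges overlapping networks and returns them sorted.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def firewall_rules(networks):
    """OS-level (not WAF) drop rules; the same rule with -D instead of -I
    lifts the block again, so nothing here is permanent."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in networks]


if __name__ == "__main__":
    hits = contact_form_submitters(ACCESS_LOG)
    classified = classify(hits, USER_LASTIP)
    for ip, user in classified.items():
        print(f"{ip}: {hits[ip]} submission(s), account={user or 'none (stranger)'}")
    for rule in firewall_rules(block_plan(classified)):
        print(rule)
```

Both 198.51.100.x submitters are strangers and collapse into one /24 drop rule; 192.0.2.55 matches student1's lastip and gets a single-host block instead, which is the "you have yet another problem" branch.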
In reply to Ken Task

Re: Contact Site Support - Ransomware Threat

by Deryck Walker -
Thanks Ken, you are a guru.

I will try to work out how to do what you have mentioned here, and I have also logged a case seeking moodle to shut the door on this to protect other users.
In reply to Deryck Walker

Re: Contact Site Support - Ransomware Threat

by Ken Task -

Sorry, but you don't have the access level necessary to do what I described on a moodlecloud setup.

But will mention another thing you should be able to do ... IF you are using the gmail.com account in your profile on the server where this occurred, you still have that message in your inbox.

If so, look at the full header ... in Google that's 'Show Original'. That will pop up in a new tab where you can see the header. Scroll down until you see the subject line and read the header from that line upwards. If it was coming from your Moodle you would see a line or two about the originating script on your server. Also read each 'Received by' line upwards ... those are the mail servers that message ran through to get to your inbox on Google.

Actually, I'd be kinda surprised that Google didn't send that message to your SPAM and when you open it to look, Google inserts a warning ... 'Looks suspicious blah' ... don't override.   Just look at the header.

You could copy and paste the header info out to a text file on your local computer and supply that to moodlecloud security folks for them to view/inspect/research.

Another 2 cents!

'SoS', Ken
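
Reading the headers the way Ken describes, as an added example (not code from the thread, from Moodle or from Google): the raw message below is constructed to look like what 'Show original' displays, with the Received lines newest-first, and the code lists the hops in transit order (bottom line first), pulls out the relay IPs, and looks for an originating-script header. The X-PHP-Originating-Script line is an assumption about what the hosting's PHP and MTA add; on a real message, whether any such header appears depends on that configuration.

```python
import email
import re

# Constructed raw message (not a real capture). Each relay prepends its own
# Received line, so the bottom one is the first hop and the top one is the
# last relay before Google. The X-PHP-Originating-Script header is assumed
# here as the "originating script" trace; it is only present if the sending
# host's PHP mail setup adds it.
RAW_MESSAGE = b"""\
Received: from mx.example-hoster.net (mx.example-hoster.net [203.0.113.10]) by mx.google.com with ESMTPS id k7si123 for <owner@example.com>; Mon, 10 Apr 2023 09:15:05 +1000
Received: from moodle-web-01.example-hoster.net (localhost [127.0.0.1]) by mx.example-hoster.net (Postfix) with ESMTP id 4F2A9; Mon, 10 Apr 2023 09:15:04 +1000
Received: by moodle-web-01.example-hoster.net (Postfix, from userid 48) id 1B7C2; Mon, 10 Apr 2023 09:15:04 +1000
X-PHP-Originating-Script: 48:contactsitesupport.php
From: "Moodle Site" <noreply@example.com>
To: owner@example.com
Subject: Contact site support: urgent
Content-Type: text/plain; charset=utf-8

Your files is encrypted, pay now or else.
"""

# Header names (lower-cased prefixes) that identify the sending script or
# mailer when a host adds them.
SCRIPT_HEADER_PREFIXES = ("x-php-originating-script", "x-originating-script", "x-mailer")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Received headers in transit order (first hop first); that is the
    reverse of their on-page order, which is what 'read upwards' means."""
    return [" ".join(v.split()) for v in reversed(msg.get_all("Received") or [])]


def relay_ips(hops):
    """Bracketed client IPs recorded by each relay, in transit order."""
    return [ip for hop in hops for ip in IP_RE.findall(hop)]


def script_headers(msg):
    """Headers naming the originating script or mailer, if any were added."""
    return [(name, value.strip()) for name, value in msg.items()
            if name.lower().startswith(SCRIPT_HEADER_PREFIXES)]


def analyze(raw):
    """Summarise the routing and origin evidence in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    hops = received_chain(msg)
    scripts = script_headers(msg)
    return {
        "subject": msg["Subject"],
        "from": msg["From"],
        "hops": hops,
        "relay_ips": relay_ips(hops),
        "script_headers": scripts,
        # True means the site's own mailer sent it, i.e. the contact form was
        # used rather than someone mailing the owner directly.
        "sent_by_site_script": any("contactsitesupport" in v for _, v in scripts),
    }


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    print("Subject:", report["subject"])
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop}")
    print("relay IPs:", report["relay_ips"])
    print("script headers:", report["script_headers"])
    print("sent by site script:", report["sent_by_site_script"])
```

The report dict (or the raw header text it was built from) is what you would paste into a text file and hand to the MoodleCloud security people; the first hop and its script header are the lines that tell them whether the mail really left the site's own web host.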


In reply to Deryck Walker

Re: Contact Site Support - Ransomware Threat

by Deryck Walker -
Brief update:


Average of ratings: Useful (2)
In reply to Deryck Walker

Re: Contact Site Support - Ransomware Threat

by Ken Task -

Good to hear MoodleCloud is involved and fixing, but .... I'd still get the header information on both a phishing attempt AND a message that is 'normal' as well!

'SoS', Ken


In reply to Ken Task

Re: Contact Site Support - Ransomware Threat

by Deryck Walker -
Just thought I'd close this one out. Moodle has updated so external parties do not have the ability to directly contact the site owner, so closing a door on potential scammers/phishers.

See below.