Is alfasc2.php a legitimate Moodle PHP script or is it a sign of ALFA TeAM infection?

by Jim Ashton -
Number of replies: 2

I found a file in my Moodle directory called alfasc2.php

Is this a legitimate Moodle script?

In reply to Jim Ashton

Re: Is alfasc2.php a legitimate Moodle PHP script or is it a sign of ALFA TeAM infection?

by Ken Task -

In a git-acquired core code of 4.5.1+ pulled just a few minutes ago, there is no file by that name in core code.
find ./ -name alfasc2.php
returns nothing.

Suggest opening the file with a true ascii editor and look at the header.

There is a shell php app with similar name.

Suggest acquiring the same version of Moodle you have via git into another directory. Copy from old code to new code config.php and any additional themes/plugins you have.

Got clamav installed? Might want to clamscan the additional themes/plugin directories you have installed before assuming they are clean and free of any malicious code.

If you do find such files, consider investigating server logs to see if there has been any breach of other areas of the server. Reduce the attack surface ... meaning no FTP, no setup for Moodle accepting email for content, etc.

Also, who has access to the server?

No science to this ... just have to dig and poke around ... almost every where! :|

Platform and hosting do make a difference!

'SoS', Ken
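The procedure Ken describes above (clean checkout of the same version into a second directory, copy config.php and your own themes/plugins across, then see what is left over) can be scripted. The following is an added example, not code from the thread or from Moodle itself: it lists every file in the live tree that the clean tree does not contain, and separately flags PHP files that call eval(), base64_decode() or gzinflate(), which is a triage heuristic of my own (an assumption, not a rule from the post) for deciding which files to open in an editor first. The directory names, the demo_setup tree and its file contents are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Moodle core).
# Compare a deployed Moodle web root against a clean git checkout of the
# same version and report files that core does not ship. Run it AFTER
# copying config.php and your own themes/plugins into the clean checkout,
# so that those do not show up as noise.

# find_extra_files CLEAN LIVE
# Prints paths (relative to LIVE, as "./path") present in LIVE but not in CLEAN.
find_extra_files() {
    clean_dir="$1"
    live_dir="$2"
    clean_list=$(mktemp)
    live_list=$(mktemp)
    ( cd "$clean_dir" && find . -type f | sort ) > "$clean_list"
    ( cd "$live_dir"  && find . -type f | sort ) > "$live_list"
    # comm -13: suppress lines unique to file 1 and lines common to both,
    # leaving only lines unique to file 2 (the live tree).
    comm -13 "$clean_list" "$live_list"
    rm -f "$clean_list" "$live_list"
}

# flag_suspicious_php DIR
# Heuristic (my assumption, not a statement from the thread): PHP files that
# call eval(), base64_decode() or gzinflate() are the ones to open in a plain
# text editor first, as Ken suggests, before deciding whether they are benign.
# Legitimate code uses these too, so this is a prioritisation aid, not a verdict.
flag_suspicious_php() {
    scan_dir="$1"
    grep -rlE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(' \
        --include='*.php' "$scan_dir" 2>/dev/null | sort
}

# demo_setup
# Builds a constructed pair of trees under a temp dir and prints its path:
#   clean/lib/setup.php           shipped by "core" (present in both trees)
#   live/theme/custom/config.php  an extra file that happens to be benign
#   live/lib/unexpected.php       an extra file using eval(base64_decode())
demo_setup() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/clean/lib" "$demo_root/live/lib" "$demo_root/live/theme/custom"
    printf '<?php // constructed stand-in for a core file\n' > "$demo_root/clean/lib/setup.php"
    cp "$demo_root/clean/lib/setup.php" "$demo_root/live/lib/setup.php"
    printf '<?php // constructed stand-in for a site-specific theme file\n' \
        > "$demo_root/live/theme/custom/config.php"
    printf '<?php eval(base64_decode("constructed-placeholder"));\n' \
        > "$demo_root/live/lib/unexpected.php"
    echo "$demo_root"
}

# Usage on a real server (paths are assumptions):
#   find_extra_files /srv/moodle-clean /var/www/moodle
#   flag_suspicious_php /var/www/moodle
# Self-contained demonstration on the constructed trees:
main() {
    root=$(demo_setup)
    echo "Files in live tree not present in clean tree:"
    find_extra_files "$root/clean" "$root/live"
    echo "PHP files matching the obfuscation heuristic:"
    flag_suspicious_php "$root/live"
    rm -rf "$root"
}
main
```

Anything this lists still needs the manual look Ken recommends; the point of the diff is only to shrink "almost everywhere" down to a short list of candidates, and a clamscan -r over the same extra-file list is a cheap second opinion before trusting a theme or plugin directory.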

In reply to Ken Task

Re: Is alfasc2.php a legitimate Moodle PHP script or is it a sign of ALFA TeAM infection?

by Jim Ashton -

Thanks for the tips Ken.

I've started digging.