How to secure Moodle website from being hacked

by K.James Mathai -
Number of replies: 6

I have created a website using Moodle and hosted it on a web server, but one fine morning I found it hacked. The site's index.php file was overwritten by:

pwned By Mor-r0ver + Wizardz at email com +
gr33tz to aLL friendZ

I find the above message when I visit the site. How can I reactivate the site without losing the content and database connectivity?

I also found that a number of websites using LAMP technologies are now being hacked. Searching for the above message through Google or another search engine will display different sites.

Any solution to protect the site?

Thanks

In reply to K.James Mathai

Re: How to secure Moodle website from hacking

by Marcus Green -
I assume from your mention of LAMP that you are running on Linux. Are you hosting yourself or have you got an ISP to do it for you? Two ways of breaking into remote systems are passwords left unchanged or easily guessable, or software flaws, e.g. in MySQL or the underlying operating system.

Security is very much a "from the ground up" issue. It's unlikely that the source of your problem is the actual Moodle code, as the Moodle folk take security very seriously and it is not a big target, so fewer people are trying to compromise it. Why target Moodle when, if you can break into the web server, OS or scripting language, you can take over Moodle from there?

The chances are that the hackers just put up the boast notice and did not actually change the data underneath. There is a good chance that they know almost nothing about Moodle itself, just the significance of an index.php file.

Marcus
In reply to Marcus Green

Re: How to secure Moodle website from hacking

by K.James Mathai -

Ya! My site is running on Linux and hosted through an ISP. I do not say the hackers might have targeted Moodle, but somehow they managed to intrude and change the index.php file. The hackers might have rooted through the OS. I do not know for sure. All I want to know is how to set my site right, and a way to make sure that hackers do not change index.php again.

If you search the internet, you will find many other targeted sites. I believe index.php is the file that is being targeted.

thanks

In reply to K.James Mathai

Re: How to secure Moodle website from hacking

by Marcus Green -
A good place to start might be to get hold of the log files to try to see where they came in from. A typical place to find this is /home/youraccountname/logs, with the most current log possibly being called access_log. If you have shell access (command line) there is a Unix command called tail, and that will show you the end of the file instead of loading a huge file up in an editor. If you don't have shell access then you might be able to download the log via FTP and browse through it locally.
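
The log review suggested in the post above, as an added example that is not part of the original thread: it parses access_log lines (Apache common/combined format is an assumption) and lists write-type requests that were not rejected in the hours before the defaced index.php was modified. The sample lines, addresses, paths and timestamp are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed format: Apache common/combined access_log (check the host's LogFormat).
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
WRITE_METHODS = {"POST", "PUT", "DELETE"}  # methods that can change server state

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def triage(lines, defaced_at, window_hours=2):
    """Group non-rejected write-type requests seen in the window before
    defaced_at (e.g. the mtime of the overwritten index.php) by client IP."""
    start = defaced_at - timedelta(hours=window_hours)
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or not (start <= rec["ts"] <= defaced_at):
            continue
        if rec["method"] in WRITE_METHODS and rec["status"] < 400:
            hits[rec["ip"]].append((rec["ts"].isoformat(), rec["method"], rec["path"]))
    return dict(hits)

# Constructed sample data: documentation IP ranges, hypothetical paths and times.
DEFACED_AT = datetime(2024, 3, 12, 4, 0, tzinfo=timezone.utc)
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2024:03:10:01 +0000] "GET /moodle/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2024:00:15:40 +0000] "POST /example/form.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [12/Mar/2024:03:41:17 +0000] "POST /example/form.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [12/Mar/2024:03:42:02 +0000] "PUT /example/index.php HTTP/1.1" 201 0',
    '203.0.113.5 - - [12/Mar/2024:03:50:09 +0000] "POST /example/form.php HTTP/1.1" 403 199',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, reqs in triage(SAMPLE, DEFACED_AT).items():
        print(ip, len(reqs), "write request(s) before defacement:")
        for ts, method, path in reqs:
            print("   ", ts, method, path)
```

A web access log only covers HTTP requests; a file changed over FTP or from a shell login will not appear in it, so an empty result here does not rule out an intrusion.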


In reply to K.James Mathai

Re: How to secure Moodle website from hacking

by Robert Gulledge -
Rename your bad index.php as index.old and then run admin.php to recreate index.php
Average of ratings: Useful (1)
In reply to K.James Mathai

Re: How to secure Moodle website from hacking

by Petr Skoda -
Hello,

There is no guaranteed way to recover a site from an attack, I am afraid.

If your site was not hacked through Moodle and no database changes were done, then deleting all files from your web hosting account and uploading a fresh CVS nightly/weekly should help.

If you have a full database dump from before the accident, you should restore it. If you are running your own server, a full OS reinstall is sometimes recommended too.

In any case, taking a snapshot of the database and all files is highly recommended, otherwise there is no way to investigate the incident later.

Petr