Help: Problems with hackers


by Francesc Pedró -
Number of replies: 12
Our Moodle site has been hacked today (see attachment). It seems that all databases have been erased, so Moodle cannot find them and run accordingly.
Is there anything we could do to retrieve them?
Any help would be welcome.

For a glimpse of the problem visit: http://cjs072.upf.es/moodle
Attachment hack.jpg
In reply to Francesc Pedró

Re: Help: Problems with hackers

by Riaan Bredenkamp -
Are you sure it is crackers who led to this problem? You can get the same error message if you have changed the database (either the moodle user, the name of the moodle database, or the permissions of the moodle user).
Also make sure that your database is running; if it is not, Moodle would give the same error.
If it is crackers that got into your site, you would have to use backups to recreate your site. It is important to make sure that you protect the password of the root user in MySQL. Also make sure that only the root and moodle users have drop, modify and access permissions on the moodle database -- do not give this password to anybody. Also check the permissions on your moodle directory!

Not much help, I know, but I have a feeling that it is a problem with MySQL. I do not think that you have been cracked (hackers are guru Unix/Linux/GNU/BSD/php/etc/etc/etc developers). Crackers tend to deface a site rather than destroy it. How else would they be able to claim fame from their deeds?

Riaan
In reply to Riaan Bredenkamp

Re: Help: Problems with hackers

by Riaan Bredenkamp -
<sheepish> Ok, so maybe your site has been cracked. I did not see the image included in your mail --- I thought it may be your signature. --
</sheepish>

The best advice I can give you is to talk to the person administrating the webserver that you use to host your Moodle site. Ask him to restrict the permissions to your data directory and the moodle directory so that only the Apache daemon has access to the files in those directories.

Then also make sure that you keep your database password secure. Do not give it to anyone you do not trust completely.
I hope you get your site up and running very soon.

Riaan




In reply to Francesc Pedró

Re: Help: Problems with hackers

by Bryan Williams -
...and finally, if your database is set up with only the default user (root) without a password, make sure you correct this.
In reply to Francesc Pedró

Re: Help: Problems with hackers

by Thomas Robb -
Your site has everything visible for the world to see.

I entered http://cjs072.upf.es/ and was presented with the entire structure of your site including the moodle folder **and** phpMyAdmin!! I then entered phpMyAdmin without entering any password and could directly inspect the tables.

Now there is still a set of moodle tables there called "helene" but there is no longer one called 'moodle' or whatever you had named it.

To prevent this in the future, there are at least two things you must do:

1) password-protect your MySQL database
2) create a document called "index.html" at the highest level of your site so that the bare directory structure is not shown. The URL for this file would be:

http://cjs072.upf.es/index.html
In reply to Thomas Robb

Re: Help: Problems with hackers

by Herbert Keijers -
Francesc, Thomas is right ...
Even a trespasser could damage your site severely ..., no cracker needed.
In reply to Francesc Pedró

Re: Help: Problems with hackers

by David Le Blanc -

Francesc,

You can create an .htaccess file that you upload to your public or root web directory that will disable others from viewing any directory content. Here's the procedure:


Create the .htaccess

Warning: If you are using FrontPage to publish your site and have the FrontPage extension turned ON, turn it OFF. Leaving it turned ON might corrupt your FrontPage Extensions.  Use at your own risk. If you don't use FrontPage then you will be fine.

  1. Open Notepad (or equivalent software depending on your OS. If you are using Notepad, remember to disable Word Wrap before proceeding - Format menu) and paste the required text.
  2. You only need to type one line in this file to prevent others from listing your directory contents (note the space between the directive and the pattern):
    • IndexIgnore *
  3. Save the file as .htaccess (the .txt extension will be appended).

Uploading the .htaccess file

  1. Upload the .htaccess.txt file via FTP in ASCII mode and place it in the htdocs folder (or as requested by the tutorials).
  2. After uploading, (right-)click on this file (server copy) and choose Rename.
  3. Edit the file name so that it will be .htaccess (without the .txt extension).
  4. Now make sure to test the .htaccess.

Note: The same procedure applies to creating an .htpasswd file.
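The procedure above can be checked against a concrete file. What follows is an added example .htaccess for the web root, not David's file and not part of Moodle; it assumes the server's main config permits "AllowOverride Options Indexes" for that directory. It also shows the directive the procedure relies on written correctly: Apache needs a space between IndexIgnore and its pattern, and IndexIgnore only hides entries from a listing, whereas Options -Indexes stops Apache from generating a listing at all.

```apache
# Added example .htaccess for the web root (not from the original post).
# Assumes the server config grants "AllowOverride Options Indexes" here.

# Stop Apache from generating a directory listing when no index file exists.
# Without this, a request for a bare directory (e.g. http://host/) shows every
# file and folder, which is how the moodle folder and phpMyAdmin were exposed
# in this thread. With it, such a request gets "403 Forbidden" instead.
Options -Indexes

# Serve index.html or index.php instead of a listing when one is present,
# so the "create an index.html at the top level" advice also works.
DirectoryIndex index.html index.php

# Belt and braces: even where listings are still allowed, hide every entry.
# The space before the pattern is required; "IndexIgnore*" is rejected as an
# invalid command, and in .htaccess that surfaces as a 500 error for the whole
# directory.
IndexIgnore *
```

After uploading, request the bare directory URL in a browser: a 403 (or your index page) means the file is active; a full listing means AllowOverride is not permitting Options in that directory and the change belongs in httpd.conf instead.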


In reply to Francesc Pedró

Re: Help: Problems with hackers

by Floyd Collins -

Covers head >>>> closes eyes >>>> and asks: do you have a backup of your database? If so, you may be in luck; if not, then I don't know what you can do. Is the moodle database there at all? I mean, have you gone into the server and given the command SHOW DATABASES?

If it is gone totally, then you will have to rebuild from a backup or from scratch. Gee, this stinks. Why do some have to do this kind of thing? I have no idea; it truly does not show how great you are to hack a web server, yet some feel they need to do this kind of thing, I guess. At any rate, yes, you need something at your top level as already noted, and you need to turn off directory browsing. An .htaccess file will slow them down, but they still can get around that if they really want your moodle site. At any rate, let me know if I can help in any way.

In reply to Floyd Collins

Re: Help: Problems with hackers

by Andy Diament -
Made me think about security, especially outsiders getting to see moodle/config.php.

By making apache in my site display a directory listing, I have found that clicking on or 'saving target' for any .php file always interprets the php file, so protecting php code and passwords, which is some relief.

I assume this would break if php ever broke, like if you were re-installing the web server and messed up the php, as I have done!

Does anyone know:
  • How to guarantee that the directory listing is never shown to a user? Is having an index.html file enough? (I know that this is a single tick box in IIS; I can't find anything so global in Apache.)
  • If there is any search software/site caching etc. that can be used to download unprocessed .php files
In reply to Andy Diament

Re: Help: Problems with hackers

by Patrik Nilsson -
Look two posts up in the discussion. Create a .htaccess file and you solve the problem. Or did I misunderstand your questions?
In reply to Andy Diament

Re: Help: Problems with hackers

by Zbigniew Fiedorowicz -
Another thing to beware of is that when you edit config.php on your server, the editor may create a backup of the original in the same directory. For example, if you edit it with emacs, emacs will create a backup file named config.php~ (with a tilde appended to the end). [In some exceptional circumstances emacs may also create another backup named something like #config.php#.] This may be accessible over the web as a text file via the URL http://yourmoodlesite/config.php~ and will contain the MySQL password for your moodle database. [Note: if you are careful with setting up permissions in MySQL to restrict access to the database only from the server machine, this will protect your database even if the password is compromised.]


In reply to Zbigniew Fiedorowicz

Re: Help: Problems with hackers

by Andy Diament -
I used the IndexIgnore Directive.

IndexIgnore* gave error message

IndexIgnore * worked

On apache .htaccess advice, I then placed it in httpd.conf, as, for example
<Directory "C:\wdrive\wwwrootapache">
IndexIgnore *
</Directory>

as I found that .htaccess files slow things down too much, and I have access to httpd.conf

and yes, my editor (Programmer's file editor) does create backups with $$$ extensions, so now I know.

Thanks for advice, Andy D


In reply to Andy Diament

Re: Help: Problems with hackers

by Floyd Collins -
In httpd.conf find
<Directory /usr/local/httpd/htdocs>
Options Indexes FollowSymLinks
</Directory>

Remove "Indexes"

Save
Restart web services
Test!

Hope this helps
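Bringing together Zbigniew's point about editor backups of config.php (config.php~, #config.php#), Andy's note that his editor writes $$$ files, and Floyd's httpd.conf Directory block, here is an added example httpd.conf fragment. It is not from any of the posts above and assumes the Moodle code lives under /var/www/moodle; the .bak, .orig and .swp patterns are common extras added here, not names from the thread.

```apache
# Added example httpd.conf fragment (not from the original posts).
# Assumes Moodle is installed in /var/www/moodle; adjust for your server.

<Directory "/var/www/moodle">
    # "Indexes" removed from Options, as in the post above: a request for a
    # directory with no index file now gets 403 instead of a file listing.
    Options FollowSymLinks
    # Settings live here, so per-directory .htaccess files are not consulted
    # (Andy's point that they cost a lookup on every request).
    AllowOverride None
</Directory>

# Refuse to serve editor leftovers anywhere on the server. Only *.php is run
# through PHP; config.php~ or config.php.$$$ is sent as plain text and hands
# out the database password.
#   name~      emacs/vi backup
#   #name#     emacs autosave
#   name.$$$   Programmer's File Editor backup (from Andy's post)
#   .bak/.orig/.swp  added here as common extras (assumption)
<FilesMatch "(~|\.(bak|orig|swp|\$\$\$))$|^#.*#$">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead.
    Order allow,deny
    Deny from all
</FilesMatch>
```

After restarting Apache, request http://yourmoodlesite/config.php~ in a browser: a 403 means the rule is active, while a page of PHP source means the pattern did not match the backup name your editor actually uses. Tidying the stray files out of the web root is still worth doing, since the rule protects only the names it knows about.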