Went into Moodle view source and I found (see attached) this between the normal code.
What the heck happened here?
yeah sorry hit submit too quickly
Yes, you have.
Anyway to remove this without reinstalling the site?
I'd recommend you restore the site from your latest backups (before it was hacked) both the site data & database.
Then upgrade Moodle to the latest stable version and ensure you have permissions set correctly on files/folders, including having the moodledata/ directory outside of the website root.
I think I found the offending file and it's now alright just running a few tests on it though.
Which version of Moodle are you/were you running?
1.7.1+ I think, haven't upgraded for some time as we have some custom code inserted throughout the moodle code base.
I'd recommend getting to grips with diff() tools like examdiff (pro is definitely worth the money) and if you can, Subversion or CVS to manage your code updates so you can roll back in case of problems.
May also be worth checking the guest account access, as I think some vunerabilities used this account.
Did you have your moodle with email-based self authentication? If so that's how they'll have got in. The later versions of Moodle -1.9 onwards -have this turned off by default - and if you absolutely DO need it then you can set certain allowed email addresses and banned ones (spammers tend to use hotmail/gmail etc) and/or captcha. But I agree with the above posters: you absolutely must upgrade - 1.7 is really old now - 1.8 is really old even! And just because you've got rid of some stuff off your front page doesn't mean there isn't stuff elsewhere on your Moodle.
Authenticates via internal imap box.
There are currently 1 users browsing this thread. (0 members and 1 guests)