Hacker intrusion on my site


#1

I recorded an intrusion on the site and discovered that some files had been added, such as “style.php” and “403.php”, and that lines of code had been added to a “config.php” file.

I’m using Moodle, and I also found some code in template files and in CSS.

The code added to the various files is as follows:

    <?@eval(@base64_decode("LyogZnVjayB5....
    $THEME->resources = base64_decode('Jm5ic3A7PGEgaHJlZ...
    <?php eval(stripslashes(base64_decode('ZWNobyBcJ096aW9HY
    $THEME->resources = base64_decode('Jm5ic3A7PGEgaHJlZj0iaHR0cDovL3d

I used the command ack-grep -w "base64_decode" | more to find the lines of code, generally in PHP files. Of course I changed all passwords and deleted all infected files.

Questions:

  1. Why did it happen? I do not think that my passwords have been stolen. :-(
  2. What should I do to prevent it happening again?

Thanks

#2

Give this a read:

Answers:

  1. I’d bet it’s an insecure PHP module, so start Googling for vulnerabilities in your version of Moodle and its plugins.
  2. Secure those vulnerabilities and turn off any services/modules you don’t need.
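Patching and pruning unneeded modules closes the entry point; to notice the next time files such as style.php or 403.php appear, or config.php grows extra lines, it also helps to baseline the deployment and diff it regularly. The following is an added example, not code from the thread or from Moodle: it records a SHA-256 for every file under the web root after the clean install and on later runs reports what was added, modified or removed. The excluded directory names, the paths and the sample files are assumptions constructed for the demonstration.

```python
"""Baseline the hashes of a web root and report what has changed since.

Added example, not code from the thread or from Moodle. Record a SHA-256
for every deployed file after the clean install, then list what was
added, modified or removed on later runs. Directory names and sample
content below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

# Directories that legitimately churn and would drown the report. These
# names are assumptions; adjust them to the application. (Moodle's data
# directory should live outside the web root anyway.)
EXCLUDE_DIRS = frozenset({"moodledata", "cache", "localcache", "sessions", "temp"})


def hash_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under root, pruning EXCLUDE_DIRS."""
    snap = {}
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = sorted(d for d in dirs if d not in EXCLUDE_DIRS)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = hash_file(path)
    return snap


def save_baseline(snap: Dict[str, str], path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each path as added, removed or modified relative to the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def write(root: str, rel: str, text: str, append: bool = False) -> None:
    """Helper for the demonstration: create or append to a file under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a" if append else "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed web root, replay the thread's footprint, and diff."""
    root = tempfile.mkdtemp(prefix="webroot_")
    # The baseline lives outside the web root on purpose (see the note below).
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="baseline_"), "baseline.json")

    # Clean deployment right after the upgrade.
    write(root, "config.php", "<?php\n$CFG->wwwroot = 'https://example.invalid';\n")
    write(root, "theme/standard/config.php", "<?php\n$THEME->name = 'standard';\n")
    write(root, "theme/standard/style.css", "body { margin: 0; }\n")
    write(root, "moodledata/cache/x.tmp", "churn\n")  # pruned, never in the baseline
    save_baseline(snapshot(root), baseline_file)

    # Later: two dropped files and a line appended to config.php, while a
    # cache file changes for legitimate reasons.
    write(root, "403.php", "<?php @eval(@base64_decode('<blob>')); ?>\n")
    write(root, "theme/standard/style.php", "<?php eval(stripslashes(base64_decode('<blob>'))); ?>\n")
    write(root, "config.php", "$THEME->resources = base64_decode('<blob>');\n", append=True)
    write(root, "moodledata/cache/x.tmp", "other churn\n")

    return diff_baseline(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Re-run save_baseline after every legitimate upgrade, and keep baseline.json (and this script) where the PHP process cannot write, ideally on another host: an intruder who can drop 403.php can also edit a baseline that sits beside it. Combined with a web root owned by a deploy user and read-only to the web server user, the diff then only ever shows your own changes.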

#3

Thanks for the reply. Now I installed the latest version of Moodle.
I followed the advice of the link.
I hope that does not happen again. I’ll be more careful.


#4

I just ran into this problem on my site today. No Moodle installs, but I have a ton of WP and a Drupal install. Not sure which caused the problem. Running clean-up now.

Athos002: How did you run the ack-grep-w “base64_decode” | more command? I’m not a Unix guru and couldn’t get this to work in my shell.

Thanks!
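On the command from post #1: ack-grep is the name the Debian/Ubuntu package gives to ack, and -w is a separate option, so the invocation is ack-grep -w "base64_decode" | more, run inside the web root; plain GNU grep does the same with grep -rnw base64_decode . The script below is an added example, not the poster's code, that goes a step beyond the word search: it flags only the obfuscation idioms seen in the thread (an eval chain such as @eval(@base64_decode(...)) or eval(stripslashes(base64_decode(...))), and base64_decode() of a hard-coded literal, which is how the $THEME->resources line looks), it also looks in CSS and template files, and it decodes each base64 literal for reading without executing anything. The visible prefix of the theme blob quoted in post #1 decodes to &nbsp;<a href="http://, i.e. a hidden link. The file names and payloads the script writes to a temporary directory are constructed for the demonstration.

```python
"""Find injected eval/base64 code in a web root and decode it for reading.

Added example, not code from the thread. It does what the poster's
ack-grep -w "base64_decode" did, with three additions: it flags only the
obfuscation idioms seen in the thread (eval chains and base64 literals),
it looks in CSS and template files as well as PHP, and it decodes each
base64 literal so the payload can be read without ever executing it.
The sample files are constructed for the demonstration.
"""
import base64
import binascii
import os
import re
import tempfile
from typing import Dict, List, Tuple

# The thread reports code in PHP, templates and CSS; scan those.
EXTENSIONS = (".php", ".phtml", ".inc", ".css", ".js", ".html", ".tpl", ".mustache")

# eval()/assert()/create_function() fed by a decoder, optionally wrapped in
# @ error suppression or stripslashes(), as in both snippets from post #1.
EVAL_CHAIN = re.compile(
    r"@?\b(?:eval|assert|create_function)\s*\(\s*@?(?:stripslashes\s*\(\s*)?"
    r"@?(?:base64_decode|gzinflate|gzuncompress|str_rot13|urldecode)\s*\(",
    re.IGNORECASE,
)

# base64_decode() of a long quoted literal. Real code decodes variables;
# a hard-coded blob (the $THEME->resources line) is what an injector leaves.
B64_LITERAL = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]{16,})""", re.IGNORECASE)


def decode_payload(blob: str) -> str:
    """Decode a base64 literal for inspection only; nothing is executed.

    A truncated blob (like the ones pasted in the thread) is cut back to a
    multiple of four characters so the readable prefix still comes out.
    """
    blob = blob[: len(blob) - len(blob) % 4]
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "<not valid base64>"
    return raw.decode("utf-8", errors="replace")


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, decoded_payload) for each suspicious line."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            chain = EVAL_CHAIN.search(line)
            literal = B64_LITERAL.search(line)
            if not chain and not literal:
                continue
            reason = "eval chain" if chain else "hard-coded base64 literal"
            decoded = decode_payload(literal.group(1)) if literal else ""
            hits.append((no, reason, decoded))
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Walk root (like grep -rn) and collect the hits per relative path."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample payloads (not the thread's): a command shell and the
# kind of hidden spam link that a base64 blob in a theme config carries.
SHELL_SRC = "if (isset($_REQUEST['c'])) { system($_REQUEST['c']); }"
LINK_SRC = '&nbsp;<a href="http://example.invalid/">cheap pills</a>'


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def make_sample_site() -> str:
    """Write a small constructed web root that mimics the thread's findings."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        # Injected file: @-suppressed eval of a base64 blob (first snippet).
        "403.php": '<?@eval(@base64_decode("{}")); ?>\n'.format(b64(SHELL_SRC)),
        # Injected file: stripslashes variant (second snippet).
        "style.php": "<?php eval(stripslashes(base64_decode('{}'))); ?>\n".format(b64(SHELL_SRC)),
        # Legitimate theme config with one injected line appended.
        "theme/config.php": ("<?php\n$THEME->name = 'standard';\n"
                             "$THEME->resources = base64_decode('{}');\n").format(b64(LINK_SRC)),
        # Legitimate use: decodes a variable, not a literal; must not be flagged.
        "lib/upload.php": "<?php\n$data = base64_decode($_POST['blob']);\n",
        # Clean stylesheet.
        "theme/style.css": "body { margin: 0; }\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = make_sample_site()
    for rel, hits in sorted(scan_tree(site).items()):
        for no, reason, decoded in hits:
            print("{}:{}  {}  -> {}".format(rel, no, reason, decoded))
```

Point scan_tree at a read-only copy of the web root. base64_decode() of a variable is not flagged at all, and a literal without an eval is reported under its own reason, so legitimate decoding of request data does not drown the report. Treat a clean run as triage, not proof: injectors also build strings with chr(), concatenation or gzinflate chains that a line-based regex will not assemble. Keep a copy of every flagged file, with its mtime and owner, before deleting it; those are what tell you which component wrote it.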