Hacked site recovery: Difference between revisions
From MoodleDocs
| Line 18: | Line 18: | ||
* [http://download.moodle.org/ Download the latest stable version] and [[Upgrade|upgrade]] your site. | * [http://download.moodle.org/ Download the latest stable version] and [[Upgrade|upgrade]] your site. | ||
* Change your passwords. | * Change your passwords. | ||
==Dealing with spam== | ==Dealing with spam== | ||
Revision as of 13:27, 19 February 2009
Initial steps
- Organise to take your site off-line temporarily until you know you've fixed everything.
- Find all available older database and file backups
- Backup php files, database and data files (Do not overwrite older backups.)
- Contact your hosting provider, if you have one.
Damage assessment
- Look for any modified or uploaded files on your web server.
- Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.
Recovery
- Find out when exactly was the site hacked.
- Restore last backup right before the incident.
- Download the latest stable version and upgrade your site.
- Change your passwords.
Dealing with spam
- Spam in profiles or forum posts does not mean your site was actually hacked.
- Use the Spam cleaner tool (Administration > Reports > Spam cleaner) in Moodle 1.8.9 and 1.9.5 regularly to find spam.
Prevention
Always keep your site up-to-date and use the latest stable version.
It is very safe to go from 1.9.3 to 1.9.4+, for example, at any time. CVS is an easy way to do this.
See also
Using Moodle forum discussions:
