Hacked site recovery
Note: You are currently viewing documentation for Moodle 3.1. Up-to-date documentation for the latest stable version of Moodle is probably available here: Hacked site recovery.
- Contact your hosting provider, if you have one.
- Immediately put the site into Maintenance mode or better completely off-line until you know you've fixed everything.
- Find all available older database and file backups
- Backup php files, database and data files (Do not overwrite older backups.)
- Make a list of all PHP software installed on the same server.
- Note main Moodle version and the date of last update
- Make a list of all contrib modules and custom modifications
- Find out when exactly was the site hacked.
- Look for any modified or uploaded files on your web server - look for oldest file that does not belong in Moodle.
- Check your server logs for any suspicious activity around that date or few hours before, such as strange page parameters, failed login attempts, command history (especially as root), unknown user accounts, etc.
- Restore last backup right before the incident.
- Download the latest stable version and upgrade your site.
- Change your passwords.
Dealing with spam
- Spam in profiles or forum posts does not mean your site was actually hacked.
- Use the Spam cleaner tool (Administration > Reports > Spam cleaner) regularly to find spam (Moodle 1.8.9 and 1.9.5 onwards).
- Always keep your site up-to-date and use the latest stable version. It is very safe to go from 1.9.3 to 1.9.4+ weekly build, for example, at any time. CVS is an easy way to do this.
- Regularly run the Security overview report (Administration > Reports > Security overview) (Moodle 1.8.9 and 1.9.4 onwards).
- Understand how to properly set permissions and file ownership to maximise security. If this is a mystery, you mustn't ignore it - read about it or ask in the forums!
Using Moodle forum discussions:
- Blank page appears when trying to edit or update a course.
- How to diagnose a Hacked Moodle Site?
- Security issue: source files hacked ("hackcheckstr")
- Have I been hacked? Strange happenings...
- Our site was hacked, delete the Moodle files, Fortunately we still have the database.
- Trojan:JS Type Obfuscation Exploits