Hacked site recovery: Difference between revisions
From MoodleDocs
| Line 10: | Line 10: | ||
==Damage assessment== | ==Damage assessment== | ||
* Find out when exactly was the site hacked. | |||
* Look for any modified or uploaded files on your web server. | * Look for any modified or uploaded files on your web server. | ||
* Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc. | * Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc. | ||
Revision as of 13:31, 19 February 2009
Initial steps
- Contact your hosting provider, if you have one.
- Immediately put the site into Maintenance mode or completely off-line until you know you've fixed everything.
- Find all available older database and file backups
- Backup php files, database and data files (Do not overwrite older backups.)
Damage assessment
- Find out when exactly was the site hacked.
- Look for any modified or uploaded files on your web server.
- Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.
Recovery
- Restore last backup right before the incident.
- Download the latest stable version and upgrade your site.
- Change your passwords.
Dealing with spam
- Spam in profiles or forum posts does not mean your site was actually hacked.
- Use the Spam cleaner tool (Administration > Reports > Spam cleaner) regularly to find spam (Moodle 1.8.9 and 1.9.5 onwards).
Prevention
- Always keep your site up-to-date and use the latest stable version. It is very safe to go from 1.9.3 to 1.9.4+, for example, at any time. CVS is an easy way to do this.
- Regularly run the Security overview report (Administration > Reports > Security overview) (Moodle 1.8.9 and 1.9.4 onwards).
See also
Using Moodle forum discussions:
