Hacked site recovery: Difference between revisions

Revision as of 13:25, 19 February 2009

This article is a stub. Please help improve Moodle Docs by editing it and adding some content.

Organise to take your site off-line temporarily until you know you've fixed everything.
Find all available older database and file backups
Backup php files, database and data files (Do not overwrite older backups.)
Contact your hosting provider, if you have one.

Look for any modified or uploaded files on your web server.
Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.

Find out when exactly was the site hacked.
Restore last backup right before the incident.
Download the latest stable version and upgrade your site.
Change your passwords.
Run the Security overview report (Administration > Reports > Security overview) in Moodle 1.8.9 and 1.9.4 onwards.

Use the Spam cleaner tool (Administration > Reports > Spam cleaner) in Moodle 1.8.9 and 1.9.5 onwards, to find and clean up any leftover mess.

Always keep your site up-to-date and use the latest stable version.

It is very safe to go from 1.9.3 to 1.9.4+, for example, at any time. CVS is an easy way to do this.

@@ Line 14: / Line 14: @@
 ==Recovery==
+* Find out when exactly was the site hacked.
+* Restore last backup right before the incident.
 * [http://download.moodle.org/ Download the latest stable version] and [[Upgrade|upgrade]] your site.
 * Change your passwords.
 * Run the [[Security overview]] report (''Administration > Reports > Security overview'') in Moodle 1.8.9 and 1.9.4 onwards.
+==Dealing with spam==
 * Use the [[Spam cleaner]] tool (''Administration > Reports > Spam cleaner'') in Moodle 1.8.9 and 1.9.5 onwards, to find and clean up any leftover mess.