Hacked site recovery: Difference between revisions
From MoodleDocs
| Line 5: | Line 5: | ||
* Organise to take your site off-line temporarily until you know you've fixed everything. | * Organise to take your site off-line temporarily until you know you've fixed everything. | ||
* Find all available older database and file backups | * Find all available older database and file backups | ||
* Backup | * Backup php files, database and data files (Do not overwrite older backups.) | ||
* Contact your hosting provider, if you have one. | * Contact your hosting provider, if you have one. | ||
Revision as of 13:22, 19 February 2009
Initial steps
- Organise to take your site off-line temporarily until you know you've fixed everything.
- Find all available older database and file backups
- Backup php files, database and data files (Do not overwrite older backups.)
- Contact your hosting provider, if you have one.
Damage assessment
- Look for any modified or uploaded files on your web server.
- Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.
Recovery
- Download the latest stable version and upgrade your site.
- Change your passwords.
- Run the Security overview report (Administration > Reports > Security overview) in Moodle 1.8.9 and 1.9.4 onwards.
- Use the Spam cleaner tool (Administration > Reports > Spam cleaner) in Moodle 1.8.9 and 1.9.5 onwards, to find and clean up any leftover mess.
Prevention
Always keep your site up-to-date and use the latest stable version.
It is very safe to go from 1.9.3 to 1.9.4+, for example, at any time. CVS is an easy way to do this.
See also
Using Moodle forum discussions:
