ATTENTENTION Webmasters - possible security vulnerability on school networks

[ZInventor]

curiously enough though (i forgot to mention this earlier) the list of links doesn't appear in the moodle system, it's currently appearing on a sepparate system, the newspaper, which was hand-coded by myself and a friend.

the reason we're pointing the finger toards moodle is because the links ALL go to sites using moodle!

also, if you look at the rendered source of the site (loaded in a browser) every page (categories etc...) has a different list of links, and the whole set changes every coupple days! but, without fail, they are all moodle!!!

if i were you, i'd have the tech person check every website and page on the domain.

-Z

[Andrew Schreiber]

That is strange.

Have you filed a report with the makers of Moodle?

Have you checked through all of the javascript on the page? A virus scan won't find AJAX calls to external pages. If the content is changing it has to have a source, if a virus scan found nothing chances are it isn't local to you. ( I did a quick scan through of it but being unfamiliar with the system I would have missed it)

Does that appear on every page or just certain ones?

A quick google search didn't return results for the phrases other than your newspaper site.

[ZInventor]

unfortunatley, the only person with contact info for moodle (other than the non-responsive online suport email) is the tech coord at our school, and he's on vacation.

my friend and i hand-coded the pages (there are several, but all are "included" by index.php)i've looked through every script, and none of them reference external files; whenever i get a new script or such that does, i download the source (if it's creative commons) and tweak it, removing any external references.

oddly, the only place that the code shows up is the "rendered" source. the files on our server are clean.

we'll be contacting moodle as soon as our tech gets back.

another funny thing, making me think that this has nothing to do with the code, is that when we renamed index.php to index1.php, the problem went away, for a couple days, but, so did our site (index1 will not get auto-called like index)

thanks for the ideas,

-Z

[Andrew Schreiber]

Try renaming the page then having index.php redirect to index1.php. Odd problem.

[ZInventor]

we tried that, but it seems that the redirect connects the files just enough to cause the divs to keep appearing!

once the tech gets back, we'll try migrating the entire site to a different location on the server, then moving the DNS reference...

hopefully, that'll help.

-Z

[OScubed]

It looks like link generating spam. This is placed into remote sites to point back at other sites for advertising SEO. Many spiders won't notice that they are in a hidden div, so the links back to the original sites increase (in a black hat kind of way) the linkscore of the target.

Have you commented out the following JS to be sure they're not injecting the div:

Colourloverscolorpicker.js
print.js
ddaccordion.js
lnews.js

Check this link on the moodle site for additional info:
http://moodle.org/mod/forum/discuss.php?d=116103

If your webmaster downloaded a template from a "free site" the linkspam js may be embedded in the moodle skin.

[ZInventor]

Quote:

Originally Posted by OScubed

Have you commented out the following JS to be sure they're not injecting the div:

Colourloverscolorpicker.js
print.js
ddaccordion.js
lnews.js

lnews.js and print.js are scripts we've written, and both of the other scripts have been heavily modified, and do not reference any other files, unless i missed something... (after all, i was working late at night)

now that you mention it,i've re-checked the scripts, and they are all clean...

the only scipt i haven't modified is http://ajax.googleapis.com/ajax/libs.../jquery.min.js, but i use that on several other sites without any issues...

looking at the pages referenced in the ghost div, it doesn't seem to be for advertizing... all the pages seem to be located on sites they have no relation to, most of which are schools and universities, and all of which run moodle

i wasn't able to get to the moodle discussuion board, as i do not have an account... however, i will talk with the tech coordinator at school to see if he has one.

thanks for the thought though,

-Z