#1
25-06-2009, 02:46
ZInventor
Registered User
AKA: Zeno Le Héricy
FRC #2915 (Riverdale Robotics Pandamonium)
Team Role: Alumni
Join Date: Feb 2008
Rookie Year: 2000
Location: Portland Oregon USA
Posts: 247
ATTENTION Webmasters - possible security vulnerability on school networks

This post is mainly intended as a warning, but also to see if anyone else has been affected.

Our school used to run Moodle, a sort of CMS / online class software, and recently, the school newspaper's website (which I maintain along with our robotics site) got hacked.

Curiously though, the result of the hack was the addition of a div marked display:none (thankfully) that contained links to pages on a ton of Moodle sites. However, when we investigated a couple of the sites, they seemed fishy. The pages had been added maliciously to the websites, and contained no relevance to the host.

To see if your website has a similar problem, put some comments like this around your "BODY" tag:

Code:
<!--The ghost div starts IMMEDIATELY after the open body tag.-->
<body><!--end ghost spam div-->

When you render the website in a browser, right click and hit "view source". If your site has been affected, there will be a huge ghost div in between the body tag and the second comment.

Try viewing the source of this page (our newspaper site).

So far, we've been lucky and haven't had the div turn visible, but want to spread the word that this is happening to see if anyone knows how to stop it.

We have tried virus scans, spyware scans, etc., and nothing has turned up. Hopefully, not many people have this kind of problem, but if you do, please post here so that we can all check out each other's sites. The way I see it, the more people we have looking, the better.

If you have any ideas on how to fix this type of problem, please post! It would be much appreciated.

-Z
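
The manual check described in this post (look in the served source for a hidden div full of links to other sites), automated as an added example that is not part of the original thread. It assumes the div is hidden with an inline style attribute; the function names, the threshold and the hosts in the sample are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class HiddenLinkScanner(HTMLParser):
    """Collect off-site links inside elements hidden by an inline style."""
    def __init__(self, own_host):
        super().__init__()
        self.own = "." + own_host.lower()  # suffix match also covers subdomains
        self.stack = []        # (tag, starts_hidden_region) per open element
        self.hidden_depth = 0  # > 0 while inside any hidden element
        self.hits = []         # (source line, off-site host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDDEN.search(attrs.get("style") or ""))
        if tag == "a" and (self.hidden_depth or hides):
            host = (urlparse(attrs.get("href") or "").hostname or "").lower()
            if host and not ("." + host).endswith(self.own):
                self.hits.append((self.getpos()[0], host))
        if tag not in VOID:  # void elements never get an end tag
            self.stack.append((tag, hides))
            self.hidden_depth += hides

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.hidden_depth -= sum(h for _, h in self.stack[i:])
                del self.stack[i:]
                break

def scan_served_html(html, own_host, threshold=3):
    """Return (line, host) hits if there are enough to look like a link farm."""
    scanner = HiddenLinkScanner(own_host)
    scanner.feed(html)
    return scanner.hits if len(scanner.hits) >= threshold else []

# Constructed sample of a served page; every host is a placeholder.
SAMPLE = """<html><body><div style="display:none">
<a href="http://moodle.school-a.example/x/1.html">a</a>
<a href="http://moodle.univ-b.example/x/2.html">b</a>
<a href="http://moodle.college-c.example/x/3.html">c</a></div>
<div style="display: none"><a href="/archive">menu</a></div>
<p><a href="http://www.example.org/">visible link</a></p></body></html>"""
```

Feed it the page as the browser receives it rather than the file on disk, since the thread reports the injected div only in the rendered source.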

#2
25-06-2009, 11:17
SushaK
Registered User
AKA: Susha The Russian
FRC #0461 (Westside Boiler Invasion)
Team Role: Mechanical
Join Date: Jan 2009
Rookie Year: 2007
Location: West Lafayette, IN
Posts: 49
Re: ATTENTION Webmasters - possible security vulnerability on school networks

My school uses Moodle for some classes, but just as a way to post practice quizzes and assignments and as a way to chat with teachers or as an easier way to get ahold of the teachers. We don't actually use it much though, and I personally haven't used it since last year... but thanks for the warning, I'll make sure to check it out and warn our tech advisor. Good luck with your problem and hopefully it'll go away!
__________________
BOILER UP!

#3
25-06-2009, 16:23
ZInventor
Re: ATTENTION Webmasters - possible security vulnerability on school networks

Curiously enough though (I forgot to mention this earlier), the list of links doesn't appear in the Moodle system; it's currently appearing on a separate system, the newspaper, which was hand-coded by myself and a friend.

The reason we're pointing the finger towards Moodle is because the links ALL go to sites using Moodle!

Also, if you look at the rendered source of the site (loaded in a browser), every page (categories etc...) has a different list of links, and the whole set changes every couple days! But, without fail, they are all Moodle!!!

If I were you, I'd have the tech person check every website and page on the domain.

-Z

#4
28-06-2009, 13:29
Andrew Schreiber
Joining the 900 Meme Team
FRC #0079
Join Date: Jan 2005
Rookie Year: 2000
Location: Misplaced Michigander
Posts: 4,060
Re: ATTENTION Webmasters - possible security vulnerability on school networks

That is strange.

Have you filed a report with the makers of Moodle?

Have you checked through all of the JavaScript on the page? A virus scan won't find AJAX calls to external pages. If the content is changing it has to have a source; if a virus scan found nothing, chances are it isn't local to you. (I did a quick scan through of it, but being unfamiliar with the system I would have missed it.)

Does that appear on every page or just certain ones?

A quick Google search didn't return results for the phrases other than your newspaper site.

#5
28-06-2009, 15:07
ZInventor
Re: ATTENTION Webmasters - possible security vulnerability on school networks

Unfortunately, the only person with contact info for Moodle (other than the non-responsive online support email) is the tech coord at our school, and he's on vacation.

My friend and I hand-coded the pages (there are several, but all are "included" by index.php). I've looked through every script, and none of them reference external files; whenever I get a new script or such that does, I download the source (if it's Creative Commons) and tweak it, removing any external references.

Oddly, the only place that the code shows up is the "rendered" source. The files on our server are clean.

We'll be contacting Moodle as soon as our tech gets back.

Another funny thing, making me think that this has nothing to do with the code, is that when we renamed index.php to index1.php, the problem went away for a couple days, but so did our site (index1 will not get auto-called like index).

Thanks for the ideas,

-Z

#6
28-06-2009, 17:38
Andrew Schreiber
Re: ATTENTION Webmasters - possible security vulnerability on school networks

Try renaming the page then having index.php redirect to index1.php. Odd problem.

#7
28-06-2009, 18:51
ZInventor
Re: ATTENTION Webmasters - possible security vulnerability on school networks

We tried that, but it seems that the redirect connects the files just enough to cause the divs to keep appearing!

Once the tech gets back, we'll try migrating the entire site to a different location on the server, then moving the DNS reference...

Hopefully, that'll help.

-Z

#8
29-06-2009, 16:15
OScubed
Lee Drake, CEO, OS-Cubed Inc.
AKA: Lee Drake
FRC #1511 (Rolling Thunder)
Team Role: Parent
Join Date: Mar 2008
Rookie Year: 2006
Location: Rochester, NY
Posts: 156
Re: ATTENTION Webmasters - possible security vulnerability on school networks

It looks like link generating spam. This is placed into remote sites to point back at other sites for advertising SEO. Many spiders won't notice that they are in a hidden div, so the links back to the original sites increase (in a black hat kind of way) the linkscore of the target.

Have you commented out the following JS to be sure they're not injecting the div:

Colourloverscolorpicker.js
print.js
ddaccordion.js
lnews.js

Check this link on the Moodle site for additional info:
http://moodle.org/mod/forum/discuss.php?d=116103

If your webmaster downloaded a template from a "free site", the linkspam JS may be embedded in the Moodle skin.
__________________
Lee Drake, CEO, OS-Cubed, Inc.
Business Mentor - team 1511
Rochester, NY

Building optimal, stable, secure solutions to your business challenges.


Last edited by OScubed : 29-06-2009 at 16:24.
#9
29-06-2009, 16:41
ZInventor
Re: ATTENTION Webmasters - possible security vulnerability on school networks

Quote:
Originally Posted by OScubed
Have you commented out the following JS to be sure they're not injecting the div:

Colourloverscolorpicker.js
print.js
ddaccordion.js
lnews.js

lnews.js and print.js are scripts we've written, and both of the other scripts have been heavily modified and do not reference any other files, unless I missed something... (after all, I was working late at night)

Now that you mention it, I've re-checked the scripts, and they are all clean...

The only script I haven't modified is http://ajax.googleapis.com/ajax/libs.../jquery.min.js, but I use that on several other sites without any issues...

Looking at the pages referenced in the ghost div, it doesn't seem to be for advertising... All the pages seem to be located on sites they have no relation to, most of which are schools and universities, and all of which run Moodle.

I wasn't able to get to the Moodle discussion board, as I do not have an account... however, I will talk with the tech coordinator at school to see if he has one.

Thanks for the thought though,

-Z

All times are GMT -5.