Forums | Mahara Community

Mahara phishing (hacked website) issue


Nitin Mishra

17 November 2020, 21:49

Hello,

I am using Mahara for a university, but in the last few months many phishing attacks were successfully attempted. Initially one unzip.php and one premiumx.zip file were uploaded, after which an onlinebanking folder was created within the account folder (sometimes at the root). Also, this site does not have direct user login or registration; users log in through SSO from the Moodle site.

I have tried many possible solutions, as below:

1- Followed the settings recommended for configuration in config.php and configured the site options as admin.

2- Included many .htaccess rules.

3- Changed the passwords of the hosting, database user, and site admin.

4- Restricted the external resource/URL embed option in site options through admin.

5- Upgraded from version 20.04.0 to 20.04.2.

6- Enabled Google reCAPTCHA and disabled the contact form.

7- Again restored fresh code after the version upgrade.

8- Added a restriction to the upload files option in the config file (validfiletypes).

9- Set directorypermissions = 0700 in the config file.

10- Enabled ClamAV antivirus.

11- No unauthenticated user was found accessing the Mahara site, as checked in the logs.

12- Removed the login block code from the sidebar and login template.

After applying these changes, I am still not able to stop the phishing attacks. Please help.

Robert Lyon

19 November 2020, 9:45

Hello Nitin,

This does sound like a problem.

I notice that in point 8 you mention restricting file uploads to certain file types. Did you exclude the .zip option there?

It seems strange that any uploaded file would have been executed, as uploads are stored outside the www root directory and so should not be accessible directly via the Mahara system. They are read from the dataroot storage via a download.php file, so they shouldn't be executed directly.

Are you able to check the system logs to see what process created the new directory?

Also, can you check if the files were somehow passed in via the Moodle system?

Cheers

Robert
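As an added example (not from this thread and not Mahara's own code), a small POSIX shell audit of the storage model Robert describes: it checks that the dataroot sits outside the web root, that no PHP or phishing folder has appeared among the uploads, and looks in the web root for the file and folder names Nitin reported. The function name and the directory layout are assumptions; the file names are the ones from the thread.

```shell
#!/bin/sh
# audit_mahara_tree WEBROOT DATAROOT
# Prints one WARN line per finding and returns the number of findings.
# Assumed helper for this thread, not part of Mahara.
audit_mahara_tree() {
    webroot=$(cd "$1" && pwd -P) || return 255
    dataroot=$(cd "$2" && pwd -P) || return 255
    findings=0

    # 1. Uploads are served through download.php, never directly, but that only
    #    holds if the dataroot is not itself inside the document root.
    case "$dataroot/" in
        "$webroot"/*)
            echo "WARN dataroot $dataroot lies inside webroot $webroot"
            findings=$((findings + 1)) ;;
    esac

    # 2. Nothing executable belongs in the dataroot: any .php file there, or an
    #    'onlinebanking' folder as seen in this incident, is a red flag.
    hits=$(find "$dataroot" \( -type f -name '*.php' \) \
                            -o \( -type d -name 'onlinebanking' \) 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/WARN unexpected in dataroot: /'
        findings=$((findings + $(printf '%s\n' "$hits" | wc -l)))
    fi

    # 3. The dropper, archive and phishing folder names reported in the thread,
    #    searched under the web root where a fresh checkout should not have them.
    hits=$(find "$webroot" \( -name 'unzip.php' -o -name 'premiumx.zip' \) \
                            -o \( -type d -name 'onlinebanking' \) 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/WARN known indicator in webroot: /'
        findings=$((findings + $(printf '%s\n' "$hits" | wc -l)))
    fi

    return "$findings"
}
```

Run it against the real paths from config.php (wwwroot's document root and dataroot) and compare the web root against a clean checkout of the same Mahara version to confirm each hit is foreign.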
