Hi all,
Over the last few days, we have received a number of reports of Chamilo portals (even the latest v1.11.36) being hacked into.
These attacks targeted a vulnerability in the main/install/ folder of Chamilo. At the end of the installation process, we recommend deleting the main/install folder or changing its permissions. Even with the folder still present, the attack also required write permissions on the app/config/ folder or on the app/config/configuration.php file, and in other places.
There are cases where someone would not have seen that message at the end of the installer, or would have later upgraded Chamilo, which adds the folder again without the warning message. In any case, some Chamilo portals were vulnerable, as we have seen over the last few days, so we thought it was important to inform you.
First of all, even if you do not know whether you've been hacked, you can now download Chamilo v1.11.38 from here and update your portal. If you have 1.11.32, 1.11.34 or 1.11.36, this should change practically nothing other than adding features, fixing bugs and fixing a ton of newly-discovered vulnerabilities.
Removing the main/install/ folder is the most important and easiest fix, but you also need to check whether you've been hacked.
Check if you have been hacked:
Check the last modification date of the app/config/configuration.php file. Modifying this file seems to be a common first action taken by the hackers.
If the date is recent and you didn't change anything there yourself, it is likely that you've been hacked. In this case, you should check:
for any change in the database connection details at the beginning of the file (db_host, db_user, db_pass, main_database)
for any call to file_put_contents, which will try to write a file into your root Chamilo folder
for any files created at the root like rce_*.php or up_*.php
What to do
copy the hacked files, in their current state, to a directory outside Chamilo and out of web access (you can put them on your computer; they shouldn't be viruses, just text files with PHP code). This will later help you analyse the impact.
remove the main/install/ directory completely. It's not necessary for Chamilo to run, and it's the one containing the vulnerability.
recover app/config/configuration.php from a backup or, if you know it very well, edit it and remove the recent changes (db details and file_put_contents line, see above).
remove the /rce_*.php and /up_*.php files if present
strengthen your filesystem permissions by following the security guide at https://11.chamilo.org/documentation/security.html
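As an added example (not Chamilo project code), the shell script below automates the checks from "Check if you have been hacked" and the evidence-preservation step of "What to do". It assumes the Chamilo web root is passed as its first argument, treats "recent" as within 7 days (an arbitrary threshold, overridable as the second argument), and takes an evidence directory outside the web root that you choose. The sample tree it builds when run without arguments is constructed, and the db_* key names in it follow this advisory rather than a real configuration.php.

```shell
#!/bin/sh
# Added example (not Chamilo project code): scripted version of the
# "Check if you have been hacked" and "What to do" steps in the advisory.
# Assumptions: $1 is the Chamilo web root; "recent" means within $2 days
# (default 7, an arbitrary threshold); evidence goes to a directory you
# choose outside the web root.

# Constructed sample tree so the script can be run offline. Key names are
# the ones listed in the advisory; the file_put_contents line stands in for
# the injected write described there (here it only writes a harmless marker).
make_sample_tree() {
  mkdir -p "$1/app/config" "$1/main/install"
  cat > "$1/app/config/configuration.php" <<'EOF'
<?php
$_configuration['db_host'] = 'localhost';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_pass'] = 'constructed-sample-password';
$_configuration['main_database'] = 'chamilo';
file_put_contents(__DIR__ . '/../../rce_sample.php', 'constructed marker');
EOF
  : > "$1/rce_sample.php"   # stands in for a dropped rce_*.php
}

# Each check prints a verdict and returns 1 on a finding, 0 when clean.
check_install_dir() {
  if [ -d "$1/main/install" ]; then
    echo "[!] $1/main/install still exists; remove it (not needed at runtime)"
    return 1
  fi
  echo "[ok] main/install is gone"
}

check_config_mtime() {
  cfg="$1/app/config/configuration.php"
  # find prints the path only if the file was modified in the last $2 days
  if [ -n "$(find "$cfg" -mtime -"$2" 2>/dev/null)" ]; then
    echo "[!] $cfg changed in the last $2 days; confirm the change was yours"
    return 1
  fi
  echo "[ok] $cfg unchanged in the last $2 days"
}

check_config_writes() {
  cfg="$1/app/config/configuration.php"
  if grep -n 'file_put_contents' "$cfg" 2>/dev/null; then
    echo "[!] file_put_contents call in $cfg (line above); a settings file only assigns values"
    return 1
  fi
  echo "[ok] no file_put_contents in $cfg"
}

check_dropped_files() {
  found=0
  for f in "$1"/rce_*.php "$1"/up_*.php; do   # pattern stays literal if nothing matches
    if [ -e "$f" ]; then
      echo "[!] suspicious file at the web root: $f"
      found=1
    fi
  done
  [ "$found" -eq 0 ] && echo "[ok] no rce_*.php / up_*.php at the root"
  return "$found"
}

# Informational only: the script cannot know which db values are correct.
show_db_settings() {
  cfg="$1/app/config/configuration.php"
  echo "[i] database settings in $cfg; compare with the values you expect:"
  grep -nE 'db_host|db_user|db_pass|main_database' "$cfg" 2>/dev/null || echo "    (none found)"
}

# "What to do", step 1: copy the files as they are to a directory outside
# web access, keeping timestamps (cp -p) so the copy is useful for analysis.
# Prints the number of files preserved.
preserve_evidence() {
  mkdir -p "$2"
  cp -p "$1/app/config/configuration.php" "$2/" 2>/dev/null
  for f in "$1"/rce_*.php "$1"/up_*.php; do
    [ -e "$f" ] && cp -p "$f" "$2/"
  done
  ls "$2" | wc -l | tr -d ' '
}

# Runs every check; the return value is the number of findings.
triage() {
  days="${2:-7}"
  findings=0
  check_install_dir "$1"          || findings=$((findings + 1))
  check_config_mtime "$1" "$days" || findings=$((findings + 1))
  check_config_writes "$1"        || findings=$((findings + 1))
  check_dropped_files "$1"        || findings=$((findings + 1))
  show_db_settings "$1"
  echo "== $findings finding(s); any finding means: preserve evidence, then follow 'What to do' =="
  return "$findings"
}

# Stand-alone run: with no argument, build and triage the constructed sample;
# otherwise treat the argument as a real Chamilo root.
if [ "$#" -ge 1 ]; then
  if triage "$1" "${2:-7}"; then echo "clean"; else echo "review the findings above"; fi
else
  demo=$(mktemp -d)
  make_sample_tree "$demo"
  if triage "$demo"; then echo "clean"; else echo "review the findings above"; fi
  echo "preserved $(preserve_evidence "$demo" "$demo-evidence") file(s) in $demo-evidence"
  rm -rf "$demo" "$demo-evidence"
fi
```

Run it as `sh triage.sh /var/www/chamilo` (path is an example) and act on any `[!]` line; the `[i]` block is there for you to compare the database settings against the values you know to be correct. Preserve evidence before removing anything, as the advisory says.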
After that
You will need to assess the impact of the hack on your system.
In order to do this, get advice from a security specialist. In security terms, this vulnerability, if the conditions matched the ones described above, was an unauthenticated RCE (Remote Code Execution), so your server might have been severely affected.
As far as we have seen, no harmful data-stealing script was used, but justified worry would make us assume that database contents could have been exported by the hackers. This means informing your users that their data was probably exposed and that, if they use the same login/password on your Chamilo portal as on other places online, they should change that password quickly.