
Recognize your College Moodle site?

November 18th, 2008

What do the images below have in common? They are all on US College Moodle 1.9.1 or higher sites.

Have you received your Moodle Security alert from Moodle HQ informing you about the huge Moodle Porn SPAM problem, how to find it on your Moodle site, how to get rid of it, and how to prevent it in the future? Neither have I. With tens of thousands of infected sites out there, including a lot of sites hosted by Professional Moodle Partners, I guess it’s a better business model to just ignore it and hope no one notices.

Moodle Security Through Obscurity? I don’t think so!….the clock is still ticking…142 Days, 10 Hours and counting.

The site below is a Moodle 1.9.1 site that has over 10,000 users and is infested with stuff like this:

Moodle Porn Spam

The site below is a large computer science department Moodle 1.9.2 site and even has an https connection.

The image above was from a computer science department on the West coast of the US, the image below is of another computer science department, Moodle 1.9.2 site, on the East coast…trust me…that’s not “Mahagoney” furniture :-)

This is just a small sample of the extent of the problem. It’s a major Moodle security flaw and if you look at some of the other posts here on this blog, you will soon realize that a professional Moodle Partner can’t protect you from it…according to one of the partners, “it’s not part of the service” and according to another moodle partner, “only moodle admins can see it” so it’s not a problem.

Thinking of adopting Moodle? Better go in with your eyes open! 

Recognize these Moodle Partner Hosted Moodle courses?

November 16th, 2008

If these courses are yours, are you wondering how it is I have access to them and your list of students? If so, you may want to contact your Moodle Partner host and ask why I, and anyone else for that matter, can access your supposedly secure courses on their server. Your courses should be protected, but a major, and well known Moodle security flaw gives anyone easy access to them with no hacking required.

Moodle Security Through Obscurity? I don’t think so!

The clock is still ticking on that moodle.org security forum…140 Days, 17 Hours and counting.

Moodle Security -- or Not!

 
And another course on the same site…

Moodle Security -- or Not!

Moodle Partners or Propaganda Trolls? You Decide!

November 15th, 2008

Now there is some sage advice from a Moodlerooms Moodle Partner.

Moodle Partner Troll

Source: http://moodle.org/mod/forum/discuss.php?d=110424&parent=485380#p485490

See some recent Moodle Partner work here:

http://www.moodleus.org/blog/?p=501

and here:

http://www.moodleus.org/blog/?p=541

and here:

http://www.moodleus.org/blog/?p=555

and then read the following thread on moodle.org and notice this partner wasn’t so quick to speak up in that thread:

http://moodle.org/mod/forum/discuss.php?d=109366

Search this blog for even more links to Moodle Partner hosted sites and keep an eye on this blog for even more links to their sites in the future and then you decide what “propaganda” you’re willing to “buy” ;-)

Is this your Moodle Partner hosted Moodle Site?

November 13th, 2008

If you recognize the site below, you may want to contact your professional Moodle Partner host and ask them why your site is infested with this stuff.

Moodle Partner SPAM
Image above captured on Nov 13 2008 from here: http://aamva.remote-learner.net/user/view.php?id=130

Moodle partner employees still trolling…

November 13th, 2008

A Moodle Partner employee once again trolling the “open source” forums. Ethical? I’ll report, you decide.

Moodle Troll

Source: http://moodle.org/mod/forum/discuss.php?d=110424

Read this thread on moodle.org if you really want to see what a Moodle Partner can do for you:

http://moodle.org/mod/forum/discuss.php?d=109366

p.s. Yea, I know…a short sabbatical ;-)

I’m taking a bit of a Sabbatical

November 7th, 2008

A friend, who I do have a lot of respect for, emailed me yesterday and suggested that I may be letting my blood pressure get a bit high lately and I think he is right. So, I’m going to take a bit of a break from blogging. The latest series of exchanges over Moodle Porn SPAM and the fact that I had to embarrass the lead developer into even entering the discussion says volumes to me…volumes more than I already knew.

Mauno said it best:

On the other hand from this discussion I noticed that people don’t really care what happens to those sites that are not registered, upgraded and never get warnings - nowhere. I thought Partners sell service that include taking care of updates and settings of sites but Howard confirmed this is not the case.

Emphasis added by me…original quote from here: http://moodle.org/mod/forum/discuss.php?d=109366#p482486

Now, don’t get all teary-eyed. I’m not going anywhere and neither is this blog. I’m just taking a break for a while to concentrate on some of my own “for profit” stuff that I’ve been neglecting recently. I do still care about the thousands and thousands of sites like this:

http://www.pictonhigh.net/moodle/user/view.php?id=701&course=1

…and this:

http://www.sdssroyals.com/moodle/user/view.php?id=145&course=1

…and the fact that even after over a week of discussion, embarrassment, and a 15 minute movie showing just how infested the site below is, the moodle partner who hosts this site still hasn’t felt the need to comment (while at the same time continuing to sell his wares in other moodle.org forums) or even completely clean-up the site…the day after I posted the movie, someone removed about 70% of the profiles I showed in that movie…I guess they just got tired and didn’t get to them all:

http://gcdivinity.mrooms.net/user/view.php?id=550&course=1

http://gcdivinity.mrooms.net/user/view.php?id=515&course=1

http://gcdivinity.mrooms.net/user/view.php?id=304&course=1

Come on “moodle pros”…at least make people login for those profiles if you’re not going to clean up the site: http://gcdivinity.mrooms.net/user/view.php?id=45&course=1

So, since this post will be at the top here for a while, I’ll leave you with some of my favorite Moodle Art that I’ve posted here over the past few months. The images below tell a story…if you can’t read it, then well, maybe that’s more evidence that I need this sabbatical ;-)

Moodle Partner Fishing
Moodle Partner Trolls
Moodle Security
Moodle Security Team
Censorship
Moodle Disciples

Cost for corporate training…be sure you know the “Real” cost.

November 6th, 2008

Yea, this Moodle Partner is very active on moodle.org when it comes to “selling” his product, but be sure to take a look at this post and be sure to read the entire post and watch the entire video:

http://www.moodleus.org/blog/?p=501

Then, read this entire thread on moodle.org:

http://moodle.org/mod/forum/discuss.php?d=109366

and after you have done that research, then ask yourself if you are comfortable with the “professional services” of this Moodle Partner.

Yea, Mauno…I can “read”…

November 6th, 2008

- STEVE, if you can read my previous posts…

Source:
http://moodle.org/mod/forum/discuss.php?d=109366#p482486

Yea, Mauno, I can “read”, but that’s all I can do. Must be nice to be able to post whatever you want over there in moodle-land and not have to worry about being challenged. 

Take a look at the picture in the upper-left header of this blog…recognize any of those people? Go social constructivism! Rah, Rah! ;-)

Now all you need is a “status badge” to identify them! ;-)

November 6th, 2008

Suggestion

For those admins that need even more details about a security breach and need to understand how to address it, a better solution would be to create a group something like Moodle Developers, perhaps call it Moodle Administrators, that an admin can enroll in and be screened. This forum can then be secured from the public and address any fears of vulnerabilities getting out.

What a great idea…create a closed group, screen the membership, and secure it from the public.

That will fit right in with the elitist mentality in moodle-land. Keep making suggestions like that and you’ll soon find one or two of those already existing status badges under your smiley face…just like the rest of the people in that forum have :-)

Source: http://moodle.org/mod/forum/discuss.php?d=109366&parent=482486#p482639 

Security Through Obscurity (or closed clubs)? I don’t think so!

Joomla Security Forum: http://forum.joomla.org/viewforum.php?f=432

Mambo Security Forum: http://forum.mambo-foundation.org/forumdisplay.php?f=151

Moodle Security Forum: Sorry, you’re not member of the “club” ;-)

Is this your Moodle site?

November 6th, 2008

Is this your Moodle site?

If so and you’re not sure why this is on your site today, 6 Nov 2008, and has been there since 3 May 2008, then you may want to contact your professional Moodle host and ask them what they are doing to protect your site from Moodle SPAM.

Trust me when I tell you this is “mild” compared to what could be on your site. If you are not sure how to contact your host, you may want to send a message to the following account. Good luck!

http://mrsh.mrooms.net/user/view.php?id=3&course=1

Source for image below captured on 6 Nov 2008: http://mrsh.mrooms.net/user/view.php?id=170&course=1

Moodle Security

Moodle Security Through Obscurity? I don’t think so!

Is this your Moodle course?

November 5th, 2008

If you recognize the Moodle course below and are wondering how it is you are seeing it here, you should contact your professional Moodle host and ask them about the course enrollment key security vulnerability.

There was no “hacking” required to gain access to your course…if I can do it anyone in the world can.

Note: I didn’t download anything from your course, but there is nothing stopping the next person…

Moodle Security Through Obscurity? I don’t think so!

Moodle Security

Quotable Quotes: “I was wrong. We need that forum. Talking about security (of moodle) - not only spam - should not be a tabu.”

November 5th, 2008

People like STEVE can open our eyes to communicate more - not meaning to hurt feelings but ready to make things better and to warn sites of possible risks.smile

That’s nice that you are finally ready to warn sites of possible risks…what finally made you ready to do such a radical thing like that, I wonder?

By “People like STEVE…” I’m sure you mean “People” who refuse to have their speech censored by “People like MARTIN and his DISCIPLES…”, Right? ;-)

Or, maybe you mean people who will not be intimidated and actually have the backbone to ensure conversations like you are having in that forum right now can and will actually take place…even if he has to do it from outside the cult community…is that what you mean?

The clock is still running…129 Days, 8 Hours and counting

I will say you were right before you were wrong though….calling for that security forum was the right thing to do…allowing Martin to slap your hand and make you change your mind was not good…I’m glad you have changed your mind again…shows there’s hope of at least a little independent thought over in moodle-land.

Moodle Security

Source: http://moodle.org/mod/forum/discuss.php?d=109366

Is this your Moodle Site?

November 4th, 2008

If this is your Moodle site, you may want to contact your host and ask them what to do about this. Trust me when I say, there could be worse stuff than this on your site available to the public.

http://priory.mrooms.net/user/view.php?id=855&course=1

Also, you may want to let your host know there have been a lot of security updates since the 2+ year old version you are running — moodle 1.6.5 + (2006050550). If you are not sure how to contact your host, you may be able to find that information here:

http://priory.mrooms.net/user/view.php?id=3&course=1 

Moodle Security Through Obscurity? I don’t think so!

Can you say Freud?

November 4th, 2008

I’m not sure if this is paranoia or just that Freudian thing that gets us all from time to time, but I’m happy to see I continue to be in Martin’s thoughts…what an honor ;-)

Martin and Freud

Glad to see you’re going to work on that detection tool real soon…now what made you think to do that? You don’t have to look for me in the shadows Martin…I’m right here and I’ll keep you informed of what’s going on in the field. Thanks for thinking about me though.

You want facts? Okay…facts it is…

November 3rd, 2008

Hi Marc.

Enjoyable as it is, let’s bring this conversation back to some facts … smile

From what I can see this is a matter of one (possibly very old, I don’t know) site…

My apologies in advance to the site owners, but since the Moodle Lead developer and some of his partners seem to believe people are being misled and Moodle SPAM is limited to one, possibly very old site, and wants to imply things like:

Is it the client? Well, no, the client is always right, of course. Luckily clients never change settings they don’t understand properly and always read the context help and documentation (as far as we can tell). That makes our life so much easier. smile

Source for both quotes above is here: http://moodle.org/mod/forum/discuss.php?d=109366#p481459 

You want facts, Martin? Here are a couple…the first link was the star in my movie. The second link could be a star in the next. Of course, according to your favorite Moodle Partner, Bryan, no one but the site admin can see these, so no harm done. I’ll post more later if these facts aren’t factual enough for you:

http://gcdivinity.mrooms.net/user/view.php?id=556&course=1 

http://wtc.mrooms.net/user/view.php?id=5126&course=1 

If you are the owner of these sites and don’t like what you see and don’t know what to do about it, I would recommend contacting your host…after all, they are certified professionals in Moodle hosting.

Still Think a Moodle Partner can protect your Moodle site from SPAM? Part II

November 2nd, 2008

Background:

  1. Last Wednesday, October 29th, I published this post on my blog exposing some very offensive SPAM on a moodle site.
  2. That post resulted in this thread being started on moodle.org on Thursday, October 30th. (Note: click “login as a guest” if prompted)
  3. If you are not familiar with this issue, it would be good for you to review the information found at the links in bullet 1 and 2 above before viewing the video below.
  4. Today, Sunday, November 2nd, I created the video linked below of the same site I reported about on Wednesday.

Before Viewing the Video:

  1. If you are offended by bad words, then don’t view this video.
  2. I tried to block out all “really bad” words, but I could have missed a few. I also didn’t show any profiles with graphic porn images like the one I blurred out in my previous post.
  3. As I did in the post on Wednesday, I tried to hide the identity of the site.
  4. I have attempted to protect this video from being available to the average person simply browsing the web by placing it in a properly configured Moodle course that requires a login. The login information is only provided here in this post below the video link.
  5. The video is 14min 22sec long and demonstrates just how infested this site is with all kinds of profile SPAM. I would recommend watching the entire video to get a full appreciation of the problem. I didn’t narrate the video because I simply want you to see what exists and you can draw your own conclusions. You may want to have paper and pen handy to jot down some words you will see in these profiles so you can use them to search your database.

Now, if you are not offended by bad words, click the link below and login to view the video, then come back here and read the other bullets below the video link.

Login Info:
Username: moodle
Password: partner

CLICK HERE TO VIEW THE VIDEO

After viewing the video:

  1. Did you notice that all 100 profiles I showed you indicated that they were Deleted?
  2. That is because they were deleted by the Moodle admin and are no longer present in the list of users the admin sees. The Moodle Administrator has no indication these exist by looking anywhere in Moodle.
  3. So, why are these profiles still available on the web for anyone in the world to view?
    1. Because when a Moodle Admin deletes an account (like this moodle admin did), the account is removed from the list of users in Moodle but it is NOT deleted from the Moodle database.
    2. The ONLY way (other than viewing them like I did in the web-browser) for the moodle admin to know these profiles still exist is to look in the actual database on the server. If the moodle admin trusts someone else to take care of the “server stuff” then he/she has no way of knowing that these are still available after they have been deleted.
    3. When you look at your mdl_user table in the database, you will see that all “deleted” user accounts are still there. The only thing that happens when a Moodle admin deletes an account is the user record is “marked” as being deleted. You will see a variable in every user record called “deleted”…if an account is deleted the value is simply changed from “0” to “1”, but nothing is actually deleted from the database (where the profile description is stored) or the moodledata directory (where the favicon is stored).
    4. Result…all SPAM profiles you have ever deleted from your site through the Moodle Admin is still there in your database and is still available on the web!
  4. Did you notice that all of these profiles have been on this site for a very long time?
  5. The one profile on that site, that I reported about here on Wednesday, was deleted and it was deleted from the database, not just through the moodle admin block.
  6. Are you wondering how anyone could have opened the moodle database, deleted one SPAM profile, and didn’t notice there were 100’s of others there? Well, so am I.

Fortunately, there is an easy way to scan your Moodle database, find all of these SPAM profiles whether you have deleted them through the Moodle admin block or not, and completely remove them from your site and from the web, but you will have to do it directly in the database…there is no way to do it through the Moodle interface. The only thing you have to be careful of is that you don’t delete “regular” users (even those you have deleted through the moodle admin block) directly from the database or you run the risk of having orphaned activities in your courses.
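As an added illustration of the cleanup the paragraph above describes (this is example code written here, not the blog author’s tool and not Moodle code), the script below builds a constructed, simplified copy of a Moodle 1.9-style mdl_user table with a few assumed columns, flags profiles whose description matches spam indicators regardless of the “deleted” flag, and only hard-deletes those with no trace in the (also simplified) role-assignment and log tables, so regular accounts are left for manual review rather than orphaning course activity.

```python
import re
import sqlite3

# Assumed, simplified Moodle 1.9-style schema: the real mdl_user has many more
# columns, and user activity lives in more tables than the two checked here.
SCHEMA = """
CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT,
                       deleted INTEGER NOT NULL DEFAULT 0, description TEXT);
CREATE TABLE mdl_role_assignments (id INTEGER PRIMARY KEY, userid INTEGER, roleid INTEGER);
CREATE TABLE mdl_log (id INTEGER PRIMARY KEY, userid INTEGER, action TEXT);
"""

# Constructed sample rows. Users 4 and 5 mimic the bot-created profiles the post
# describes: deleted=1 hides them from the admin's user list, but the row (and
# its description) is still stored and still served by user/view.php.
SAMPLE_USERS = [
    (1, "guest", 0, ""),
    (2, "admin", 0, "Site administrator"),
    (3, "jsmith", 0, "Teaching assistant for CS101"),
    (4, "qwe_0981", 1, 'cheap pills <a href="http://example.invalid/rx">here</a>'),
    (5, "rtz_3377", 1, "free porn videos http://example.invalid/x"),
    (6, "retired_t", 1, "Former instructor; homepage http://example.invalid/~rt"),
]
SAMPLE_ROLES = [(1, 3, 4), (2, 6, 3)]         # jsmith and retired_t hold course roles
SAMPLE_LOG = [(1, 6, "view"), (2, 6, "add")]  # retired_t has a real activity history

# Indicators of the kind the post suggests jotting down from the profiles you
# see; extend the list with terms found in your own database.
SPAM_PATTERNS = [re.compile(p, re.IGNORECASE) for p in
                 (r"https?://\S+", r"<a\s", r"\bporn\b", r"\bpills\b")]


def build_db():
    """Create an in-memory copy of the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mdl_user VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO mdl_role_assignments VALUES (?,?,?)", SAMPLE_ROLES)
    conn.executemany("INSERT INTO mdl_log VALUES (?,?,?)", SAMPLE_LOG)
    return conn


def find_suspect_profiles(conn):
    """Return (id, username, deleted) for every row whose description matches a
    spam indicator. The deleted flag is deliberately ignored: a flagged row is
    just as reachable on the web whether it is 0 or 1."""
    rows = conn.execute("SELECT id, username, deleted, description FROM mdl_user ORDER BY id")
    return [(uid, name, deleted) for uid, name, deleted, desc in rows
            if desc and any(p.search(desc) for p in SPAM_PATTERNS)]


def has_activity(conn, userid):
    """True if the account left traces that a hard DELETE would orphan."""
    for table in ("mdl_role_assignments", "mdl_log"):
        n = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE userid=?", (userid,)).fetchone()[0]
        if n:
            return True
    return False


def purge_candidates(conn):
    """Suspect profiles with no activity: the ones that can be removed directly
    from the database. Suspects that DO have activity are left for manual review."""
    return [uid for uid, _, _ in find_suspect_profiles(conn) if not has_activity(conn, uid)]


def purge(conn, ids):
    """Hard-delete the given user rows; returns the number actually removed."""
    removed = 0
    for uid in ids:
        removed += conn.execute("DELETE FROM mdl_user WHERE id=?", (uid,)).rowcount
    conn.commit()
    return removed


if __name__ == "__main__":
    db = build_db()
    print("suspects:", find_suspect_profiles(db))   # includes retired_t (id 6)
    ids = purge_candidates(db)                       # [4, 5] only
    print("purging:", ids, "->", purge(db, ids), "rows removed")
```

Against a real site you would point the same three queries at the live database (after a backup) and review every flagged-but-active account by hand before touching it.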

The gurus at Moodle HQ have, belatedly, provided you with some suggestions about how to protect against getting this SPAM, but that’s like locking the chicken coop after a family of foxes has already moved in…what you need to know is how to get the foxes out of the hen house so they don’t continue eating your chickens!

The lead Moodle Developer and Moodle Partner involved in this fiasco, seem to still be hiding under their desks…no comment from either of them. 
Moodle Partner Hiding Under Desk
The comments you have received thus far from two other Moodle Partners:
…we do not check our sites for possible issues like this once we have set it up. I honestly don’t see it as part of the service.

and

These bogus accounts, populated with ugly stuff, are only viewable by the Moodle admin who can access all users accounts. This has largely been a nuisance for Moodle admins to clean these out while putting the “fix” in place. The fix involves using the reCAPTCHA anti-bot service…

I’ll leave you to judge those comments…you can find them both in this thread on moodle.org and you can also judge how it is that these profiles could still be on that site today after this has been discussed publicly for nearly a week.

I’ll give Moodle HQ and the Moodle Partners a few days to get their act together and tell you how to find this stuff on your site and get rid of it. If they don’t, then I’ll make a few videos and post them here to show you how to do it. 

Moodle Security Through Obscurity (or, it seems through a Moodle Partner)? I don’t think so!

Where’s Waldo? ;-)

November 1st, 2008

It looks like the discussion on moodle.org, as a result of my blog post on Wednesday, picked up a little steam yesterday. As I check in to “view” the discussion this morning [still serving my time and can't post ;-)] I can’t help but notice two things.

1. Neither the lead developer of Moodle, nor the Moodle Partner who is the subject of the discussion has commented.

2. Of all the people who have commented to this point, 41 posts in that thread as of this morning, only ONE doesn’t have a Status Badge under his name…and he seems to be the one with the most reasoned, objective response in the thread!

Of course, Marc may yet lose his badge for having the audacity to start such a discussion…it doesn’t seem to be working on him anyway ;-)

Reminds me of an article I read a few years ago…the pertinent excerpt is here.

Scan the image below…doesn’t it remind you of a yard full of peacocks?

By the way, this could be a kid-friendly activity (unlike browsing the Moodle site they are discussing). Just download the image below and use it with your kids like one of those “Where’s Waldo” books…see if they can find what’s different in the picture ;-)

I cut out the content in the image below so you could concentrate on the imagery, but do read the thread on moodle.org…it’s very “educational” as well…particularly if you are currently hosting, or are considering hosting your Moodle site with a Moodle Partner!

Here is a link if you can’t see the iframe below.

How clueless can one get? Not much more than this Moodle Partner ;-)

October 31st, 2008

If you want to see just how much one of the major Moodle Partners knows about Moodle and SPAM exploits, just read the post by Moodle Partner Bryan Williams in the thread below:

http://moodle.org/mod/forum/discuss.php?d=109366#p480843

These bogus accounts, populated with ugly stuff, are only viewable by the Moodle admin who can access all users accounts. This has largely been a nuisance for Moodle admins to clean these out while putting the “fix” in place.

That’s got to be a joke…right? Even Bryan can’t be that clueless, surely!

Saying this is the work of a Bot and that reCAPTCHA will fix it…are you joking! Surely this has to be a joke…surely someone else posted that ridiculous post and just pretended to be Moodle Partner Bryan Williams to embarrass him. Surely, a certified Moodle Partner is not that clueless? Surely!

Here is a challenge for anyone. Copy the text below and paste it into a Google search…make sure it’s formatted exactly as I have it below. Then click on some of the 12,000+ returns you get and look at some of them. Then go post in that thread and ask Bryan what he has been smoking! I want to know…it must be some good stuff ;-)

inurl:moodle/user porn

Quotable Quotes: “The bar needs to be raised at least for the Moodle Hosting Partners, if not for the Moodle Community at large, to look seriously at the issue of security, privacy and content monitoring.”

October 31st, 2008

Once again, I’ve caused a discussion to be started on moodle.org that I can’t participate in since I’m only 5 months into my 12 month sentence ;-) So I’ll just have to continue providing my 2 cents worth from here ;-). And here’s my 2 cents about the quote in the subject line and pasted again below just for good measure — DITTO!

The bar needs to be raised at least for the Moodle Hosting Partners, if not for the Moodle Community at large, to look seriously at the issue of security, privacy and content monitoring.

Source: http://moodle.org/mod/forum/discuss.php?d=109366#p480793 

p.s. Maybe the discussion taking place there isn’t really that important. I see no one from Moodle HQ, including the lead developer or the Moodle Partner who’s the subject of the discussion has posted. Of course, that moodle partner is a prolific poster on the forums when he is trying to sell his company’s service ;-)

Moodle Security Through Obscurity (or through ignoring it)? I don’t think so! ;-)

Quotable Quotes: “…we do not check our sites for possible issues like this once we have set it up. I honestly don’t see it as part of the service.”

October 30th, 2008

WOW! I do have to give Howard credit for his honesty and willingness to openly discuss this issue even though this wasn’t one of his sites.

For background see:

Now, to the point that Howard (Moodle Partner) doesn’t check his sites for these issues and he doesn’t see it as “part of the service”…well, at least now you know.

So remind me again…what is it you are actually getting by hosting with a Moodle Partner? Evidently a lot less than I thought!

I guess I had better stop regularly scanning my sites for pornographic content since “such a thing doesn’t exist”. After all, according to one of those “professional” Moodle Partners, I just:

“…live in an academic ivory tower getting a paycheck each month from the taxpayers of Kentucky, and try to run a Moodle business in your (my) spare time.”

Source: http://moodle.org/mod/forum/discuss.php?d=92405#p408615 

Who am I to find this stuff by not only “regularly scanning” my own sites, but those being hosted by a lot of others, including, it would seem, Moodle Partners who, based on what Howard says, don’t do it, don’t see it as part of their service, and wouldn’t know how to do it if they wanted to. Of course, I’m not perfect, but at least I try to protect my users’ sites.

I’ll just end the way I started by saying….WOW!

Moodle SPAM

Source: For the complete post in the screenshot above see: http://moodle.org/mod/forum/discuss.php?d=109366 
