instructure / canvas-lms

The open LMS by Instructure, Inc.
https://github.com/instructure/canvas-lms/wiki
GNU Affero General Public License v3.0

Investigating hacking activity #1684

Closed ismaelrumzan closed 2 years ago

ismaelrumzan commented 4 years ago

Our server, which has the 2018-09 version of Canvas installed and is hosted on AWS EC2 with RDS, has been having hacking activity for the past 2 weeks.

We have seen hundreds of users added with the same domain name for email and weird character names but not added to any course. Also, some portfolio pages were created and made public.

Do you have any suggestion on how I can go about investigating how the hacking happened?

ktgeek commented 4 years ago

By any chance, do you have self-registration enabled? That behavior could be less hacking and more exploitation of that setting.

ismaelrumzan commented 4 years ago

Thanks for that. In the "Settings" of the main account, Open Registration is unchecked. Students need a join code when they click "Need an account" on the Canvas login page, but teachers can sign up. So I guess that could have been exploited. How would I find out if there were many registrations on a specific date/time? Would there be a specific Canvas log that keeps track of that? Also, how would I disable the ability to self-register (teachers and students)?

ismaelrumzan commented 4 years ago

I disabled it by following this: https://guides.instructure.com/m/4214/l/135435-how-do-i-configure-self-registration-through-canvas-authentication-for-an-account. I went through the database and deleted the weird users; there were hundreds of them. The problem was that they were also then creating random eportfolio public pages from these accounts with random content (there were more than 1000 pages, and the pages were constantly being created). I've mostly deleted everything now but am monitoring things. It seems that self-registration is a hole that can be exploited in any Canvas instance. Maybe something Instructure wants to look into. My server and database are both hosted on EC2 and RDS with only ports 80 and 443 open and the rest controlled by specific IP or security group access.