Hi @Alnasser ,
How to clean up a backdoored application is a general web admin question, so you might find good advice on e.g. StackOverflow. But there are some recommendations here:
Hi @srht ,
Earlier releases of OJS 3.3.0-x were vulnerable to some stored XSS attacks, and we’ve heard reports that these have been used to escalate privileges via stored Javascript that gets presented to the manager or site admin. We’re not aware of any of these vulnerabilities in OJS 3.3.0-20 – but here are a few things to check if you did suffer a hack on a previous release.
Some of this would apply to any PHP application, and you might find other helpful info on e.g. StackOverflow.
If you…
Hi @Jon ,
The orthodoxy in dealing with a potentially defaced site is not to trust any of the contents, even if it looks like the hack was never properly invoked.
I would suggest using the standard diff tool (or similar) to compare your codebase against the official OJS 2.4.8-3 release, e.g.:
diff -u -r -N /path/to/unpacked-ojs-2.4.8-3 /path/to/your/ojs_installation
Review the diff to see what has been introduced, watching in particular for unexpected new PHP files and weird-looking additions…
Hi @tecnicouncoma ,
If a rootkit was installed, then you won’t be able to trust the contents of your web root. It’s possible that additional PHP code was introduced there.
The parts of OJS that live in the web root are the source code, configuration file, and public directory. The source code will not be carried across with an upgrade to 3.3.0-20, so you’ll be starting clean there. Review the configuration file and contents of the public directory and ensure they are legit (e.g. free of executa…
Hi @Alice ,
If you can move the files directory outside of public_html (or whatever the equivalent is on your server), and configure config.inc.php to point to its new location, that’ll prevent new malicious attempts to break in.
However, it sounds like someone has already used this to break in and edit files on your server (to add spam to the scripts). They have likely done this by installing a backdoor script somewhere in public_html, and you’ll need to make sure that is gone.
Cleaning up af…
Regards,
Alec Smecher
Public Knowledge Project Team
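As an added example (not code from this thread or from the OJS project), a POSIX shell script that automates the two checks described above: it compares an installation against an unpacked pristine release to list files that were added or modified, and scans the upload directories (public/, and files/ if it is still under the web root) for PHP-like files that should never be there. The release and installation paths are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the forum thread or the OJS project.
# Two checks for a possibly backdoored OJS web root:
#   1. files the official release does not ship, or that were modified
#   2. server-side code sitting in directories that should hold only uploads
# Directory paths are placeholders supplied by the caller.

# find_unexpected_files RELEASE_DIR INSTALL_DIR
# Prints "added <rel-path>" for files/dirs present only in the installation and
# "modified <rel-path>" for shipped files whose contents differ. Files missing
# from the installation are ignored; they cannot carry a backdoor.
find_unexpected_files() {
    release=$1 install=$2
    diff -qr "$release" "$install" 2>/dev/null | awk -v base="$install/" '
        # "Files A and B differ" / "Binary files A and B differ"
        /^(Files|Binary files) .* differ$/ {
            f = $(NF-1)
            if (index(f, base) == 1) print "modified " substr(f, length(base) + 1)
        }
        # "Only in DIR: NAME" (DIR may be the install root itself)
        /^Only in / {
            d = $3; sub(/:$/, "", d); d = d "/"
            if (index(d, base) == 1) print "added " substr(d, length(base) + 1) $4
        }' | LC_ALL=C sort
}

# find_php_in_uploads INSTALL_DIR
# public/ (and files/, if it is still under the web root) only ever hold
# uploads, so any PHP-like file or a dropped .htaccess there is a red flag.
find_php_in_uploads() {
    install=$1
    for d in public files; do
        [ -d "$install/$d" ] || continue
        find "$install/$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' -o -name '.htaccess' \)
    done | sed "s#^$install/##" | LC_ALL=C sort
}

# Usage: sh check-ojs.sh /path/to/unpacked-release /path/to/ojs_installation
if [ "$#" -eq 2 ]; then
    echo "== files not matching the release =="; find_unexpected_files "$1" "$2"
    echo "== suspicious files in upload directories =="; find_php_in_uploads "$2"
fi
```

Review every "added" or "modified" entry by hand: a legitimate config.inc.php and a populated cache/ directory will show up too, which is why the script reports rather than deletes.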