Yesterday I received a notification from the defense ministry of my country saying that my OJS 3.1 magazine had a “Defacement” attack, so I had to close it. It is very worrying for us as the launch of our next issue is next month, someone it can help?
Where is your OJS files directory? OJS should be installed so that the files directory is not a subdirectory of the OJS installation. Otherwise it can be accessed directly and a hacker can upload a malicious script.
So you should
- Move your files outside the files directory so that it can not be accessed directly
- Replace the OJS installation files to make sure that there are no other changes besides the modified index.php file. Most likely only index.php is modified. Remember to leave the public directory, your own plugins and the config.inc.php which contains your settings. You should change your mysql password.
- After your OJS is online, it is worth checking that the hacker has not added any new users with manager privileges. Most likely not, they usually just do the defacement,.
It can also happen if the self registration is enabled, so that someone can upload an image either as his/her user profile image or in a tinyMCE field in the registration or the user profile form. Also, if tinyMCE is enabled, the tinyMCE image upload URL can be used directly to upload the image – so a connection between the image upload and an user is not known.
This all is ‘just’ an image upload, that means no harm to the system, but it can apparently create problems by maybe containing strange content that is publicly available from the journal site, because the editors do not know about that and because even some security organizations are being informed about the ‘defacement’
Hi all! We are soliciting feedback and proposals for hacking claims via image uploads on this Github discussion. Feedback would be welcome.
Public Knowledge Project Team