I have inherited an OJS page and was recently received an email “The Australian Cyber Security Centre (ACSC) is aware of a defacement of the website”. The problem is that our getInterests page is currently showing :
I am not really familiar with OJS as this site was installed and maintained by someone who has since left our organisation. Does anyone know how I go about resolving this issue? It appears the OJS site is version 2.4.5 and I am waiting on approval before I upgrade to a newer version, if this is required. In the meantime, I have made some changes to the website header to block some common vulnerabilities.
I’m also wondering how I go about clearing this hacked page. Any ideas?
upgrading your OJS installation to the latest 2.4.x (this be done relatively easily and without big changes for your users),
cleaning out the spammy user accounts using mergeUsers.php (you’ll probably have to look into your database to identify them – see users and user_settings in particular), then
when you’re ready to take on a bigger upgrade, move to OJS 3.x (this will be a big change for your users but the software is much more modern).
There are a few other threads on cleaning out spammy users in this forum if you search around.
Regards,
Alec Smecher
Public Knowledge Project Team
And I guess I can go straight to 2.4.8-5 from 2.4.5? If so, I found a patch file on the same site and found the site PKP/Upgrading - Libopedia so I guess the upgrade process is:
make a backup
extract the 2.4.5-to-2.4.8-5 patch file to the correct directory
from the same directory, run the command :
$ patch -p1 < PATCH_FILE
There is “official” documentation in the download .tar.gz file. I’d suggest the “full package” process, as patches won’t contain binaries (like images). Don’t forget the database upgrade step, which is in the same document. And don’t forget to take a full backup of everything before you start, especially if you’re not sure of the state of the installation!
Regards,
Alec Smecher
Public Knowledge Project Team
