Hacking incident?

I figured out that we have had unusual traffic on our website on September 2nd. We are on OJS 2.4.6 and the files folder is not web accessible. By checking the event log file:

1- An odd connection accessed both the view and download pages of all our articles, from 1 to 4245, and also the view pages of all our issues! It originated from Germany.
The IP addresses of all connections are the same.
The first connection was made on: "2016-09-02 17:34:43"
The last connection was made on: "2016-09-02 18:22:00"
This evidently cannot be incidental.

Sample log:
138.*.*.* - - "2016-09-02 18:19:08" http://*/index.php/*/issue/view/1 200 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"

2- There are around 1000 connections from ltx71.com, which has never happened before,
originating from Amazon Technologies in the U.S.

Sample log:
52.*.*.*- - "2016-09-01 00:02:26" http://*/index.php/*/*/download/3318/3296 200 "ltx71 - (http://ltx71.com/)"

Have you ever encountered such behavior? Should I be worried?


Hi @alirezaaa,

It looks to me like someone is trying to scrape all content from your journal. There are tools available to prevent this if you’re concerned, such as fail2ban.

Alec Smecher
Public Knowledge Project Team
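
The pattern described in the question (one address requesting every article and issue ID inside an hour) can be confirmed from the log itself. The script below is an added example, not part of either post or of OJS: it parses lines in the layout of the samples above and reports addresses that requested many distinct view/download objects inside one sliding window. The function names, the thresholds and the sample lines (built from documentation address ranges) are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Log layout as in the samples above: IP - - "timestamp" URL status "user agent"
LINE_RE = re.compile(r'^(?P<ip>\S+?)\s*- - "(?P<ts>[^"]+)" (?P<url>\S+) \d{3} "[^"]*"$')
# OJS object pages: .../<page>/view/<id> and .../<page>/download/<id>/<galley>
OBJ_RE = re.compile(r'/([^/]+)/(?:view|download)/(\d+)')

def find_scrapers(lines, window_minutes=60, min_ids=50):
    """Return {ip: peak count of distinct objects requested inside one window}."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        obj = OBJ_RE.search(m["url"]) if m else None
        if obj:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            hits[m["ip"]].append((ts, (obj.group(1), int(obj.group(2)))))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        seen, start, peak = Counter(), 0, 0
        for ts, key in events:
            seen[key] += 1
            # Slide the window: drop requests older than `window` before this one
            while ts - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if not seen[old]:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        if peak >= min_ids:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample: one client walking IDs 1..120, one ordinary reader."""
    base, ua, out = datetime(2016, 9, 2, 17, 0, 0), "constructed-sample-agent", []
    for i in range(1, 121):
        ts = base + timedelta(seconds=10 * i)
        out.append(f'192.0.2.10 - - "{ts}" http://journal.example/index.php/j/article/view/{i} 200 "{ua}"')
    for i, oid in enumerate([7, 7, 3318]):
        ts = base + timedelta(minutes=5 * i)
        out.append(f'198.51.100.7- - "{ts}" http://journal.example/index.php/j/article/download/{oid}/1 200 "{ua}"')
    return out

if __name__ == "__main__":
    for ip, n in find_scrapers(sample_log()).items():
        print(f"{ip}: {n} distinct objects within one window")
```

The window and distinct-object threshold found this way are a reasonable starting point for the find time and retry limit of a rate-limiting tool such as fail2ban.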