How do we delete hacker user accounts

geirrosset · November 3, 2023, 9:17am

Describe the issue or problem
A month ago we were hacked, and at that time multiple user accounts were added. We have since restored the site, and disabled all the bogus accounts. But how do we delete those users? I know about the merge users option, but these bogus accounts don’t show up under users and roles for any of the journals! The only place we can see them is in the database. We would really like to get rid of them completely.

What application are you using?
OJS 3.3.0.15

asmecher · November 3, 2023, 11:05am

Hi @geirrosset,

There’s a tools/mergeUsers.php command-line tool that you can use for batch merging. You can get e.g. a list of usernames or user IDs from the database, then specify them on the command line to get rid of the accounts. From the tool’s usage:

Use this tool to merge two or more user accounts.

Usage: tools/mergeUsers.php targetUsername mergeUsername1 [mergeUsername2] [...]
targetUsername: The target username for assets to be transferred to.
mergeUsername1: The username for the account to be merged. All assets (e.g.
                submissions) associated with this user account will be
                transferred to the user account that corresponds to
                targetUsername. The user account that corresponds
                to mergeUsername1 will be deleted.

Multiple users to merge can be specified in the same command, e.g.:

tools/mergeUsers.php myUsername spamUser1 spamUser2 spamUser3

This will merge users with username "spamUser1", "spamUser2", and
"spamUser3" into the account with username "myUsername".

Users can be specified by ID by entering usernames of the form "id=x"
with the user ID in place of "x", e.g.:

tools/mergeUsers.php myUsername id=234 id=456

Usernames and IDs may be mixed as desired.

Regards,
Alec Smecher
Public Knowledge Project Team

geirrosset · November 3, 2023, 12:38pm

Thank you for that Alec!

That works.

BUT there really should be a better “sitewide user manager” interface for site administrators! We have found after we were hacked (because 1 of our 9 journals had the register user option active) that a whole bunch of bogus users have been registered, but with no journal affiliation, and they are in effect invisible to anyone who is logged in. Only visible in the database.

A site admin should be able to view all user for all journals and sort by id, journal, name, lastname, email etc. and also have options for merging users, password resets and so on.

asmecher · November 3, 2023, 12:44pm

Hi @geirrosset,

If you go to Users & Roles and hit “Search”, you’ll see a checkbox:

Check that and hit Search, and you should see all users regardless of enrolment status in the current journal.

Regards,
Alec Smecher
Public Knowledge Project Team

geirrosset · November 3, 2023, 1:00pm

Ok. Didn’t think about that. Feels like a bit of a workaround compared to a dedicated User management page with sorting and filters, but it’ll do for most I guess…

asmecher · November 3, 2023, 1:06pm

Hi @geirrosset,

There’s definitely more we could do on this in the future. Hopefully this will get you moving for now, though.

Regards,
Alec Smecher
Public Knowledge Project Team

asmecher · November 13, 2023, 4:00pm

This topic was automatically closed after 10 days. New replies are no longer allowed.