How to prevent malware?

The following malware has been uploaded to the “ojs/public” directory as a gif file.
It looks like a user image that a user uploaded to his profile:

/home4/insanbil/.trash/jhumansciences_old/ojs/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/.trash/jhumansciences_old/ojs3213/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/.trash/jhumansciences_old/ojsBACK/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/public_html/jhumansciences/ojs/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/public_html/jhumansciences/ojs3213/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/public_html/jhumansciences/ojsBACK/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND

Our journal has been closed by the hosting staff.
I have deleted the above files and am waiting for them to open it again.

The question is, how can we prevent that kind of malware file from being uploaded again?

Thanks a lot

The Bluehost server staff are trying to sell us a firewall for 179.88 USD a year per site, even though we have the free Cloudflare service.

If your server is correctly set up, a gif image is harmless.
They can upload it with the name they like… but this doesn’t put your server in danger.

Older versions of OJS let users upload an image to their profile.
New versions include plugins to decide what can be uploaded and what cannot.

What is your OJS version?

A well configured OJS 3.3 is secure enough to run without a firewall, but this is your call.
The more you protect your server, the better.

Thank you Marc for your comment.

We are currently using OJS 3.2.1.4.
We couldn’t upgrade to 3.3 because of bugs; we are waiting for a more stable version.

But,
I have installed and turned on “Control Public Files” plugin and excluded *.gif
Now allowed file types only: “jpeg,jpg,png,doc,docx,pdf”

I would appreciate any further comments.

I don’t know if I’m understanding this properly.
Do you mind checking the date of those “vuln.gif” files?
Was the “Control public files” plugin enabled (excluding gifs) BEFORE the gif images were created?

If yes… it could be related to a security issue that was fixed last week.

Basically, you need to remove your “/var/www/html/lib/pkp/lib/vendor/moxiecode/plupload/examples” folder and double-check your installation to see if your system is secure or whether they left any malicious file during the hack.

Cheers,
m.
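Marc's advice to double-check the installation for leftover malicious files can be scripted. The following is an added example, not code from the thread or from the OJS project: it walks an OJS public/ tree, checks each file's leading bytes against its extension (using the image/PDF types from the allowlist mentioned above), and flags any file that contains PHP tags, which is what a "vuln.gif" carrying PHP code would look like. The sample tree it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Extension -> expected leading bytes (magic numbers) for the allowlisted types.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
# Markers that should never appear inside a user-uploaded image or document.
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def classify_file(path):
    """Return findings for one file: 'unknown-ext', 'magic-mismatch', 'php-code'."""
    findings = []
    ext = Path(path).suffix.lower()
    data = Path(path).read_bytes()
    if ext not in MAGIC:
        findings.append("unknown-ext")
    elif not any(data.startswith(m) for m in MAGIC[ext]):
        findings.append("magic-mismatch")
    if any(m in data for m in PHP_MARKERS):
        findings.append("php-code")
    return findings


def scan_public_dir(root):
    """Walk a public/ tree; return {relative/posix/path: findings} for suspicious files."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            findings = classify_file(full)
            if findings:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = findings
    return report


def demo():
    """Constructed sample tree: a valid PNG, a text file, and a GIF-headed file hiding PHP."""
    with tempfile.TemporaryDirectory() as root:
        img = Path(root, "site", "images", "user1")
        img.mkdir(parents=True)
        (img / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        (img / "notes.txt").write_bytes(b"plain text")
        # Valid GIF magic, so an extension or magic check alone passes; the PHP tag gives it away.
        (img / "vuln.gif").write_bytes(b"GIF89a<?php echo 'hacked'; ?>")
        return scan_public_dir(root)
```

Note that the polyglot "vuln.gif" passes the magic-byte check; only the content scan catches it, which is why an allowlist by extension is not sufficient on its own.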

Thanks Marc for your consideration.
I just today installed the “Control public files” plugin.

And the server staff scanned our site today; no malicious file was found.
I had manually removed the above malicious files, which they had sent to me in their scanning output report.

Cheers


This is the scanning report that shows the malware found.
I post it because I thought it may be informative about what kind of scanning process was used.

Maybe the OJS staff want to create a malware scanner plugin.


/home4/insanbil/.trash/jhumansciences_old/ojs/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/.trash/jhumansciences_old/ojs3213/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/.trash/jhumansciences_old/ojsBACK/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/public_html/jhumansciences/ojs/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/public_html/jhumansciences/ojs3213/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND
/home4/insanbil/public_html/jhumansciences/ojsBACK/public/site/images/olufwarrior/vuln.gif: SL-PHP-HACKEDBY-md5-alwk.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 2120530
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 83766
Scanned files: 256383
Infected files: 6
Data scanned: 5591.64 MB
Data read: 152360.90 MB (ratio 0.04:1)
Time: 3661.970 sec (61 m 1 s)

box2445: Mon Apr 12 11:32:07 MDT 2021: Scanning ‘/dev/shm’.

----------- SCAN SUMMARY -----------
Known viruses: 2120530
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.417 sec (0 m 6 s)

box2445: Mon Apr 12 11:32:14 MDT 2021: Scanning ‘/tmp’.

----------- SCAN SUMMARY -----------
Known viruses: 2120530
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 5.247 sec (0 m 5 s)

Hi @birkok,

Chances are this is not actually malware; see https://pkp.sfu.ca/2017/04/12/regarding-recent-ojs-defacement-attacks/ for information about reports like this.

To disable user image uploads, set public_user_dir_size to 0 in config.inc.php.

Regards,
Alec Smecher
Public Knowledge Project Team


Hi all! We are soliciting feedback and proposals for hacking claims via image uploads on this Github discussion. Feedback would be welcome.

Regards,
Alec Smecher
Public Knowledge Project Team