How to properly delete malicious, hidden submissions

Hello, we have discovered that in our OJS2 (2.4.7.0) journal, a vulnerability that allowed users to upload malicious .phtml exploits had been used – however, the website is intact, therefore we believe these scripts have not been executed. Measures have been taken to avoid any further uploads of script files.

These submissions, naturally, have their (phtml) files and a standard subdirectory structure within the files_dir directory. However, within the OJS interface, these submissions cannot be found as an Editor (even an ID search returns nothing). Upon inspection of the database, these submissions are lacking actual metadata, such as titles.

Is there a solution through use of OJS? How would one go about deleting these submissions manually without compromising the integrity of the database, if necessary? Would there be problems arising from simply deleting the files, or emptying/scrambling their contents (looking forward to an OJS3 upgrade, for example)?

Thanks in advance.

Hi @CDTux,

Make sure that your files_dir is not within your public HTML directory, or failing that, that you’ve protected your files_dir from direct access by using a .htaccess file or similar mechanism. There’s probably an automated script attempting to upload these files and invoke them remotely. If you have protected your files_dir from direct access, you will not be at risk.

To delete these submissions, you can use the tools/deleteSubmissions.php command-line script.

Regards,
Alec Smecher
Public Knowledge Project Team
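
The two checks discussed in this thread (is files_dir reachable under the web root, and which submissions hold script-type uploads), as an added example that is not part of the original posts or PKP's code. The function names, the extension list and the `journals/<journalId>/articles/<articleId>/` layout are assumptions; the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Extensions often mapped to the PHP handler (assumed list; match it to your server config).
SCRIPT_EXTS = {".php", ".phtml", ".pht", ".phar", ".php3", ".php4", ".php5", ".php7"}
# Assumed OJS 2 layout: <files_dir>/journals/<journalId>/articles/<articleId>/...
ARTICLE_RE = re.compile(r"journals/(\d+)/articles/(\d+)/")

def files_dir_is_web_exposed(files_dir, docroot):
    """True if files_dir resolves (symlinks included) to a path inside docroot."""
    f, d = Path(files_dir).resolve(), Path(docroot).resolve()
    return f == d or d in f.parents

def find_script_uploads(files_dir):
    """Return [(journal_id, article_id, relative_path)] for script-type files."""
    root = Path(files_dir)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        # Inspect every suffix so double extensions (x.phtml.jpg) are caught too.
        if not {s.lower() for s in p.suffixes} & SCRIPT_EXTS:
            continue
        rel = p.relative_to(root).as_posix()
        m = ARTICLE_RE.match(rel)
        ids = (int(m.group(1)), int(m.group(2))) if m else (None, None)
        hits.append((ids[0], ids[1], rel))
    return sorted(hits, key=lambda h: h[2])

def demo():
    """Run both checks on a constructed tree (sample data, not from a real install)."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp, "public_html")
        files_dir = docroot / "ojs_files"  # deliberately misplaced under the web root
        for rel in ("journals/1/articles/42/submission/original/42-101-1-SM.phtml",
                    "journals/1/articles/43/submission/original/43-102-1-SM.PHP.jpg",
                    "journals/1/articles/7/submission/original/7-9-1-SM.pdf"):
            (files_dir / rel).parent.mkdir(parents=True, exist_ok=True)
            (files_dir / rel).write_bytes(b"constructed sample")
        hits = find_script_uploads(files_dir)
        ids = sorted({a for _, a, _ in hits if a is not None})
        return files_dir_is_web_exposed(files_dir, docroot), ids, hits

if __name__ == "__main__":
    exposed, ids, hits = demo()
    print("files_dir under web root:", exposed)
    print("article IDs to review before running tools/deleteSubmissions.php:", ids)
```

On a real install, pass the `files_dir` value from config.inc.php and the web server's document root instead of the constructed paths.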