Malware attack and DB Error

Hi,

I got a notification from GoDaddy that the site has some malware files.
I have deleted the files, but how can I make the site secure so that it doesn’t happen again?

I have removed the files mentioned above as they are not part of the PKP package. But it stopped working and showed me the “DB Error: Duplicate entry ‘xxxxxx’ for key ‘sessions_pkey’”. Can you please tell me what’s the issue and how to fix it? My site is http://www.ijsas.com/index.php/ijsas/

Thank you.

Is your files folder inside web-root?

Yes. It is in public_html folder.

Hi @anjansid,

That’s an unsafe way to deploy OJS and probably explains how the attacker got in. The installation form, README documents, etc. all note that the files directory needs to be kept outside the web root, or protected from direct access using a .htaccess file or similar.

Cleaning up after a malware attack is somewhat beyond the scope of this forum, but essentially you should consider any content on that site untrustworthy. You can use tools like diff to identify changed files. It’s unlikely (but not impossible) that your files directory or database have been modified, but your OJS code has almost certainly been modified to include malware. The GoDaddy report probably detected some but not all of it.

I would suggest clearing out the old code and directories, reviewing everything on the host to make sure it’s clean, and installing a fresh copy of OJS from a new download from the PKP website. And make sure you follow the practices described in docs/README under “Recommended Configuration”.

Regards,
Alec Smecher
Public Knowledge Project Team

Sorry I didn’t get this. I didn’t find any documentation where it was mentioned at the time of installation. Can you please explain it or send me some documentation on it?

Hi @asmecher,

I deleted all the files except the files, public folder and config files. Then I uploaded the latest version of the files and it started working again.

But can you please tell me if there is any way to tighten the security of the site?

Regards

Hi @anjansid,

Glad to hear it’s working again. I’d also suggest reviewing the contents of the public folder carefully to make sure there aren’t any malicious files there.

To keep your OJS secure, make sure you follow the “Recommended Configuration” section of the README document, e.g. concerning the files_dir location. (This was also noted on the installation form – see the screenshot below.)

image

Regards,
Alec Smecher
Public Knowledge Project Team
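
The two checks recommended in this thread, as an added example that is not part of the original posts or PKP's own code: it lists files in a deployed tree that differ from, or are absent from, a fresh OJS download, and reports whether `files_dir` from `config.inc.php` resolves inside the web root. The skip list, the resolution of a relative `files_dir` against the config file's directory, and the sample tree built by `demo()` are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Top-level paths expected to differ from a fresh download (assumed: site data and local config).
SKIP = {"files", "public", "cache", "config.inc.php"}

def compare_trees(deployed, reference):
    """Return (modified, extra): files that differ from the fresh copy, and files absent from it."""
    deployed, reference = Path(deployed), Path(reference)
    modified, extra = [], []
    for path in sorted(deployed.rglob("*")):
        rel = path.relative_to(deployed)
        if not path.is_file() or rel.parts[0] in SKIP:
            continue
        ref = reference / rel
        if not ref.is_file():
            extra.append(rel.as_posix())      # not shipped in the package: review these first
        elif path.read_bytes() != ref.read_bytes():
            modified.append(rel.as_posix())   # shipped file whose content has changed
    return modified, extra

def files_dir_in_web_root(config_path, web_root):
    """True if files_dir resolves inside web_root (location only; .htaccess rules are not checked)."""
    text = Path(config_path).read_text(errors="replace")
    match = re.search(r"^[ \t]*files_dir[ \t]*=[ \t]*(.+)$", text, re.M)
    if not match:
        raise ValueError("no files_dir setting found")
    # Assumption: a relative files_dir is resolved against the directory holding config.inc.php.
    value = match.group(1).strip().strip("\"'")
    target = (Path(config_path).parent / value).resolve()
    root = Path(web_root).resolve()
    return target == root or root in target.parents

def demo():
    """Constructed sample: a deployed tree with one altered file and one file not in the package."""
    tmp = Path(tempfile.mkdtemp())
    site, fresh = tmp / "public_html", tmp / "fresh"
    for base in (site, fresh):
        (base / "lib").mkdir(parents=True)
        (base / "index.php").write_text("<?php // stock index\n")
        (base / "lib" / "core.php").write_text("<?php // stock core\n")
    (site / "index.php").write_text("<?php // stock index\n// appended line\n")
    (site / "lib" / "extra.php").write_text("<?php // not in the package\n")
    (site / "config.inc.php").write_text("[files]\nfiles_dir = files\npublic_files_dir = public\n")
    return compare_trees(site, fresh), files_dir_in_web_root(site / "config.inc.php", site)

if __name__ == "__main__":
    print(demo())
```

The public folder is skipped by the comparison because its contents are site-specific, so it still needs the manual review suggested above.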