OCS Hack of AMTP site

Our OCS system was hacked last week. We are using the captcha feature on the login page. The user created an account and replaced all our OCS folders with a Netflix set. I have deleted the user from our database. I do not know if it was a bot or a real person.

Is there a more secure screen for OCS account signups to prevent this in the future?

Thanks

Hi @RickMath,

Is your files_dir somewhere inside your web root? If so, it’s possible that the user uploaded a malicious file (typically a .phtml PHP script) and then caused it to be executed on the server by invoking it directly through the web server rather than through OCS. It’s important to either keep your files_dir outside your web root, or to protect it from direct access via a mechanism like an .htaccess file, in order to prevent this vector from being available.

Regards,
Alec Smecher
Public Knowledge Project Team

Thanks Alec

Yes that was a phtml file that was uploaded. We have deleted all the database records associated with the user ID. We will attempt to follow your suggestions for the files_dir.

Is there anything that needs to be changed for the path that leads to that dir so we retain access to it?

The recaptcha seems to have become the new standard. Can this be implemented in OCS and OJS?

Thanks as always for your help.

Rick

ReCAPTCHA is unlikely to prevent this kind of attack; this is strictly dependent on configuring OCS’s files_dir so that uploaded files are not executable.

That said, OJS 2.x and OCS via git do support ReCAPTCHA v1; OJS 3.x supports ReCAPTCHA v2.

I have attached a picture of the OCS directory. Is the circled folder the one that needs to be made executable? I can change the permissions on the folders to remove the execute permission for users, groups and world. When I removed the execute permissions in folder 8 (the latest conference) I cannot see the files in the folder.

Hi @RickMath,

Are you trying to use file permissions to prevent direct access to the contents of the files_dir? That probably won’t work. I’d suggest either moving the files_dir out of the web root, or using a mechanism like .htaccess to prevent direct access.

Regards,
Alec Smecher
Public Knowledge Project Team

Alec

Thanks for your help. I need to tell my server manager what to do.

The files folder is in the following path on our server.

/home/marketrm/public_html/ocs/files

The lines in the config.inc.php are:

; Complete path to directory to store uploaded files
; (This directory should not be directly web-accessible)
files_dir = files

Should we move the files folder out of the public_html folder and then specify a path in the config.inc.php file?

Thanks as always!

Rick

> Should we move the files folder out of the public_html folder and then specify a path in the config.inc.php file?

Yes, that’s the best solution.

Regards,
Alec Smecher
Public Knowledge Project Team
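
A defender-side check for the condition discussed in this thread, as an added example that is not part of the original posts or PKP's own code: it reads files_dir from config.inc.php text, reports whether it resolves inside the web root, and lists uploaded files carrying extensions a PHP handler may execute. The extension list and the rule that a relative files_dir resolves against the OCS install directory are assumptions.

```python
import os
import re

# Extensions that PHP handlers commonly execute (assumed list; match it to
# the server's own handler configuration).
RISKY_EXT = {".php", ".phtml", ".pht", ".phar", ".php3", ".php4", ".php5", ".php7"}

# The config.inc.php lines quoted in the thread.
SAMPLE_CONFIG = """; Complete path to directory to store uploaded files
; (This directory should not be directly web-accessible)
files_dir = files
"""

def read_files_dir(config_text):
    """Return the files_dir value, skipping ';' comment lines."""
    for line in config_text.splitlines():
        m = re.match(r'\s*files_dir\s*=\s*"?([^"]+?)"?\s*$', line)
        if m:
            return m.group(1)
    raise ValueError("no files_dir setting found")

def resolve(files_dir, install_dir):
    """Assumption: a relative files_dir is relative to the OCS install directory."""
    return os.path.realpath(os.path.join(install_dir, files_dir))

def inside_web_root(path, web_root):
    root = os.path.realpath(web_root)
    return os.path.commonpath([os.path.realpath(path), root]) == root

def risky_uploads(path):
    """List files with a risky extension in any position (e.g. x.phtml.pdf)."""
    hits = []
    for dirpath, _dirs, names in os.walk(path):
        for name in names:
            if {"." + p.lower() for p in name.split(".")[1:]} & RISKY_EXT:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def audit(config_text, install_dir, web_root):
    path = resolve(read_files_dir(config_text), install_dir)
    return {"files_dir": path,
            "web_accessible": inside_web_root(path, web_root),
            "risky_files": risky_uploads(path)}

if __name__ == "__main__":
    # Paths as given in the thread; the scan is empty if they do not exist here.
    print(audit(SAMPLE_CONFIG, "/home/marketrm/public_html/ocs", "/home/marketrm/public_html"))
```

After the directory is moved and files_dir points at the new absolute path, `web_accessible` should read False; any entries in `risky_files` are worth reviewing before the old directory is discarded.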