OJS 2.4.8-1 question [update: site hacked via other CMS]

Hi,

Our OJS 2.4.8-1 site just got hacked.

The effect of the hack was to delete all files/folders from the OJS installation and replace them with a couple of PHP files.

I know that we were a couple of versions behind on the 2.4.8 release, but I’m just wondering if there was a security fix applied in 2.4.8-3, or is there potentially still an open security bug in the 2.4.8 release?

I looked through the 2.4.8-1 to 2.4.8-3 patch file and the changes to the release notes, but couldn’t see anything obvious in the notes.

Obviously we will upgrade, but am just a little nervous of going to 2.4.8-3 if there is still an open issue. We are evaluating upgrading to 3.1, but haven’t fully committed to it yet due to the large changes.

Any help or hints would be greatly appreciated.

Thanks,
Paddy

The most common cause is that the files directory is a subdirectory of your installation, meaning that you can access the directory from an address like http://yourserverhere.com/files/.

If this is the case, then you should just move the files directory outside the webroot. See https://github.com/pkp/ojs/blob/master/docs/README#L58
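The check described in the reply above, written out as a small POSIX shell script. This is an added example, not code from the thread or from OJS itself. It assumes the layout OJS 2.x uses: a `files_dir = ...` line in `config.inc.php`, with a relative value resolved against the OJS install directory (the default `files_dir = files` is exactly the risky case). All paths in the demonstration are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not OJS's own code): check whether the files_dir configured in
# config.inc.php resolves to a path at or below the web server's document root.
# Assumption: OJS resolves a relative files_dir against the OJS install directory.

# Print the files_dir value from a config.inc.php (first match, quotes and
# trailing whitespace removed). Prints nothing if the setting is absent.
ojs_files_dir() {
  sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#;]*\)"\{0,1\}.*$/\1/p' "$1" \
    | head -n 1 | sed 's/[[:space:]]*$//'
}

# Resolve files_dir to a canonical absolute path. Relative values are taken
# relative to the OJS install dir. Fails if the setting is unset or the
# directory does not exist.
resolve_files_dir() {
  config="$1"; ojs_root="$2"
  dir=$(ojs_files_dir "$config")
  [ -n "$dir" ] || return 1
  case "$dir" in
    /*) target="$dir" ;;
    *)  target="$ojs_root/$dir" ;;
  esac
  (cd "$target" 2>/dev/null && pwd -P)
}

# Return 0 if files_dir is inside the document root (the risky layout),
# 1 if it is outside, 2 if it cannot be resolved.
files_dir_under_docroot() {
  config="$1"; ojs_root="$2"; docroot="$3"
  files=$(resolve_files_dir "$config" "$ojs_root") || return 2
  root=$(cd "$docroot" && pwd -P)
  case "$files" in
    "$root"|"$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print a verdict for one config file; returns the check's status.
report_files_dir() {
  files_dir_under_docroot "$1" "$2" "$3" && rc=0 || rc=$?
  case "$rc" in
    0) echo "$1: files_dir is under the document root; move it outside and set an absolute files_dir" ;;
    1) echo "$1: files_dir is outside the document root" ;;
    *) echo "$1: files_dir is unset or the directory does not exist" ;;
  esac
  return "$rc"
}

# Demonstration on a constructed layout (temporary directory, made up for the example).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/www/ojs/files" "$demo_root/ojs_files"
# Risky: the OJS 2.x default, a "files" subdirectory of the install under the docroot.
printf '[files]\nfiles_dir = files\n' > "$demo_root/www/ojs/config.inc.php"
# Safer: an absolute path outside the document root.
printf '[files]\nfiles_dir = %s\n' "$demo_root/ojs_files" > "$demo_root/safe.inc.php"

for cfg in "$demo_root/www/ojs/config.inc.php" "$demo_root/safe.inc.php"; do
  report_files_dir "$cfg" "$demo_root/www/ojs" "$demo_root/www" || :
done
rm -rf "$demo_root"
```

Run it on a real server as `files_dir_under_docroot /path/to/ojs/config.inc.php /path/to/ojs /var/www/html` (substituting your own paths); an exit status of 0 means uploaded files are reachable over HTTP and the directory should be moved outside the web root as the README describes.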

Hi Ajnyga,

Thanks for your reply.

No, that’s not the issue here. The ‘files’ directory is outside of the installation.

Someone was able to upload a php web shell into the ojs web root and then delete all of the files.

Paddy

Do you have something else installed on that same server? In a different folder, I mean. All the upload scripts I know point to the files directory or the public directory. With the latter you can only upload things like images (in TinyMCE).

Of course, if the files directory were accessible you could upload a PHP script and use that to upload other scripts as well, also to the OJS root. But since that was not the case here, I am thinking maybe the original script was uploaded using another site/system on the same server? This happened to me once on a university shared server where a hacker had gained access through a vulnerability in an old CMS and was able to hack our site as well on the same server.

Tagging @asmecher here so he does not miss this

Hi Ajnyga,

Thanks again for the reply.

Yes, I think you’re right. After some more digging, it looks like OJS was not the source of the hack. Another old CMS was compromised first, and it was on this shared server (bad idea!).

Sorry for the false alarm. Thanks again,
Paddy


Glad to hear you got it sorted out.