[OJS 2.4.8] Suspected hacking incident

Recently we experienced a malicious attack on our OJS 2.4.8 installation.

We have found two types of attacks. In the first, they registered as an author and uploaded “hacked by” images to the “Comments to the Author” section of the submission page. Then they took the link (…public/site/images/username/xxx.jpg) and spread it as if the site had been hacked. Is this folder (public/site/images/username) accessible to the public? Can we restrict it by changing the permissions or by some other alternative?

The second type was that they uploaded a .phtml file, but I could not find any alteration on our site. From the (Security issue: Hacking via submission in OJS 2.4.8) thread I understand that the problem is with the files directory being inside the OJS directory. Can we secure it by moving it outside the OJS folder?


Hi @sonbabyjohn,

they registered as an author and uploaded “hacked by” images to the “Comments to the Author” section of the submission page. Then they took the link (…public/site/images/username/xxx.jpg) and spread it as if the site had been hacked.

This is not a hack, but instead misuse of an intentional feature to cause confusion. The system is not at risk, nor has it been hacked by this means.

If you want to disable image uploads for users entirely, you can remove the “jbimages” tool that we use to do this. See this thread
for details.

Second type was that they uploaded .phtml file, but I could not find any alteration on our site.

For uploading .phtml files, you should indeed have your files_dir outside the web root or you risk having your server compromised. This is clearly noted in the documentation and on the installation form. If you have had your files_dir in a web-accessible location, I would suggest reviewing your account’s contents thoroughly to ensure that nothing unexpected is there.

Regards,
Alec Smecher
Public Knowledge Project Team
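An added example (not PKP's own code) that turns the two checks above into a small POSIX shell audit: it reads files_dir from an OJS 2.x config.inc.php, flags the risky layout where it sits inside the OJS web tree, and lists server-side script files dropped into upload directories. It assumes the standard config.inc.php format (a files_dir key under [files]) and constructs a sample OJS tree for demonstration.

```shell
#!/bin/sh
# Audit helper for an OJS 2.x install (added example, not PKP code).

# Constructed sample tree: an OJS install with files_dir inside the web tree
# and a script file hidden among user image uploads.
setup_sample() {
  root="$1"
  mkdir -p "$root/ojs/public/site/images/alice" "$root/ojs/files/journals/1"
  printf '[files]\nfiles_dir = %s/ojs/files\n' "$root" > "$root/ojs/config.inc.php"
  : > "$root/ojs/public/site/images/alice/hacked_by.jpg"
  : > "$root/ojs/public/site/images/alice/shell.phtml"   # masquerading as an image upload
  : > "$root/ojs/files/journals/1/submission.pdf"
}

# Print the configured files_dir, resolving relative values (the shipped
# default "files_dir = files") against the OJS base directory.
ojs_files_dir() {
  fd=$(sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1/config.inc.php" \
       | head -n 1 | tr -d "\"' ")
  case "$fd" in
    /*) printf '%s\n' "$fd" ;;
    *)  printf '%s/%s\n' "$1" "$fd" ;;
  esac
}

# Return 0 if files_dir lies inside the OJS web tree (the risky layout), 1 otherwise.
files_dir_inside_webroot() {
  ojs="$1"
  fd=$(ojs_files_dir "$ojs")
  case "$fd" in
    "$ojs"|"$ojs"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# List files with server-side script extensions in the given directories;
# a web server may execute these if the directory is web-accessible.
find_script_uploads() {
  find "$@" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[3-7]' \)
}

# Usage: sh audit_ojs.sh /path/to/ojs
if [ -n "${1:-}" ]; then
  if files_dir_inside_webroot "$1"; then
    echo "WARNING: files_dir is inside the OJS web tree: $(ojs_files_dir "$1")"
  fi
  find_script_uploads "$1/public/site/images" "$(ojs_files_dir "$1")"
fi
```

A clean listing from find_script_uploads does not prove the web server cannot execute uploads; moving files_dir outside the web root, as the reply says, removes that risk regardless.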


Hi @asmecher,

Thank you for the quick response.

I will remove the “jbimages” tool to avoid confusion and will check the files thoroughly.

Thank you,
Johnson

What is the correct way to delete those files from the server?
Users upload more than one picture in the profile biography text area, and deleting from there does not delete the image from the server. Is there any database reference to those files that I must take care of?

sds, Nicolás.

Hi @ojsfder,

There is no database reference. You can review the files in public/site/images/ and remove the ones you consider inappropriate.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi all! We are soliciting feedback and proposals for hacking claims via image uploads on this GitHub discussion. Feedback would be welcome.

Regards,
Alec Smecher
Public Knowledge Project Team