Describe the issue or problem
My OJS system was initially compromised through a file uploaded via the submission feature, which contained malicious PHP or HTML script. This exploit led to a critical breach where the attacker was able to change the admin password and also upload unauthorized files or directories into the server. The attacker essentially used the file submission mechanism as an entry point to gain deeper access into the system.
As an immediate mitigation step, we installed the AllowedUploadsPlugin, which restricts the types of files that can be uploaded through submissions. This plugin helped block further upload attempts involving executable scripts, and it appeared to stabilize the situation temporarily. Since then, no new malicious uploads have been detected through the submission path.
However, the issue escalated when the attacker shifted their focus and began exploiting a plugin called ControlPublicFilesPlugin. This plugin had been compromised and contained a backdoor, allowing the attacker to upload additional malicious files and potentially gain remote control of the server. After identifying this, we deleted the plugin and reinstalled a clean version from the official PKP repository. Unfortunately, the attacker was able to overwrite the plugin again, which indicated that they still had access, most likely through a hidden or unauthorized admin account.
Following recommendations from the PKP forum, we investigated and discovered that an unauthorized second admin account had been created, presumably by the attacker. Although we removed the admin role from that account, we did not delete the account entirely, which may still present a risk if additional privileges were retained or exploited.
Since removing the admin role from that account, we have noticed a reduction in attack activity across several OJS installations. However, some attacks, particularly those attempting to re-upload or modify the ControlPublicFilesPlugin, have continued sporadically, which implies that some level of persistent access may still exist. Moreover, whenever the plugin was injected into the system, the main admin password would again be altered, indicating that the plugin still contained malicious code.
To fully resolve the issue, we are looking into a more permanent and layered security strategy, including the removal of inactive or suspicious accounts, plugin audits, and tighter restrictions on plugin uploads.
What application are you using?
OJS 3.3.0-20/21
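As an added defensive check (example code, not part of the original post and not OJS's own code), the script below walks a stored-files directory such as the one OJS configures as files_dir in config.inc.php and flags uploads that contain a PHP open tag or a `<script>` tag, or that carry an executable extension, which is the kind of content the first compromise came through. OJS renames stored submission files, so the content is inspected regardless of the file name; the directory layout and sample files are constructed for the demonstration.

```python
import os
import re
import tempfile

# Signatures of server- or client-side script inside supposedly inert uploads.
# The extension alone is not enough, so the content is checked as well.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
EXECUTABLE_EXT = {".php", ".phtml", ".php3", ".php5", ".phar", ".cgi", ".sh"}

def inspect_file(path: str, max_bytes: int = 5_000_000) -> list[str]:
    """Return the reasons a single stored file looks like script, if any."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension {ext}")
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)  # cap so a huge PDF does not exhaust memory
    if PHP_TAG.search(data):
        reasons.append("PHP open tag in content")
    if SCRIPT_TAG.search(data):
        reasons.append("<script> tag in content")
    return reasons

def scan_uploads(root: str) -> list[tuple[str, str]]:
    """Walk a files directory and return (relative path, reason) for script-like files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend((rel, reason) for reason in inspect_file(full))
    return findings

def build_sample_tree() -> str:
    """Constructed stand-in for a files_dir: one clean upload and three bad ones."""
    root = tempfile.mkdtemp(prefix="ojs_files_")
    samples = {
        "journals/1/articles/10/submission/1/1-manuscript.pdf": b"%PDF-1.4 constructed clean sample",
        "journals/1/articles/11/submission/2/2-manuscript.pdf": b"<?php echo 'constructed sample'; ?>",
        "journals/1/articles/12/submission/3/3-figure.html": b"<html><script>/* constructed */</script></html>",
        "journals/1/articles/13/submission/4/4-notes.phtml": b"plain text, but the extension is executable",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root
```

Run it against a copy of the real files directory and review every hit by hand; a PDF that legitimately embeds a `<script` string is possible, so the output is a triage list, not a verdict.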
