[OJS-3.4.0-6] phishing login attempt

OJS-3.4.0.5

I have checked and found many phishing login attempts, as you can see in the attached screenshot. Please suggest how to handle this. This has been happening for a long time.


Hi @shantanusingh,

OJS does not have any rate limiting built in – if you’d like to throttle this kind of request, I would suggest looking at server-side tools like fail2ban.

Regards,
Alec Smecher
Public Knowledge Project Team

@asmecher thanks for the reply.

I suspect there is a script file uploaded to the server that is running a script like the one above.

It is possible that a script may have been inserted in the article submission.

Even today I saw that the same query was running and getting executed every few seconds which was unnecessarily increasing the load.

It is not possible to view approximately 60 journals' articles manually.

Can you guide me in identifying the file to remove from the server?

Hi @shantanusingh,

I don’t see any sign from what you’ve posted of a malicious script running server-side; it looks much more to me like someone is running login attempts via the login form with an external database of usernames. I would suggest looking at your web server access log for signs of someone repeatedly hitting the login endpoint.

If a script were running server-side, it would be able to simply get the contents of the users table; it wouldn’t waste its time looking for users one by one by username or email.

Regards,
Alec Smecher
Public Knowledge Project Team
