OJS 3 HACKED Someone had pasted the script in the OJS index

Hi Everyone,

1 month ago my OJS was hacked.

Someone had pasted the script in the OJS index file, but I fixed it. A week later I was hacked again with a bigger problem: someone had deleted all of my OJS files. Luckily I was able to save some files on the server.

After that, these are the steps I took leading up to the issue:

  1. I moved file_dir outside the webroot.
  2. I have configured the base_dir on your PHP-FPM configuration for other vhosts on your server so it won’t affect other vhosts when one of the vhosts gets hacked.
  3. I have disabled the PHP functions in php.ini: “exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source”.
  4. I added a protection layer to my domain.

But today my index file was hacked again, although I can fix it. What should I do to make my OJS files secure? I'm using OJS 3.2.1.1.
If I update to the latest OJS, will it be safe? Will using the latest version of OJS affect the plugins I already use on OJS 3.2.1.1?

Your answers mean a lot to me

Best Regards
im_destra

Hi @im_destra

Aside from upgrading to the latest version of OJS (which is 3.3.0.13) to ensure that you have all bug fixes and security issues resolved, I strongly suggest conducting an audit of your server environment to ensure that no back door code has been left on your server from before. It’s possible that there exists a PHP file within your webroot that is allowing a remote exploit to run. Upgrading OJS will not prevent future exploits if such a file exists.

Further, it’s also possible that an exploit exists in another application running on your server. Do you have any other web applications, like an old version of WordPress, for example?

Best
Jason


Hi @jnugent

True, on the server I have several applications. I’ve tried installing third-party applications to guard against malicious files entering the server. But this doesn’t work well for securing OJS. Can you suggest any ideas?

Regards
Destra

Hi @im_destra

As far as I know, there are no security holes that allow remote access the way you describe in an up-to-date version of OJS that is correctly installed with a files_dir outside of the web root and correct file permissions. We host hundreds of OJS installations at PKP Publishing Services and have never had an exploit like this. If you are still being compromised, I suspect there is already something on the server that a malicious user is using.

Best
Jason
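
An added example, not code from the thread or from PKP: one way to run the webroot audit suggested in the replies above, checking that `files_dir` from `config.inc.php` resolves outside the web root and listing PHP files changed after a known-good time, PHP files under the upload directory, and world-writable files. The function names, the baseline timestamp and the rule that `public/` should hold no PHP are assumptions of this sketch, and the sample tree is constructed.

```python
import os, re, stat, tempfile, time
from pathlib import Path

def read_files_dir(config_text):
    """Return the files_dir value from OJS config.inc.php text, or None."""
    m = re.search(r'^\s*files_dir\s*=\s*"?([^"\r\n]+?)"?\s*$', config_text, re.M)
    return m.group(1) if m else None

def audit(webroot, baseline_ts):
    """Return sorted (issue, path) findings for an OJS web root."""
    webroot = Path(webroot).resolve()
    findings = []
    files_dir = read_files_dir((webroot / "config.inc.php").read_text())
    if files_dir:
        target = (webroot / files_dir).resolve()  # relative values land under the web root
        if target == webroot or webroot in target.parents:
            findings.append(("files_dir-inside-webroot", files_dir))
    for path in webroot.rglob("*"):
        if not path.is_file():
            continue
        rel, st = path.relative_to(webroot).as_posix(), path.stat()
        is_php = path.suffix.lower() in {".php", ".phtml", ".phar"}
        if is_php and st.st_mtime > baseline_ts:
            findings.append(("php-newer-than-baseline", rel))
        if is_php and rel.startswith("public/"):  # assumption: uploads hold no PHP
            findings.append(("php-in-upload-dir", rel))
        if st.st_mode & stat.S_IWOTH:
            findings.append(("world-writable", rel))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (not data from the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ojs"
        (root / "public" / "journals").mkdir(parents=True)
        baseline = time.time() - 3600  # pretend the last known-good deploy was an hour ago
        for name, body in [("index.php", "<?php // entry point"),
                           ("config.inc.php", "[files]\nfiles_dir = files\n")]:
            (root / name).write_text(body)
            (root / name).chmod(0o644)
            os.utime(root / name, (baseline - 86400, baseline - 86400))
        planted = root / "public" / "journals" / "logo.php"
        planted.write_text("<?php // constructed placeholder")
        planted.chmod(0o666)
        return audit(root, baseline)

if __name__ == "__main__":
    for issue, rel in demo():
        print(f"{issue:26} {rel}")
```

A finding is a lead to review by hand, not proof of compromise; comparing flagged files against a clean copy of the same OJS release narrows the list.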
