Hi,
We received a message from the IT department.
It was stated that attempts were made to upload files to our website continuously.
Our OJS version is OJS 3.3.0.16
How can we solve this problem?
Best wishes
Ergah
Hi @eurjchem,
This is possibly an automated search for security flaws in older versions of OJS. The operation that the request is attempting to access is password-protected and should only be accessible to administrator accounts; unless someone has gotten access to an admin account, you’re safe.
I do recommend updating to the latest OJS 3.3.0-x release, though, and suggest reviewing your list of administrators to ensure that there are no surprises. See this thread for some concrete suggestions.
Regards,
Alec Smecher
Public Knowledge Project Team
Dear Alec Smecher,
Thanks for the fast reply. We checked our system and we have only one admin account, and we checked the system according to Preventing Vulnerabilities in the OJS 3.3.0-20 - #3 by asmecher
In addition, we found another problem. We are using recaptcha_version = 2 for user security. However, we have detected that some fake accounts have been created. We could not understand how they can become members of the system by passing recaptcha_version = 2. Our system sends a validation email to this new fake user, and since the email does not reach the recipient, the email system notifies us by email. I am giving some user details below. In config.inc.php, “Maximum number of days before an unvalidated account expires and is deleted validation_timeout = 14” is selected, but these accounts are not deleted after 14 days. How can we solve this problem?
Thanks
Subject: Validate Your Account
From: QQQQQ editor@QQQQQ.com
Date: 2/14/2025, 8:34 AM
To: montetoombs5 Monte monte_toombs@orange.fr
montetoombs5 Monte
You have created an account with QQQQQQ, but before you can start using it, you need to validate your email account. To do this, simply follow the link below:
Subject: Validate Your Account
From: QQQQQ editor@QQQQQ.com
Date: 2/14/2025, 5:43 AM
To: janibeier74579 Jani jani_beier@gmail.com
janibeier74579 Jani
You have created an account with …
Subject: Validate Your Account
From: QQQQQ editor@QQQQQ.com
Date: 2/14/2025, 6:48 AM
To: taniacreason865 Tania taniacreason@yahoo.com
taniacreason865 Tania
You have created an account with…
Hi @eurjchem,
Next time I’d suggest creating a new topic to help keep the forum organized – the ReCAPTCHA question is not related to the original post. But ReCAPTCHA is not perfect; there are many human spammers, and it’s always fighting against new AI capabilities.
The validation_timeout only tells OJS how long a user has to validate an account before it is enabled. If they don’t validate it within that time, then the account will remain (e.g. in the users table), but it won’t be usable by anyone – it will be disabled.
Regards,
Alec Smecher
Public Knowledge Project Team
Dear Alec Smecher,
Thanks for your message, and I would like to express my apologies for the new topic. I have a small question, can we delete unvalidated accounts from Mysql database with phpmyadmin? If we can delete them, how should we filter them? I would be very happy if you could inform us about this.
Thanks
Hi @eurjchem,
Rather than deleting accounts directly in MySQL, which will leave dependent entities lying around, I would suggest using the tools/mergeUsers.php script. Search for that script name on this forum for more information on that and how to use it.
Regards,
Alec Smecher
Public Knowledge Project Team
This topic was automatically closed after 12 days. New replies are no longer allowed.
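A read-only way to list the unvalidated accounts discussed in this thread for review before handing them to tools/mergeUsers.php, as an added example that is not from the thread or from PKP. It assumes the OJS 3.3 users table has the columns user_id, username, email, date_registered, date_validated and disabled, and uses the 14-day validation_timeout quoted above; the username pattern and the burst threshold of 5 are heuristics constructed from the three sample usernames.

```sql
-- Added example (not PKP code). Read-only: nothing is modified or deleted.
-- Assumed columns on the OJS 3.3 `users` table: user_id, username, email,
-- date_registered, date_validated, disabled. Verify against your schema first.

-- 1) Accounts that were never validated and are past the 14-day
--    validation_timeout. These stay in `users` but remain disabled.
--    looks_generated = 1 flags "letters followed by digits" usernames such as
--    the samples in this thread (heuristic only; real users can match too).
SELECT user_id,
       username,
       email,
       date_registered,
       username REGEXP '^[a-z]+[0-9]+$' AS looks_generated
FROM users
WHERE date_validated IS NULL
  AND disabled = 1
  AND date_registered < DATE_SUB(NOW(), INTERVAL 14 DAY)
ORDER BY date_registered;

-- 2) Days with a burst of unvalidated sign-ups, to line up with the
--    bounce notifications and with web server logs for the same dates.
--    The threshold of 5 per day is an arbitrary starting point.
SELECT DATE(date_registered) AS signup_day,
       COUNT(*)              AS unvalidated_signups
FROM users
WHERE date_validated IS NULL
  AND disabled = 1
GROUP BY DATE(date_registered)
HAVING COUNT(*) >= 5
ORDER BY signup_day;
```

Review the first result set by hand before acting on it, since a legitimate author who never clicked the validation link will also appear there.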