My site is running OJS version 2.3.8 and has recently been compromised and used for sending junk mail. We do not have a clean copy of the site to restore. Could someone please advise on what the best course of action would be to port my current content to a fresh install of OJS 2.4.7-1? What folders would need to be copied over to ensure all media uploads are kept, and would porting the database as is suffice?
Hi @karimghorbal,
I’m sorry to hear that you’ve been hit.
Before you start rebuilding the site, it’s worth trying to figure out what led to the break-in. OJS 2.3.8 is a very old release, but we’re not aware of any security flaws in it. It’s possible that the break-in was caused by another application, or the way you’ve deployed the installation, and it’s possible that simply deploying your journal on a newer release will not make it safe.
Did you place your files_dir (see config.inc.php) inside the web root? If so, that’s a likely line of attack. Make sure your files_dir cannot be accessed directly through the web server.
If files within your server have been added or modified during the incursion, see if you can correlate the exact modification or creation date of these files against your web server’s access log. This will often indicate the route used to attack.
Regards,
Alec Smecher
Public Knowledge Project Team
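The correlation Alec describes, as an added example that is not code from the thread or from PKP: list every file under a directory that changed after a chosen reference time and print the access-log lines recorded in the same minute, so the request that wrote a file can be spotted. It assumes GNU coreutils date(1) with -r, an Apache/nginx "combined" log format, and file and log timestamps in the same time zone; the sample tree, file names and log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the PKP forum thread: correlate files that
# changed after a chosen point in time with the web-server access-log lines
# recorded in the same minute. A match usually shows which request wrote the file.
# Assumptions (mine, not the thread's): GNU coreutils date(1) with -r, an
# Apache/nginx "combined" log format, and log and file times in the same zone.
export TZ=UTC
export LC_ALL=C

# correlate_mtimes DIR REFERENCE_FILE ACCESS_LOG
# For every file under DIR newer than REFERENCE_FILE, print the file, its
# modification minute, and the access-log lines from that minute.
# Returns 0 if at least one modified file matched a log line, 1 otherwise.
correlate_mtimes() {
    dir=$1; ref=$2; log=$3; hits=0
    list=$(mktemp)
    find "$dir" -type f -newer "$ref" > "$list"   # POSIX: modified after the reference file
    while read -r f; do
        minute=$(date -u -r "$f" '+%d/%b/%Y:%H:%M')   # e.g. 15/Jul/2016:14:23
        if grep -F "[$minute:" "$log" > /dev/null; then
            printf '== %s modified at %s ==\n' "$f" "$minute"
            grep -F "[$minute:" "$log"
            hits=$((hits + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$hits" -gt 0 ]
}

# make_sample: build a constructed OJS-like files tree and access log in a
# temporary directory and print its path. All names and timestamps are made up.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/files/journals/1/articles/7/public"
    touch -t 201607151400.00 "$root/window_start"   # incident window begins 14:00
    touch -t 201607141010.00 "$root/files/journals/1/articles/7/public/paper.pdf"  # legitimate, earlier
    : > "$root/files/journals/1/articles/7/public/x.php"   # unexpected script that appeared during the window
    touch -t 201607151423.11 "$root/files/journals/1/articles/7/public/x.php"
    cat > "$root/access.log" <<'EOF'
198.51.100.7 - - [15/Jul/2016:09:02:00 +0000] "GET /ojs/index.php/demo/issue/current HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Jul/2016:14:23:09 +0000] "POST /ojs/index.php/demo/author/saveSubmit/2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Jul/2016:14:23:30 +0000] "GET /ojs/files/journals/1/articles/7/public/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$root"
}

# Stand-alone demo run on the constructed sample.
demo_root=$(make_sample)
correlate_mtimes "$demo_root/files" "$demo_root/window_start" "$demo_root/access.log" || echo "no correlated entries"
rm -rf "$demo_root"
```

On a real server the reference file would be created with `touch -t` at the start of the suspected window (or the last known-good backup time), and the log path would be the virtual host's access log; a modified file whose minute shows a POST followed by a direct GET of that same path is exactly the pattern a files_dir inside the web root produces.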
Hi Alec,
Thank you very much for your answer. I shall forward your comments to the person responsible and I may come back to you.
Regards,
Karim
Hi Alec,
Here is the webmaster reply:
Yes, the files are in the web root, so that could be where the attack came from. You can have the files_dir in the webroot and secure it so no outside access is allowed. Can you tell me how to recover it? In a shared hosting environment, setting that folder so only the local web server can read the files should be acceptable?
Regards,
Karim
Hi @karimghorbal,
An ideal setup will depend on your web server’s SAPI configuration – e.g. whether all PHP scripts run under the same user account (usually www-data or apache) or whether they execute as your user account. If your server uses www-data or apache it’s inherently risky; any vulnerable script on the server can result in an attack on your OJS install.
Regards,
Alec Smecher
Public Knowledge Project Team
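A check for the files_dir placement discussed above, as an added example that is not code from the thread or from PKP: read the active files_dir setting out of config.inc.php, decide whether it resolves to a path at or below the document root, and, for the shared-hosting case the webmaster asks about, print an Apache .htaccess that refuses direct web requests to it. It assumes that a relative files_dir is resolved against the OJS installation directory and that the server honours .htaccess files (AllowOverride); the config fragment and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the PKP thread: check whether the files_dir named in
# OJS's config.inc.php resolves to a path under the web server's document root,
# and print an Apache .htaccess that blocks direct requests to it when moving the
# directory out of the web root is not an option. Assumptions (mine): a relative
# files_dir is taken relative to the OJS installation directory, and .htaccess
# files are honoured (AllowOverride) by the server.

# files_dir_from_config CONFIG : print the active (uncommented) files_dir value
files_dir_from_config() {
    sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# normalize PATH : collapse repeated slashes, "/./" segments and a trailing slash
normalize() {
    printf '%s\n' "$1" | sed 's#//*#/#g; s#/\./#/#g; s#/\.$##; s#\(.\)/$#\1#'
}

# files_dir_in_webroot FILES_DIR OJS_BASE DOCROOT
# Returns 0 (true) when FILES_DIR lies at or below DOCROOT, 1 otherwise.
files_dir_in_webroot() {
    case "$1" in
        /*) abs=$1 ;;
        *)  abs="$2/$1" ;;      # relative: resolve against the OJS install dir
    esac
    abs=$(normalize "$abs"); root=$(normalize "$3")
    case "$abs" in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# deny_htaccess : print an .htaccess body that refuses all direct web requests
# (Apache 2.4 syntax first, 2.2 fallback)
deny_htaccess() {
    cat <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Stand-alone demo on a constructed config.inc.php fragment.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
; files_dir = /home/journal/ojs-files   (commented out, so ignored)
files_dir = files
EOF
fd=$(files_dir_from_config "$cfg")
if files_dir_in_webroot "$fd" /var/www/html/ojs /var/www/html; then
    echo "files_dir '$fd' is inside the web root: move it out, or at least deny direct access with:"
    deny_htaccess
else
    echo "files_dir '$fd' is outside the web root"
fi
rm -f "$cfg"
```

Moving files_dir outside the document root remains the better fix, because OJS serves uploads through PHP (which reads the directory with the PHP process's own permissions) and never needs the web server to expose it; the .htaccess is the fallback when the hosting plan offers no directory above the web root. Note that this check only covers Alec's first point: which user the PHP scripts run as (www-data/apache versus the account owner) is a property of the hosting setup that no file check reveals.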
Hi Alec,
What we don’t know is how to recover from this CMS version. All we need to know is how to recover from it. Are we able to just copy certain folders and connect the same database? If so, which folders?
Thanks for your help.
Regards,
Karim
You will essentially want to follow the Full Package instructions in the UPGRADE documentation, even if just refreshing the 2.3.8 source code.
You will be copying over the files_dir and public_files_dir from your infected installation to your clean installation, so be sure to run a virus scan across these directories.
Dear Alec and Clinton,
Thank you so much for your help. The Web site was updated and everything works (with OJS 2.4.7).
Regards,
Karim