Potential hackers have uploaded images to our OJS

aas · May 19, 2022, 11:50am

Hello,
Since we were recently informed by the system administrators that our website is also on the list where hackers publish their achievements http://www.zone-h.org/archive/filter=1/fulltext=1/domain=uni-lj.si, I am interested in when and who creates subfolders in the images folder http://ojs.aas.bf.uni-lj.si/ public/site/images/ with the name of their username and uploads files, such as images. We have discovered four subfolders created by hackers where they uploaded images of propaganda hacking material. Since this happened in 2021, 2020, and 2017, I do not think they had bad intentions since they did not cover our websites with their images.
I found these four usernames in OJS and disabled them. Is there anything else I can do?

We are currently using OJS version 2.4.6.0.

Kind regards,
Jože

dagosalas · May 19, 2022, 12:12pm

Hi @aas ,

This topic has already been discussed on the forum:

If you do a search in the forum you will get several post about he same thing.
I`m looking for the post that was made from PKP about this, but I can´t find it.
Bu it doesn´t represent a potential risk, it´s just annoying.

And by the way, v 2.x is obsolete, yo need to upgrade.

aas · May 19, 2022, 1:14pm

Hi @dagosalas
Thanks for the quick reply and additional discussion on this topic. I searched the forum, but found nothing … I obviously entered irrelevant words.

dagosalas · May 19, 2022, 1:53pm

Also, take a look around here:

github.com

pkp/pkp-docs/blob/main/admin-guide/en/securing-your-system.md

# Securing Your System

## The Basics

Please see [https://pkp.sfu.ca/ojs/README](https://pkp.sfu.ca/ojs/README), [https://pkp.sfu.ca/omp/README](https://pkp.sfu.ca/omp/README), or [https://pkp.sfu.ca/ocs/README](https://pkp.sfu.ca/ocs/README) to ensure that the software install directory and file storage area (`files_dir` in `config.inc.php`) are configured securely on your server.

In general, the `files_dir` should not be web accessible and should be placed outside of the main software install directory. The software application will manage access to private submission files based on user roles and permissions \(i.e. Editors will have access to all submission files, whereas authors will only be able to access their own submission files\).

In addition, to ensure security the `files_dir` folder should not be readable by other users on the server. Only the webserver should have the necessary read/write permissions so that OJS, OMP, or OCS can read existing files and add new files to the folder, e.g.

`drwxrwx---    6 ojs www 204B 11 Sep  2017 files/`

The exact details of file permissions will depend on how your web server runs PHP scripts (this is called the "server API" or "SAPI"). For example, if it uses `mod_php`, all PHP scripts will run as the `www-data` user or similar (this is inherently not 100% secure on a multi-user server). If it uses CGI, FastCGI, FPM, or a similar mechanism, it will likely run under your user account.

It is recommended that you install an SSL certificate for your OJS, OMP, or OCS install and ensure that your site always uses the HTTPS protocol to manage user registration, login, and to present content to readers. Once your SSL certificate has been installed and is confirmed to be working \(i.e. you can access your site via [https://myjournal.org](https://myjournal.org/)\) you can configure your site to always use HTTPS by using the following setting in `config.inc.php`:

`; Force SSL connections site-wide
force_ssl = On`

You should also set the base URL to use the HTTPS version of your journal, press, or conference:

This file has been truncated. show original

D.

aas · May 19, 2022, 2:16pm

Hi @dagosalas
Thank you very much for the additional link with instructions on how to protect our system.

rcgillis · May 19, 2022, 6:42pm

@aas @dagosalas,

Just an FYI, here is the post that PKP did on this, a little while back: https://pkp.sfu.ca/2017/04/12/regarding-recent-ojs-defacement-attacks/

-Roger
PKP Team

dagosalas · May 19, 2022, 7:17pm

Thanks @rcgillis !!! This url is the one I was looking for

aas · May 20, 2022, 11:26am

Thank you very much @rcgillis for link!

dagosalas · May 20, 2022, 1:00pm

This topic was automatically closed after 23 hours. New replies are no longer allowed.