Problems with updating OJS 2.4.x to 3.1.x (Database)

Good evening, the community needs your help a lot. Our magazine has been hacked, so we’re using an old version of 2016 and may god help us.

The version used is OJS 2.4.x and since I will have to use a backup, I would like to upgrade to OJS 3.1.x.

The problem is that I cannot update via the CLI or via the Web.
In the update via WEB, the following is informed:

A database error has occurred: Duplicate entry 'tinymceplugin-0-enabled' for key 'plugin_settings_pkey'

Reading here, I saw that this problem occurs when an unsuccessful update was attempted; however, no update was attempted. The only administrator is me.

But, I followed the standard procedure, erased the database, tells the dump of the backup and the folder where the submissions are.

I get the same error.

How to run this manually? For there is no other basis, no attempt has ever been made to update. Can you bump or change this duplicate key to try to proceed with the update?

Thank you very much in advance.

Hi @klaus,

Do you know the mechanism of the hack? If your files_dir (in config.inc.php) was within your public_html (or equivalent, depending on your server), then that’s an unsafe configuration unless you took additional steps to protect it. If that’s what happened, make sure your new installation is set up per the recommended configuration in docs/README to prevent this happening again.

It may not be necessary to go back to a 2016 backup. It’s unlikely that your database has been maliciously modified, and your files_dir should be easy to scan for unexpected files (e.g. by file extension). Just make sure that your codebase is freshly unpacked from the release .tar.gz file and you do not copy any of its contents from your old installation without thoroughly reviewing its contents (e.g. the public directory and its contents).

Regards,
Alec Smecher
Public Knowledge Project Team
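
Added example, not part of the original posts and not PKP code: a shell script for the two checks suggested above, whether files_dir from config.inc.php resolves inside the web root and whether it holds files with unexpected extensions. The function names, the extension list and the treatment of a relative files_dir as relative to the OJS base directory are assumptions.

```shell
#!/bin/sh
# Added example (not PKP code): audit where files_dir lives and what it holds.

# Print the files_dir value from an OJS config.inc.php (ini-style "key = value").
ojs_files_dir() {
    sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Exit 0 if directory $1 resolves inside directory $2, 1 if not, 2 if unresolvable.
is_inside() {
    child=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    parent=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$child/" in
        "$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# List files whose extension is unexpected among uploaded submissions.
# The extension list is an assumption; extend it for your server's handlers.
suspicious_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.cgi' -o -iname '*.pl' -o -iname '*.py' \
        -o -iname '*.sh' -o -iname '.htaccess' \) | sort
}

# usage: audit_ojs /path/to/ojs/config.inc.php /path/to/web/root
audit_ojs() {
    dir=$(ojs_files_dir "$1")
    [ -n "$dir" ] || { echo "files_dir not set in $1"; return 2; }
    # Assumption: a relative files_dir is relative to the OJS base directory.
    case "$dir" in /*) ;; *) dir="$(dirname "$1")/$dir" ;; esac
    rc=0; is_inside "$dir" "$2" || rc=$?
    case "$rc" in
        0) echo "UNSAFE: files_dir $dir is inside web root $2" ;;
        1) echo "OK: files_dir $dir is outside web root $2" ;;
        *) echo "ERROR: cannot resolve $dir or $2"; return 2 ;;
    esac
    suspicious_files "$dir"
}

if [ "$#" -eq 2 ]; then audit_ojs "$1" "$2"; fi
```

HTML galleys can be legitimate uploads, so .html is left out of the list; review each hit by hand rather than deleting automatically.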

First, thank you for your helpfulness. The OJS no longer presented the contents; it was only a blank page. I noticed that the “files_dir” directory held only 13MB of files while the 2016 copy had 235MB, so it was clearly compromised.

The database apparently was not compromised, but I do not know about the rest.

I took all the measures indicated in the docs, but there was a failure in the files_dir permissions; I do not know if it was mine or if it was done by the attackers.

Anyway, I’d like to upgrade our OJS to version 3.1.x. I saw a suggestion from you in git, talking about editing an xml (but you did not recommend it), I tried, but I did not succeed either.

Any tips?

Hi @klaus,

The command-line upgrade process is the best way. Each time the upgrade fails you’ll have to restore from backup, as a failed upgrade leaves the database/files area stuck somewhere between the two versions. Start with a clean copy of your database and files directory, run the command-line upgrade script, and post where it gets stuck (if you don’t see a post in the forum already covering that message) – I’ll see what I can suggest.

Regards,
Alec Smecher
Public Knowledge Project Team

Well, in the public folder I had another proof of the invasion. A rescue contact. The interesting thing is, the contact only exists in the 2016 backup and not in the 2018 version.

The hacker was hacked by Itsuka VrCy - Time being called Noesantara 1945 Hacker Team, the file with this data was named from V.html.

Anyway, I did not see any more malicious files.

I will do the following:

1. Download OJS 2.4.8 and upgrade;
2. Use the database 2018;
3. Use the files_dir of 2016;
4. Use the public of 2016;
5. Try to go to version 3.1.1 (always using the update script and not the web).

As soon as you do these processes, return.

You’re great man!

Good evening,

I did the steps I mentioned above, I upgraded from OJS 2.4.2 to OJS 2.4.8, everything went well. However, at the time of upgrading to OJS 3.1.1 the problem persists.

Unfortunately, I verified that an update process was started, several tables had the suffix migration. The fact is, I have never made any updates and no one else has access to this bank.

When trying to install via script I received the following message (both with PHP 5.6 and PHP 7):
PHP Version 5.6
[pre-installation]
[load: upgrade.xml]
[version: 3.1.1.1]

[code: Installer::checkPhpVersion]
ERROR: Update failed: ##installer.unsupportedPhpError##

In an attempt by the Web:

A database error has occurred: Duplicate entry 'tinymceplugin-0-enabled' for key 'plugin_settings_pkey'

I did a test, deleting all the tables that had suffix migration, but I still got an error.
Unfortunately, I gave up on going to OJS 3.1.1. I do not have a clean and accurate basis for the university papers in the air again. I will have to stay in OJS version 2.4.8.

Thank you very much for your help.

Hi @klaus,

I suspect your command-line PHP is an old version by default – try running

php --version

You might need to specify a full path to a newer binary in the command line.

Regards,
Alec Smecher
Public Knowledge Project Team

I did it with the full path and without, but I got the same result. I tried with PHP 5.6 and 7.

Hi @klaus,

I see above:

[code: Installer::checkPhpVersion]
ERROR: Update failed: ##installer.unsupportedPhpError##

What do you get when you run the following command?
php --version

Regards,
Alec Smecher
Public Knowledge Project Team

PHP 5.4.16 (cli) (built: Nov 6 2016 00:29:02)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

Hi @klaus,

That explains it – your command-line PHP looks like version 5.4.16, which is obsolete. Your server might have a newer version available, but you’ll probably need to specify a path to it manually (e.g. /path/to/php tools/upgrade.php rather than just php tools/upgrade.php). The details will be server-specific.

Regards,
Alec Smecher
Public Knowledge Project Team

I did it that way too, though I always got the same result.

/usr/bin/php tools/upgrade.php upgrade

Hi @klaus,

/usr/bin/php is probably the same PHP 5.4.16 binary you’re using by just specifying php. Other (newer) versions are probably somewhere else on your server.

Regards,
Alec Smecher
Public Knowledge Project Team
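
Added example, not part of the original posts and not PKP code: a shell script that reports the version of every php binary in the directories it is given, to show which one the command-line upgrade would actually run. The function names are assumptions, and the minimum version is a parameter (5.6.0 below only because the thread mentions PHP 5.6 and 7); the real requirement is in the release's docs/README.

```shell
#!/bin/sh
# Added example (not PKP code): find out which php binaries can run the upgrade.

# Read `php --version` output on stdin and print the X.Y.Z version number.
parse_php_version() {
    sed -n '1s/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when version $1 is greater than or equal to version $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# usage: scan_php MIN_VERSION dir...
# Prints one line per binary named php or php<digits> found in each directory.
scan_php() {
    min=$1; shift
    for d in "$@"; do
        for bin in "$d"/php "$d"/php[0-9]*; do
            [ -f "$bin" ] && [ -x "$bin" ] || continue
            v=$("$bin" --version 2>/dev/null | parse_php_version)
            [ -n "$v" ] || continue
            if version_ge "$v" "$min"; then
                echo "usable $v $bin"
            else
                echo "too-old $v $bin"
            fi
        done
    done
}

# Example call: sh scan_php.sh 5.6.0 /usr/bin /usr/local/bin
if [ "$#" -ge 2 ]; then scan_php "$@"; fi
```

Run the upgrade with the full path of a binary reported as usable, e.g. `/path/to/php tools/upgrade.php upgrade`.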

Maybe, I’ll check with the support team.

Thank you!