Hi @sonbabyjohn,
they registered as an author and uploaded “hacked by” images to the “Comments to the Author” section in the submission page. Then they took the link (…public/site/images/username/xxx.jpg) and spread as it is hacked.
This is not a hack, but instead misuse of an intentional feature to cause confusion. The system is not at risk, nor has it been hacked by this means.
If you want to disable image uploads for users entirely, you can remove the “jbimages” tool that we use to do this. See this thread
for details.
Second type was that they uploaded .phtml file, but I could not find any alteration on our site.
For uploading .phtml files, you should indeed have your files_dir outside the web root or you risk having your server compromised. This is clearly noted in the documentation and on the installation form. If you have had your files_dir in a web-accessible location, I would suggest reviewing your account’s contents thoroughly to ensure that nothing unexpected is there.
Regards,
Alec Smecher
Public Knowledge Project Team