Remove malware from OJS

Hi @a2usmani,

I’ve written some general advice on this in the past, e.g. this thread:

Cleaning up after a security incursion is beyond the scope of this forum, but broadly speaking, it’s good policy not to trust content there. I’d suggest using diff to compare your installation against the stock release…

This is the same advice that applies to any PHP-based web application, like Wordpress or Drupal, so you might find good general advice elsewhere. But in short, you have two problems to solve:

  1. The contents of your web root aren’t trustworthy, and trying to manually find and remove a backdoor can easily overlook malicious content. Move everything into a “quarantine” directory outside the web root, and only move contents back in when you have to and know they’re trustworthy.
  2. If you just re-install OJS 3.3.0-11, it’ll get hacked again. This version is significantly out of date. Take this opportunity to upgrade to the latest 3.3.0-x.

In answer to your specific questions:

  1. What is the recommended way to completely remove malware from an OJS installation via cPanel?
     Are there any known locations in OJS where malware commonly hides (e.g., cache, public, plugins, uploaded files)?

You should assume malware is hidden everywhere in your web root and trust nothing there unless you review it. The uploaded files directory should be somewhere outside your web root (if not, that’s a security problem!) so it’s less risky if you accidentally leave some kind of malware file there.

The general policy should be to rebuild everything in the web root with a trustworthy copy (e.g. from the .tar.gz download of OJS), and only copy what’s required from your “quarantined” copy of the infected web root (the configuration file and public directory).

  2. Should I replace the OJS core files with a fresh copy of the same version (3.3.0.11)?

No – this will get you hacked again. Use the freshest 3.3.0-x files. OJS 3.3.0-11 was released more than 3 years ago; see e.g. this memo.

  3. How can I make sure the site is clean before requesting Google re-indexing?

I’m not aware of any tools for this. The best thing to do is be methodical and “work smart” – e.g. don’t expect yourself to manually review thousands of files when you can’t reasonably do that.

Regards,
Alec Smecher
Public Knowledge Project Team

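The "quarantine and diff against the stock release" approach from the post above, as an added example that is not part of the original thread or of PKP's own tooling. It assumes the stock OJS release has been extracted from the official .tar.gz into one directory and the old web root has been moved into a quarantine directory outside the web root; the demo tree at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from PKP): list what differs
# between a quarantined OJS web root and a freshly extracted stock release.
# Expected differences you still review by hand: config.inc.php (stock ships
# config.TEMPLATE.inc.php only) and the per-journal content under public/.

# Print every file in QUARANTINE that is absent from STOCK or whose content
# differs from the stock copy. Format: "EXTRA <path>" / "MODIFIED <path>".
compare_webroot() {
    stock="$1"; quarantine="$2"
    ( cd "$quarantine" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$stock/$f" ]; then
            printf 'EXTRA    %s\n' "$f"
        elif ! cmp -s "$stock/$f" "$quarantine/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
    return 0
}

# Data-only directories should never contain executable PHP. public/ and
# cache/ live in the web root; files/ should already be outside it, but is
# checked too in case it was (wrongly) placed inside.
suspicious_php() {
    quarantine="$1"
    for d in public cache files; do
        if [ -d "$quarantine/$d" ]; then
            ( cd "$quarantine" && find "./$d" -type f \
                \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) | sort )
        fi
    done
    return 0
}

# Constructed demo tree (hypothetical paths): one unchanged core file, one
# core file whose content differs, and one planted PHP file under public/.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/stock/lib" "$tmp/quarantine/lib" "$tmp/quarantine/public/journals/1"
    printf 'same\n' > "$tmp/stock/lib/same.inc.php"
    cp "$tmp/stock/lib/same.inc.php" "$tmp/quarantine/lib/"
    printf '<?php echo "stock";\n'    > "$tmp/stock/lib/core.inc.php"
    printf '<?php echo "tampered";\n' > "$tmp/quarantine/lib/core.inc.php"
    printf '<?php echo "planted";\n'  > "$tmp/quarantine/public/journals/1/x.php"
    compare_webroot "$tmp/stock" "$tmp/quarantine"
    suspicious_php "$tmp/quarantine"
    rm -rf "$tmp"
}
demo
```

Run it against your real directories with `compare_webroot /path/to/stock /path/to/quarantine` and `suspicious_php /path/to/quarantine`; anything reported as EXTRA or MODIFIED outside config.inc.php and public/ is not copied back until it has been reviewed.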