Repeated hacking issue in an OJS journal

Hello everyone,
Our journal entitled available at www.extensioneducation.org has been hacked now.
This is not the first time we are experiencing this. We have tried all possible solutions such as including CAPTCHA & installing a server scanner - but this keeps happening time and again.

  1. Can you suggest some concrete solutions to avoid this hacking issue in future?

  2. Will upgrading to OJS 3.0 help? We are anyhow planning to upgrade shortly. Kindly let us know the steps to be taken for the same.

Our support team had sent a mail mentioning that an outdated plugin might’ve been the cause of hacking.

I am reproducing their mail below.

Sir,
_There are outdated plugins in this:_

‘/home/extensionedu/public_html/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/ci/system/core/CodeIgniter.php’
Script version check [OLD] [CodeIgniter v2.1.2 < v3.1.3]
Please talk to OJS people and let us know whether this issue has been fixed.
Thank you,
JEE Support


Kindly advise.

Sincerely,
Chief Editor, JEE

Can you describe how you were hacked?

Where do you keep your files directory?

Dear Sir,

Thank you very much for the response.

Please find enclosed the reply from our support team on where they keep the files.
Kindly provide us a solution as early as possible.

While I am drafting this mail, the JEE site has again been hacked (www.extensioneducation.org).

Thanks and regards,

Hi,

I cannot see the reply you are referring to?

The files directory should be outside the webroot. So, if OJS is for example in the public_html folder, the files directory cannot be in that same directory. If the files folder is accessible through the internet, then your installation can be hacked. This is usually done by uploading a .phtml file to the directory.

After moving the files folder to the right location, you should look through your installation to make sure that there are no backdoors there.

I will tag @asmecher here, he can give you better guidance (I’m not PKP).

@ajnyga, here is the reply from our support team, which you could not see:

"Please find the following details:

The entire site (hacked) is backed up for analysis and available at the following URL, which can be downloaded along with the access log

[EDIT: REMOVED]

We did not know, as we have many other accounts on this server, but only the OJS script was hacked. Let the PKP team analyze the issues and provide us the solution."

I think your problem is that users are allowed to submit files such as PHP, HTML, PHTML, etc. Would you like to test registering a new account and trying to upload those files?

I did not have time to check what files the folder includes, but maybe you should not give access to them here?

I can see that the files directory is accessible via internet. This is the reason your site is getting hacked.

The files directory should be outside the webroot as it is instructed in the OJS readme file.

https://github.com/pkp/ojs/blob/master/docs/README#L58


Hi @jee,

As @ajnyga noted, it’s not safe to expose all that data to the public. I’d recommend changing any passwords that might have been exposed via that download. @ajnyga’s also described the likely path the attack took. I’ve removed the download link from your post above.

Regards,
Alec Smecher
Public Knowledge Project Team

@ajnyga, @Muhammad_Khoiruddin and @asmecher,
Many thanks for the detailed responses. I have informed our support team on this. Hoping for the best! Thank you.

You are very welcome.

Besides moving the files directory outside public_html folder, I would suggest that you check that the hacker has not added any new files in other folders of the OJS installation.

Hi @ajnyga, as suggested by you all, the JEE support team has now password-protected the directory. We hope the site will be safe from now on. Thanks.

I had checked his backup folder and there were .phtml files in four submission folders. One of them was the last folder. The rest I do not remember now, and I have deleted the backup. @jee, you can check them by searching with WinRAR or any other program.

Regards.
@anupent

Yes, I saw one of those as well. But I was thinking more about the other folders besides the files folder. It would be wise to check that there are no new files in the installation or that there are no modifications made.


Hi @anupent, @ajnyga, Yes. We are taking all precautions as suggested. Thanks.

I don't know how to explain it, but by default OJS submissions support uploading executable file extensions such as PHP, PHTML, HTML, etc., so it is vulnerable. After uploading HTML, PHP or PHTML, a hacker can gain root on the server.

Yes, OJS allows you to upload .phtml files (not .php files), but if the files folder is outside the webroot, the hacker cannot use those files.

That's the problem. I hope the programmers can fix it.

Hi @Muhammad_Khoiruddin,

We permit any kind of file upload, including .phtml, .py, etc. As long as the files directory is kept outside of the web root (as described on the installation form and elsewhere), these files are not dangerous. We permit all kinds of file uploads because journals may legitimately want source code as part of submissions.

As long as your files directory is outside your web root, even malicious .phtml uploads etc. cannot be executed and do not represent a danger.

Regards,
Alec Smecher
Public Knowledge Project Team
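As an added example (not from the thread and not PKP's own code), a small Python check for the two points raised above: whether the `files_dir` in `config.inc.php` resolves inside the webroot, and whether any uploaded file in it has an extension PHP would execute, as with the .phtml files found in the submission folders. It assumes a relative `files_dir` is resolved against the OJS base directory; the directory tree it inspects is constructed inside the script.

```python
import os
import re
import tempfile

# Extensions PHP would execute if served from inside the webroot
# (the thread found .phtml web shells dropped in submission folders).
EXECUTABLE_EXTS = {".php", ".phtml"}


def files_dir_from_config(config_text, ojs_base):
    """Return the absolute files_dir from config.inc.php text.

    A relative value is resolved against the OJS base directory
    (assumption matching the default 'files_dir = files' template)."""
    m = re.search(r"^\s*files_dir\s*=\s*(.+?)\s*$", config_text, re.M)
    if not m:
        return None
    value = m.group(1).strip().strip("\"'")
    return os.path.realpath(os.path.join(ojs_base, value))


def is_inside(path, root):
    """True if path resolves to root itself or somewhere beneath it."""
    p, r = os.path.realpath(path), os.path.realpath(root)
    return p == r or p.startswith(r + os.sep)


def find_executable_uploads(files_dir, exts=EXECUTABLE_EXTS):
    """List uploaded files (relative to files_dir) with executable extensions."""
    hits = []
    for dirpath, _, names in os.walk(files_dir):
        for name in names:
            if os.path.splitext(name)[1].lower() in exts:
                hits.append(os.path.relpath(os.path.join(dirpath, name), files_dir))
    return sorted(hits)


def demo():
    """Constructed layout mirroring the thread: files/ kept under public_html."""
    home = tempfile.mkdtemp()
    webroot = os.path.join(home, "public_html")  # OJS installed in the webroot
    sub = os.path.join(webroot, "files", "journals", "1", "articles", "7",
                       "submission", "original")
    os.makedirs(sub)
    open(os.path.join(sub, "7-1.pdf"), "w").close()    # legitimate upload
    open(os.path.join(sub, "7-2.phtml"), "w").close()  # constructed web-shell stand-in
    fdir = files_dir_from_config("files_dir = files\n", webroot)
    return {"exposed": is_inside(fdir, webroot), "hits": find_executable_uploads(fdir)}


if __name__ == "__main__":
    print(demo())
```

A result of `exposed: True` means the files directory sits under the webroot and should be moved, and every listed hit deserves a look before the backup is discarded.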