Hi,
I am facing a continuous problem with the OJS 3.8.0.8 installation at the https://pubs.thesciencein.org/journal for last few days. The home page of the journals site appear different to users and google bots (search console). When we browse then it appear normal, while we do the live test on google search console, it shows a completely different contents (hacked). Details are given below:
Describe the issue or problem
A hacking of site was reported by a author who shared the screenshot of the site which was completely different (Indonesian contents) than the original journal site. When we checked in the google search console, found that few keywords (like nana4D etc.) not related to journal site are getting excessive hits in google search and original keywords were losing the hits. In the live test of the site (in google search console) it showed the hacked site content. When we browsed at our PC, the normal journal site loaded. We found this is a ‘SEO Cloaking’ hack by someone from Indonesia (as all hits (in millions) to unrecognized search terms were coming from Indonesia).
Steps I took leading up to the issue
We checked all the installation files, a redirect code was inserted in the htacess file > we corrected the file. Still the results were same.
- We then did a replacement of all OJS file with fresh new files (deleted all previous files except configuration file (the contents files were ok) and copied new files of OJS (and plugins) to remove the possibility of any intrusion in the installation files.
- Checked the database if any suspicious term (related to google search console terms) is there, but did not find anything.
- Set up the Cloudflare for security of the OJS installation (also blocked few IPs). Changed admin related passwords (including for wordpress installations).
- As of now, the installations files are intact (there is no intrusion) since last 4-5 days. Error logs also do not show any aberrant access/change.
- BUT, the cloak hack is still there. When we do the ‘live test’ in google search console, it shows the hacked site, otherwise normal journals site load on browsing. This is leading to SEO loss (severe loss as metadata of articles is not indexed), only the hacked site contents are indexed. We checked on other sites meant for detection of hacks (like SiteChecker), all shows normal (do not indicate hack). When we browsed in the journals contents in google scholar then ‘all listed articles links led to the hacked contents site (on refresh as well, normal journal content site did not load)’.
What application are you using?
OJS 3.4.0-8, Apache, MySQLi, Shared host.
Additional information
The screenshots of hacked site contents and normal journal contents are provided here. Also the text file of the html shown in the google search console ‘live test’ is available for referring the code/terms (will provide if required).
We are unable to find any point of intrusion in the files or database, any suggestion from the community/team for resolution of this would be much appreciated.
Hacked content site from google scholar search results.
[ed: image removed by request]
Normal browse site (for same link)
[ed: image removed by request]
Results in google search console live test:
[ed: image removed by request]