Some days ago we had a security breach in you OJS server (OJS 3.3.0-14 on Ubuntu 18.04.6 LTS and PHP 7.4.33) and it seems our plugins folder was compromised.
There were a lot of .htacess files inside the plugins folder that did not exist previously. I managed to fix this, but there is still an error that is not allowing my plugins page to load:
PHP Fatal error: require_once(): Failed opening required ‘/home/ojs/rc-3.3.0/lib/pkp/plugins/importexport/userss/PKPUserImportExportDeployment.inc.php’
(include_path=‘.:/usr/share/php’) in /home/ojs/rc-3.3.0/lib/pkp/includes/functions.inc.php on line 25,
referer: https://www.periodicos.rc.biblioteca.unesp.br/index.php/index/admin/settings
The problem is that he is referencing a userss plugin inside importexport that does not exists. We do have importexport/users, but no userss.
So where is this reference coming from? I already looked in the versions and plugin_settings tables and found nothing. Where else it would be?
The rest of the stack trace that appears in the log below that error message should help clarify where the userss plugin is being invoked from. It’s likely to be a malicious plugin. OJS 3.3.0-14 is quite out-of-date, and there are known attack vectors against it; this is a good opportunity to update to the latest 3.3.0-x release.
Regards,
Alec Smecher
Public Knowledge Project Team
Yeah, I know 3.3.0.14 is old, and I plan to upgrade to 3.5 as soon as it becomes LTS. That said, I looked at the stack trace and still not able to find out where this userss come from…
All I can see in the apache error_log is the lines posted in my first message.
As I said, this folder does not exists, grep userss on the database dump and even in the ojs folder show me nothing. Both functions.inc.php and bootstrap.inc.php in /lib/pkp/includes are the same you have in the source package. What am I missing here?
If you can post the stack trace, I might be able to recommend places to look.
Once a site is successfully attacked, it’s hard to tell where there might be modifications; the best thing to do is move the old install offline, unpack a fresh copy of a “safe” download, and merge in the details you need to preserve (the files directory, configuration file, and once you’ve 100% reviewed its contents, the public files directory). You can upgrade to the latest 3.3.0-x at the same time by starting with the newest code.
Regards,
Alec Smecher
Public Knowledge Project Team
Sure the best would be upgrade to the latest 3.3 OJS, but I’m on vacation right now, so this is not an option.
After a server reboot, this is what appears in my error_log, beginning with the login and then going to the plugins page:
[Wed Dec 10 06:26:16.614699 2025] [php7:notice] [pid 4882] [client 141.98.19.18:45784] ojs2: 404 Not Found [Wed Dec 10 06:26:18.314424 2025] [php7:notice] [pid 4896] [client 141.98.19.18:45926] ojs2: 404 Not Found [Wed Dec 10 06:26:22.112121 2025] [php7:warn] [pid 4881] [client 186.217.13.68:50643] PHP Warning: session_regenerate_id(): Cannot regenerate session id - session is not active in /home/ojs/rc-3.3.0/lib/pkp/classes/session/SessionManager.inc.php on line 249, referer: ``https://www.periodicos.rc.biblioteca.unesp.br/index.php/index/login [Wed Dec 10 06:26:49.254562 2025] [php7:notice] [pid 4898] [client 47.128.26.226:15116] ojs2: 404 Not Found [Wed Dec 10 06:27:05.630891 2025] [php7:warn] [pid 4893] [client 186.217.13.68:50659] PHP Warning: include(/home/ojs/rc-3.3.0/cache/fc-pluginSettings-0-recommendbysimilarityplugin.php): failed to open stream: No such file or directory in /home/ojs/rc-3.3.0/lib/pkp/classes/cache/FileCache.inc.php on line 46, referer: ``https://www.periodicos.rc.biblioteca.unesp.br/index.php/index/admin/settings [Wed Dec 10 06:27:05.630916 2025] [php7:warn] [pid 4893] [client 186.217.13.68:50659] PHP Warning: include(): Failed opening ‘/home/ojs/rc-3.3.0/cache/fc-pluginSettings-0-recommendbysimilarityplugin.php’ for inclusion (include_path=‘.:/usr/share/php’) in /home/ojs/rc-3.3.0/lib/pkp/classes/cache/FileCache.inc.php on line 46, referer: ``https://www.periodicos.rc.biblioteca.unesp.br/index.php/index/admin/settings [Wed Dec 10 06:27:05.979614 2025] [php7:warn] [pid 4850] [client 186.217.13.68:50654] PHP Warning: require_once(/home/ojs/rc-3.3.0/lib/pkp/plugins/importexport/userss/PKPUserImportExportDeployment.inc.php): failed to open stream: No such file or directory in /home/ojs/rc-3.3.0/lib/pkp/includes/functions.inc.php on line 25, referer: ``https://www.periodicos.rc.biblioteca.unesp.br/index.php/index/admin/settings [Wed Dec 10 06:27:05.979645 2025] [php7:error] [pid 4850] [client 186.217.13.68:50654] PHP Fatal error: require_once(): Failed opening required ‘/home/ojs/rc-3.3.0/lib/pkp/plugins/importexport/userss/PKPUserImportExportDeployment.inc.php’ (include_path=‘.:/usr/share/php’) in /home/ojs/rc-3.3.0/lib/pkp/includes/functions.inc.php on line 25, referer: ``https://www.periodicos.rc.biblioteca.unesp.br/index.php/index/admin/settings [Wed Dec 10 06:27:38.195065 2025] [php7:error] [pid 4921] [client 193.142.147.5:55843] script ‘/home/ojs/rc-3.3.0/wp-login.php’ not found or unable to stat [Wed Dec 10 06:27:38.435484 2025] [php7:notice] [pid 4921] [client 193.142.147.5:55843] ojs2: 404 Not Found [Wed Dec 10 06:28:05.447219 2025] [php7:notice] [pid 4921] [client 47.128.23.30:56370] ojs2: 404 Not Found
It seems that there is an recommend by similarity plugin that is also missing, that I didn’t see before,but the userss one is still here.
Tried cleaning caches and expiring user sessions, and after that got only this:
[Wed Dec 10 06:35:05.948674 2025] [php7:notice] [pid 4940] [client 141.98.19.18:14567] ojs2: 404 Not Found
[Wed Dec 10 06:35:07.501143 2025] [php7:notice] [pid 4951] [client 141.98.19.18:14671] ojs2: 404 Not Found
[Wed Dec 10 06:35:09.171008 2025] [php7:notice] [pid 4952] [client 141.98.19.18:14804] ojs2: 404 Not Found
[Wed Dec 10 06:35:10.714372 2025] [php7:notice] [pid 4896] [client 141.98.19.18:14927] ojs2: 404 Not Found
[Wed Dec 10 06:38:38.658913 2025] [php7:error] [pid 4939] [client 103.59.161.78:61926] script ‘/home/ojs/rc-3.3.0/xmlrpc.php’ not found or unable to stat
[Wed Dec 10 06:43:35.251632 2025] [php7:warn] [pid 4951] [client 186.217.13.68:50798] PHP Warning: require_once(/home/ojs/rc-3.3.0/lib/pkp/plugins/importexport/userss/PKPUserImportExportDeployment.inc.php): failed to open stream: No such file or directory in /home/ojs/rc-3.3.0/lib/pkp/includes/functions.inc.php on line 25, referer: https://www.periodicos.rc.biblioteca.unesp.br/index.php/index/admin/settings
[Wed Dec 10 06:43:35.251689 2025] [php7:error] [pid 4951] [client 186.217.13.68:50798] PHP Fatal error: require_once(): Failed opening required ‘/home/ojs/rc-3.3.0/lib/pkp/plugins/importexport/userss/PKPUserImportExportDeployment.inc.php’ (include_path=‘.:/usr/share/php’) in /home/ojs/rc-3.3.0/lib/pkp/includes/functions.inc.php on line 25, referer: https://www.periodicos.rc.biblioteca.unesp.br/index.php/index/admin/settings
[Wed Dec 10 06:44:58.357771 2025] [php7:notice] [pid 4896] [client 66.249.74.70:57236] ojs2: 404 Not Found
Still not much more than we already had, only the userss again.
I can’t see anything there that gives me a clear indication of where userss is being invoked from – beyond that it’s appearing in the .../index.php/index/admin/settings URL. Normally that area wouldn’t be invoking plugins, so it’s possible/likely that it’s another malicious code modification to the admin area.
The only way to solve this for sure is to treat everything in the web root as untrustworthy. Either compare it against a known-clean installation (such as a .tar.gz download or a safe backup) using diff or equivalent, or get fresh copies of the contents.
Regards,
Alec Smecher
Public Knowledge Project Team