Suspicious Dummy Submission and Unauthorized Activity on OJS

It has come to my attention that multiple incomplete submissions have been occurring on my OJS platform. Recently, I noticed a very concerning activity where a fabricated/dummy article was submitted. Shockingly, this dummy submission was even processed under an Editor-in-Chief account, reviewers were assigned, and a dummy PDF was attached.

This looks highly suspicious and raises serious concerns about security and platform integrity. Could someone please guide me on how I can investigate this issue further? Specifically, I want to identify who carried out this activity and understand why/how it happened so I can take the necessary steps to prevent it in the future.

Hi @Sajjad_Haider,

Would you mind indicating your specific OJS version number (e.g., OJS 3.3.0-13)? We have heard of this occurring, and there have been some fixes applied in later versions to address these issues (if that is what is occurring in your case - I can’t say for certain at this point). For the Editor-in-Chief account - I take it you confirmed that someone else, other than the person with the account, did this? From what you’ve observed, you suspect someone has overtaken the account?

-Roger
PKP Team

I have a main website where I have created 6 OJS installations using subdomains. Out of these:

  • 4 OJS installations are running on version 3.4.0-5

  • 2 OJS installations (recently created about two weeks ago) are running on version 3.5

The same suspicious activity is happening across all OJS installations with username “Disommo”, regardless of version. This includes dummy submissions, fabricated articles being processed, and reviewer assignments without authorization.

From the Editor-in-Chief accounts on these journals, I can confirm that no such activity has been performed by them, which leads me to believe that the accounts may have been compromised.

I have now deleted the user from all OJS installations, along with their submissions, and changed the EIC account credentials.

Could you please guide me on how to investigate this further and what steps I can take to secure all my OJS installations?

Hi @Sajjad_Haider,

Have a look at this thread, which lays out the pattern I’ve been seeing recently. As I say in that thread, I am interested in patterns that would suggest current releases are vulnerable to attack, but I haven’t seen them yet. If you can investigate your access log for activity from the IP address being used by “Disommo”, you may be able to put together a record of their tracks through the system.

Regards,
Alec Smecher
Public Knowledge Project Team

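The access-log review suggested in the reply above, as an added example that is not part of the original thread or PKP's own code: it rebuilds a time-ordered trail for one IP from web server logs and lists other IPs sending the same User-Agent. It assumes the Apache/nginx combined log format and that the suspect IP is already known; the function names, sample lines, IPs, paths and agent string are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" format; adjust the pattern if your server logs differently.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)

def parse(line):
    """Return one log line as a dict, or None if it is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def trace_ip(lines, suspect_ip):
    """Time-ordered requests from suspect_ip, and other IPs sending its User-Agent."""
    records = [r for r in map(parse, lines) if r]
    trail = sorted((r for r in records if r["ip"] == suspect_ip), key=lambda r: r["ts"])
    agents = {r["agent"] for r in trail if r["agent"]}
    # A shared User-Agent is only a weak hint; treat these as leads to check by hand.
    related = Counter(r["ip"] for r in records
                      if r["ip"] != suspect_ip and r["agent"] in agents)
    return trail, related

def writes(trail):
    """Requests that changed state: POSTs the server did not reject."""
    return [r for r in trail if r["method"] == "POST" and r["status"] < 400]

# Constructed sample (documentation IPs): two journals' logs concatenated, out of order.
SAMPLE = [
    '203.0.113.7 - - [02/Sep/2025:10:03:05 +0000] "POST /index.php/j1/submission HTTP/1.1" 200 310 "-" "ExampleAgent/1.0"',
    '203.0.113.7 - - [02/Sep/2025:10:01:12 +0000] "GET /index.php/j1/user/register HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0"',
    '203.0.113.7 - - [02/Sep/2025:10:01:40 +0000] "POST /index.php/j1/user/register HTTP/1.1" 302 0 "-" "ExampleAgent/1.0"',
    '198.51.100.9 - - [02/Sep/2025:10:02:00 +0000] "GET /index.php/j1/about HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.44 - - [02/Sep/2025:10:04:00 +0000] "POST /index.php/j2/user/register HTTP/1.1" 302 0 "-" "ExampleAgent/1.0"',
    'truncated line',
]

if __name__ == "__main__":
    trail, related = trace_ip(SAMPLE, "203.0.113.7")
    for r in trail:
        print(r["ts"].isoformat(), r["method"], r["status"], r["path"])
    print("state-changing:", len(writes(trail)), "same User-Agent:", dict(related))
```

Run it over the logs of every installation together, since the same account appeared on all of them, and compare the POST timestamps with the submission and reviewer-assignment times recorded in OJS.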