Dear colleagues,
I have two sites on the ojs platform, versions 3.3.0.13 and 3.3.0.15. Over the past few months, the sites have been under constant attack. A virus specialist managed to find out that this is happening from hackers in Indonesia through the Citation Style Language plugin for OJS 3.
Now I had to remove this plugin and close the ability for authors to register and upload articles themselves. So far, everything is fine, there have been no attacks for the last week. However, we need to prevent further hacking attempts, restore the plugin and allow authors to upload articles themselves. Will updating the system to version 3.3.0.20 help?
If not, what should I do? Maybe I need to write something in a file in the file manager to protect against hacking?
I am not a professional in website maintenance, I am just the chief editor and site administrator.
Thank you very much!
What is your files_dir setting in the config.inc.php configuration file?
Regards,
Alec Smecher
Public Knowledge Project Team
Thanks; I’m not aware of any security flaws in the citationStyleLanguage plugin. Could you send me a private message with any additional details from your expert about this?
Regards,
Alec Smecher
Public Knowledge Project Team
Thank you for your answer.
I have written to my expert about your request. I am waiting now for his answer.
My expert says that he just intuitively assumed that the problems were in this plugin. If he had seen the logs, he would have fixed the situation himself.
But when we removed this plugin and closed the ability for authors to register and upload articles, there were no hacks yet. But I can’t keep the site in this mode for long. This will negatively affect the rating of journals.
He said that if a new version of ojs is released soon that will not contain these vulnerabilities (possibly 3.3.0.21), then we need to wait and then update the system.
When will the new OJS version be released? What is your opinion?
Thank you.
Without any information on how your site was hacked, it’s impossible to know whether the site has been correctly safeguarded. As long as a hacker does not have Journal Manager or Administrator account credentials, I am not aware of any security flaws in the current stable releases of OJS, OMP, or OPS. I would suggest double-checking your user lists to ensure that there are no mystery accounts with those privileges; unfortunately I can’t say more without further details.
We will release new builds of OJS, OMP, and OPS 3.3.0-x and 3.4.0-x within the next month or so, but again, I’m not aware of any vulnerabilities that these will correct unless a malicious user already has Journal Manager or Site Administrator credentials.
Thanks,
Alec Smecher
Public Knowledge Project Team
Thank you very much for your answer and your advice. I have checked users and their roles. Only I am the manager. I don’t know how I can check admissions. I look only at my profile.
Thank you.
OK, good luck with the relaunch. If you do find further details, and you think you may have discovered an undisclosed security issue, please submit the information privately rather than posting on the public forum. There are details on where to disclose here.
Thanks,
Alec Smecher
Public Knowledge Project Team
I am facing a similar situation in my OJS 3.4.0.8 version. I noticed a range of incomplete submissions from strange names. I attempted to remove some of these registrations but even as an admin, I could remove some. I don’t know if they also made themselves admin. One click on any of those, and my website was gone. I recovered it from backup and activated automatic deletion of incomplete submissions after 24 hours. After 24 hours, the website was attacked again. I recovered it from backup again, deactivated new user registration and deactivated automatic deletion of incomplete submissions.
I need a way forward especially removing these hackers and preventing such strange incomplete submissions.
Hope to get solutions soon
Hi @CHUKWUMA_EZEUKO,
What is the files_dir setting in your config.inc.php configuration file?
Regards,
Alec Smecher
Public Knowledge Project Team
Hi @CHUKWUMA_EZEUKO,
You’re getting hacked because your files_dir is inside public_html. That’s an unsafe configuration, as noted on the installation form, in the configuration file, and elsewhere.
Regards,
Alec Smecher
Public Knowledge Project Team
Thank you. Where should I move the files_dir to?
I cannot find a .htaccess file in my directory.
Hi @CHUKWUMA_EZEUKO,
Where you move it is up to you, and will depend on your server. But it needs to be outside public_html, or else protected from direct access.
Regards,
Alec Smecher
Public Knowledge Project Team
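The files_dir check from the two replies above, as an added example that is not PKP's code: a POSIX shell script that reads files_dir from config.inc.php, resolves it, and reports whether it sits inside the web document root. It also writes a deny-all .htaccess as a stopgap for the case where the directory cannot be moved right away. The config path and the document root are supplied by the caller; a relative files_dir value is assumed (in this script) to be relative to the directory that holds config.inc.php.

```shell
#!/bin/sh
# Added example (not PKP code): is the OJS files_dir reachable over HTTP?
# Assumptions: config.inc.php contains a line of the form `files_dir = /path`
# (quoted or not); caller passes the config path and the document root.

# Print the files_dir value from config.inc.php (first uncommented match).
# Lines starting with ';' are config comments and are skipped by the anchor.
ojs_files_dir() {
    cfg=$1
    v=$(awk '/^[[:space:]]*files_dir[[:space:]]*=/ {
                 sub(/^[^=]*=/, "")                      # drop "files_dir ="
                 gsub(/^[[:space:]]+|[[:space:]]+$/, "")  # trim
                 gsub(/^"|"$/, "")                        # strip quotes
                 print; exit }' "$cfg")
    case "$v" in
        "")  return 1 ;;                                  # no setting found
        /*)  printf '%s\n' "$v" ;;                        # absolute path
        *)   printf '%s/%s\n' "$(dirname "$cfg")" "$v" ;; # assumed relative to the config dir
    esac
}

# Canonicalise a directory (symlinks and `..` resolved) when it exists.
canon() {
    if [ -d "$1" ]; then (cd "$1" && pwd -P); else printf '%s\n' "$1"; fi
}

# Exit 0 when files_dir is the document root or lies under it (uploads are
# directly reachable over HTTP), 1 when it is outside, 2 when unreadable.
files_dir_exposed() {
    cfg=$1; docroot=$(canon "$2")
    fdir=$(ojs_files_dir "$cfg") || return 2
    fdir=$(canon "$fdir")
    case "$fdir" in
        "$docroot"|"$docroot"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stopgap when an exposed files_dir cannot be relocated immediately: tell
# Apache to refuse every direct request into it. This only works where
# AllowOverride permits it, and Nginx ignores .htaccess entirely, so moving
# the directory out of the web root remains the real fix.
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny all direct HTTP access to OJS uploads; OJS serves them through PHP.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Usage: sh check_files_dir.sh /path/to/config.inc.php /path/to/public_html
if [ "$#" -ge 2 ]; then
    files_dir_exposed "$1" "$2"
    case $? in
        0) echo "EXPOSED: files_dir is inside the document root $2" ;;
        1) echo "OK: files_dir is outside the document root" ;;
        *) echo "could not read files_dir from $1" >&2; exit 2 ;;
    esac
fi
```

A result of EXPOSED means every upload, including a PHP file an author smuggled in as a "manuscript", can be requested by URL and executed by the web server; that is the scenario the replies above describe.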
We recently experienced a similar hacking incident on our website. The hacker created a Journal Manager role for themselves and modified the files_dir setting in our config.inc.php to point to a new directory. At the time, we were using OJS version 3.4.0.1, and the files_dir was located inside public_html.
We later worked with the @openjournaltheme team to upgrade from 3.4.0.1 to 3.4.0.8. They did a great job handling the update with minimal downtime and moved the files_dir outside of public_html for better security.
However, I want to make a note — subject to correction — that simply having the files_dir outside public_html does not, by itself, prevent an intrusion. Today, we discovered another breach where a hacker created a Journal Administrator role and made a submission. I immediately informed @openjournaltheme who deleted the unauthorized user and are now investigating further.
- Anil
Thank you very much for your experience.
Is there any way to prevent hackers from getting into the site? Are there any ways to prevent hacks?
Hi @Zhanneta_L_Kozina / all,
You might want to take a look at this post/thread for information on how to review user accounts, particularly for admin roles.
If you have experienced a hack, there really is no substitute for a careful look over the system to determine the means. For example, if there’s a back-door script on the server, check the file creation time and correlate it against the server’s access log to see if you can identify the request that created the script. Unfortunately we can’t do any of that from here.
PKP runs a large hosting operation, and we are not seeing our installs compromised – which suggests to me that folks are either misconfiguring their installations, or were running out-of-date versions of the software for which there are known vulnerabilities. We are attentive to anything to the contrary, but will need details in order to make any investigations. (And again, if you do find details, please contact us privately with those per our security policy.)
Thanks,
Alec Smecher
Public Knowledge Project Team
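The file-to-log correlation suggested in the reply above, scripted as an added example (not PKP's code): list PHP-family files under files_dir (uploads should never contain any), take each file's modification time, and print the access-log requests made within a window around it. It assumes the common Apache/Nginx "combined" log format with timestamps such as [10/Oct/2024:13:55:36 +0000] and a GNU or BSD stat; the log lines embedded below are constructed for the demonstration and are not real traffic.

```shell
#!/bin/sh
# Added example (not PKP code): find dropped PHP files under the uploads
# directory and pull the access-log requests around each file's mtime.
# Assumptions: combined log format with "[dd/Mon/yyyy:HH:MM:SS +zzzz]"
# timestamps; GNU stat (-c %Y) or BSD stat (-f %m) available.

# PHP-family files under an uploads directory.
find_php_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)
}

# Modification time as seconds since the epoch (GNU stat first, then BSD).
file_mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Print log lines whose request time is within WINDOW seconds of EPOCH.
# The zone offset in the timestamp is honoured, so a log written in local
# time still lines up with the UTC epoch that stat reports.
requests_near() {
    log=$1; epoch=$2; window=$3
    awk -v t="$epoch" -v w="$window" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    # Days since 1970-01-01 for a civil date (Howard Hinnant'"'"'s algorithm).
    function days(y, mo, d,   era, yoe, doy, doe) {
        if (mo <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    match($0, /\[[^]]+\]/) {
        n = split(substr($0, RSTART + 1, RLENGTH - 2), a, "[/: ]")
        if (n < 7 || !(a[2] in mon)) next
        off = (substr(a[7], 2, 2) * 3600 + substr(a[7], 4, 2) * 60) * (substr(a[7], 1, 1) == "-" ? -1 : 1)
        ts = days(a[3], mon[a[2]], a[1]) * 86400 + a[4] * 3600 + a[5] * 60 + a[6] - off
        if (ts >= t - w && ts <= t + w) print
    }' "$log"
}

# Constructed sample log for the demonstration (not real traffic): a login,
# an upload, a direct GET of a .php file under /files/, and a request in a
# different time zone that only looks close in wall-clock terms.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Oct/2024:13:50:00 +0000] "GET /index.php/jnl/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:30 +0000] "POST /index.php/jnl/submission/wizard HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:56:10 +0000] "GET /files/journals/1/articles/37/submission/original/37-1.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2024:13:55:40 +0200] "GET /index.php/jnl/issue/current HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
EOF
}

# Usage: sh correlate.sh /path/to/files_dir /var/log/apache2/access.log [window_seconds]
if [ "$#" -ge 2 ]; then
    find_php_uploads "$1" | while IFS= read -r f; do
        echo "== $f (mtime $(file_mtime_epoch "$f"))"
        requests_near "$2" "$(file_mtime_epoch "$f")" "${3:-120}"
    done
fi
```

With the sample log and a file modified at 13:55:36 UTC (epoch 1728568536), a 60-second window returns the POST that uploaded the file and the GET that executed it, and excludes the +0200 request that is actually two hours away. Note that mtime is easily backdated by an attacker, so treat it as a starting point for the search, not as proof.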
Thank you for your reply.
I don’t know where I should search for “user_groups”. In the hosting?
Thank you.
That’s a table in your MySQL database. You can generally access it from your web hosting’s cPanel via an application called phpMyAdmin. If you don’t have experience with SQL, you might need some guidance on how to use it.
Regards,
Alec Smecher
Public Knowledge Project Team
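The account review described in the two replies above, as an added example that is not PKP's code: a query over the OJS 3.x tables users, user_groups and user_user_groups that lists every account holding a Site Administrator or Journal Manager role, wrapped in a shell function so it can be piped into the mysql client or pasted into phpMyAdmin. It assumes the role IDs ROLE_ID_SITE_ADMIN = 1 and ROLE_ID_MANAGER = 16 as defined in the Role class under lib/pkp/classes/security; confirm them against your own release before relying on them.

```shell
#!/bin/sh
# Added example (not PKP code): list privileged OJS accounts.
# Assumptions: OJS 3.x schema (users, user_groups, user_user_groups) and
# role IDs 1 = site administrator, 16 = journal manager.
SITE_ADMIN=1
MANAGER=16

# Print the SQL. Every row is one (account, journal, role) assignment, newest
# registration first, so a recently created "extra" manager is at the top.
privileged_accounts_sql() {
    cat <<EOF
SELECT u.user_id, u.username, u.email, u.date_registered, u.date_last_login,
       ug.context_id,
       CASE ug.role_id
            WHEN $SITE_ADMIN THEN 'site admin'
            WHEN $MANAGER    THEN 'journal manager'
       END AS role
FROM users u
JOIN user_user_groups uug ON uug.user_id = u.user_id
JOIN user_groups ug      ON ug.user_group_id = uug.user_group_id
WHERE ug.role_id IN ($SITE_ADMIN, $MANAGER)
ORDER BY u.date_registered DESC;
EOF
}

# Run it with the mysql client. Pass the database name and any connection
# options; put the password in MYSQL_PWD or ~/.my.cnf rather than on the
# command line, where it would show up in the process list.
#   MYSQL_PWD=... privileged_accounts ojs_db --host=localhost --user=ojs
privileged_accounts() {
    db=$1; shift
    privileged_accounts_sql | mysql --table "$@" "$db"
}

# Usage: sh privileged_accounts.sh DBNAME [mysql options]
if [ "$#" -ge 1 ]; then
    privileged_accounts "$@"
fi
```

Compare the output with the people you know should have those roles; any account you do not recognise, especially one with a recent date_registered, is the "mystery account" the earlier reply warns about. The same query with ROLE_ID_SUB_EDITOR (17) added to the IN list catches editors as well.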