Regarding Recent OJS “Defacement” Attacks
Since about March 29, 2017, reports of widespread “hacking”, or defacement, of OJS sites have been causing some concern. The “hacking” has involved pointing to an image that has been uploaded to the affected sites, the presence of which supposedly indicates successful defacement.
This isn’t a hack or a defacement, though it has been reported as such by the perpetrator(s). OJS, like many similar systems, does allow users to register with the application, and as part of the user registration/configuration process, users can upload a profile photo to accompany a biographical statement. The system will check to confirm that the uploaded file is in fact an image (rather than an executable or malicious file), but can’t control what image the user uploads.
In these cases, the alleged defacement occurs like so:
- the defacer searches for OJS journals online;
- they register an account with the journal (often with username “a”);
- they then upload a profile photo that suggests the site has been defaced (typically one named “ppy.png” that says, for example, “HACKED BY Mr E[R]”);
- finally, they notify various security agencies of the now “defaced” site by providing a direct link to the image, in order to take credit.
No more, no less. This “hacker” doesn’t have any privileged access to the system (and usually doesn’t even register as a reader or author), and the photo doesn’t appear anywhere unless it is explicitly linked to directly (which the “hacker” would know simply by virtue of where OJS stores publicly available files). In this case, we believe that the “hacker” has publicized the location of these images to try and build up some sort of reputation. This has resulted in a fair amount of confusion and understandable, though unnecessary, concern.
For journals hosted by PKP Publishing Services, we take the following steps (and suggest that, if you maintain an OJS instance, you do the same):
- delete the user account in question (e.g. the user account “a”);
- confirm that captcha on user registration is enabled in config.inc.php (this won’t stop all registrations, but it will significantly slow down automated attempts);
- delete the problematic file (e.g. “ppy.png”) from the system.
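The second step above can be checked without opening the file by hand. The following is an added example, not PKP's or OJS's own code; it assumes the `[captcha]` section keys `captcha`, `recaptcha` and `captcha_on_register` as they appear in the OJS config template, and shows the weak setting (a captcha engine turned on but not applied to registration) beside the corrected one.

```python
"""Check whether an OJS config.inc.php enables CAPTCHA on user registration.

Added example, not PKP/OJS code. Assumes the [captcha] section keys
`captcha`, `recaptcha` and `captcha_on_register` from the OJS config
template; adjust the key names if your OJS version differs.
"""
import configparser

TRUE_VALUES = {"on", "1", "true", "yes"}


def _flag(section, key):
    """True if an INI value reads as enabled (OJS writes On/Off)."""
    return section.get(key, "off").strip().strip('"').lower() in TRUE_VALUES


def captcha_on_register_enabled(config_text):
    """Parse config.inc.php text. True only if a CAPTCHA engine is on AND
    it is applied to registration; False if the section or keys are missing."""
    parser = configparser.ConfigParser(
        interpolation=None,
        strict=False,                     # OJS configs may repeat keys (base_url[...])
        inline_comment_prefixes=(";",))   # OJS uses ';' for comments
    parser.read_string(config_text)       # the leading ';<?php exit(); ?>' line is a comment
    if "captcha" not in parser:
        return False
    sec = parser["captcha"]
    engine_on = _flag(sec, "captcha") or _flag(sec, "recaptcha")
    return engine_on and _flag(sec, "captcha_on_register")


# Constructed sample config: the weak setting, a CAPTCHA engine enabled but
# not applied to registration, so automated sign-ups are not slowed down.
WEAK_CONFIG = """\
;<?php exit(); // DO NOT DELETE ?>
[general]
installed = On
base_url = "https://journal.example.org"   ; placeholder URL

[captcha]
captcha = on
captcha_on_register = off
"""

# The corrected setting: the same file with CAPTCHA applied to registration.
FIXED_CONFIG = WEAK_CONFIG.replace("captcha_on_register = off",
                                   "captcha_on_register = on")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        state = "enabled" if captcha_on_register_enabled(text) else "DISABLED"
        print(f"{name}: captcha on registration {state}")
```

Run it against the real file with `captcha_on_register_enabled(open("config.inc.php").read())`; a `False` result means automated registrations like the ones described above are not being slowed down.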
In summary, this is not a “hack.” Do not be misled by any claims to the contrary. If you still have any questions or concerns please consult the PKP Community Forum.