Finding and Cleaning OJS (Open Journal System) Malicious Trojan Files
OJS (Open Journal System) is a well-known, open-source, PHP-based web publishing software for academic journals. Its source is available on GitHub: https://github.com/pkp/ojs
I encountered some small attacks on my OJS web site (version 3.3.0–20) that just changed some files, adding links to other web sites.
The OJS maintainers recommend a specific precaution: keep uploaded publication files in a path other than the one where config.inc.php resides.
If you find a maliciously generated new index.html file or an edited index.php file, the files directory probably resides in the root directory, next to the config.inc.php file. So first move the uploaded files to a path other than the one where config.inc.php resides.
However, you may still experience the same vulnerability after changing the path of the files. This is because the trojan files behind the infection could still be there and continue to manipulate your files. So you must detect and remove those files.
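To detect those trojan files, you should look for executable files. So I ran this command in the directory where the config.inc.php file resides:
find . -type f -exec bash -c '[[ $(file -b "$1") == *" executable "* ]]' _ {} \; -print
It prints every file whose type description from file contains the word "executable". Each file name is handed to bash as the argument $1 instead of being substituted into the script text, so a file name containing quotes or shell syntax cannot break or alter the command.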
In my case, the directories that contain malicious executables are in the plugins directory.
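The two checks described above, as an added example that is not part of the original post or of OJS: whether files_dir from config.inc.php still resolves inside the OJS root, and which files under a directory carry an execute bit or are described by file(1) as executable. The function names and the broader match on the word executable are assumptions of this example.

```sh
#!/bin/sh
# Added example: triage helpers for an OJS install (not OJS project code).

# Print the files_dir value from an OJS config.inc.php (first match wins).
files_dir_of() {
  sed -n -e 's/[[:space:]]*$//' \
    -e 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1" |
    head -n 1 | tr -d '"'
}

# Return 0 (risky) when files_dir resolves to a path inside the OJS root,
# i.e. next to config.inc.php; 1 when it lives elsewhere; 2 on error.
files_dir_inside_root() (
  root=$(cd "$1" && pwd -P) || return 2
  dir=$(files_dir_of "$root/config.inc.php")
  [ -n "$dir" ] || return 2
  case $dir in /*) ;; *) dir="$root/$dir" ;; esac
  dir=$(cd "$dir" 2>/dev/null && pwd -P) || return 2
  case "$dir/" in "$root"/*) return 0 ;; *) return 1 ;; esac
)

# List files under $1 that carry an execute bit or that file(1) describes as
# executable. Names reach the inner shell as arguments, never as script
# text, so a hostile file name cannot run code.
scan_executables() {
  find "$1" -type f -exec sh -c '
    for f do
      desc=$(file -b -- "$f" 2>/dev/null || true)
      case $desc in *executable*) hit=1 ;; *) hit=0 ;; esac
      if [ -x "$f" ] || [ "$hit" -eq 1 ]; then
        printf "%s\t%s\n" "$f" "${desc:-type unknown}"
      fi
    done' _ {} +
}

# Usage: sh ojs_triage.sh /path/to/ojs   (does nothing without an argument)
if [ "$#" -ge 1 ]; then
  if files_dir_inside_root "$1"; then
    echo "WARNING: files_dir is inside the OJS root"
  fi
  scan_executables "$1/plugins"
fi
```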