fix ojs hack judol betting site

How to fix OJS judol hack?

Gambling and betting-site hacks (judol) are a growing threat to the OJS platform. This article is a comprehensive guide to fixing a hacked OJS site.

Why is your journal getting hacked?

Judol, the online gambling or betting site hack, has recently become a common attack on OJS journals, and a fix for it is in strong demand. In the OJS community, more and more journals are becoming victims of hacks that damage their reputation and can even result in removal from reputable indexing.

Many OJS users have cried out about being victims of OJS exploitation.

Because many OJS users have been hacked this way, this article covers how you can fix and prevent hacks that target OJS sites. It is relevant not only to the judol hack; it also applies if your OJS site becomes the victim of other hacking activity.

The root cause of the OJS judol hack

The question is: why have hackers recently been able to hack journal sites?

The root cause of this problem lies in recently published OJS vulnerabilities. For more details about these vulnerabilities, including how to patch them, see these links:

  1. https://openjournaltheme.com/user-xml-fatal-vulnerabilities-for-ojs-omp-ops-3-3-0-21-cve-2024-56525/
  2. https://openjournaltheme.com/urgent-critical-vulnerabilities-in-3-3-0-18-upgrade-your-ojs-now/
  3. https://github.com/pkp/pkp-lib/commit/7ffd51c00a20b55b14e6abe95fb30949bbfd204e
  4. https://openjournaltheme.com/critical-vulnerabilities-on-ojs-3-2-3-3-version3/

The quickest way to prevent this issue is to upgrade your journal to the latest release (the latest 3.3 or 3.4 version).

Online gambling, betting sites or judi online (judol) is illegal in Indonesia, yet its promotion persists through alarming tactics like hacking institutional websites (.ac.id, .go.id, .edu) to insert hidden backlinks. These links boost gambling sites’ search rankings by exploiting the trusted domains’ SEO authority. Even more disturbing, hackers reportedly earn bounties for each successful backlink insertion, creating a black-market incentive for these cybercrimes.

This scheme violates Indonesian law while exposing students and the public to gambling risks. Compromised institutional sites also face security threats, including malware and data breaches. Authorities must strengthen website security, remove malicious backlinks, and crack down on this illegal SEO manipulation. Public vigilance is crucial—report any suspicious links on trusted domains to help combat this digital threat.

With this emerging phenomenon, many domains with educational extensions, including subdomains that host OJS, suffer from this issue. The attacks are no longer random: they now target OJS because it is open source, which makes it easier for hackers to study the code and find its weaknesses, and because a vulnerability or backdoor for a journal on an educational domain sells for more than one for a regular site such as a personal blog.

This article is part of our OJS security-focused posts. For other OJS security tips, read:

  1. How to protect from OJS site?
  2. How to fix hacked OJS site?

How to detect if your site is getting hacked, with an easy method?

Hackers can easily find OJS sites by typing a query like this into Google Search:

intext:"Open Journal Systems" AND intext:"3.4." AND (inurl:journal OR inurl:journals)

This shows domains that use OJS 3.3 or 3.4, versions with known vulnerabilities (for example, see CVE-2024-50965 and CVE-2024-56525).

If you are using OJS 3.3 or 3.4, this article explains how they hack your site.

How to know if your journal is getting hacked?

It is very easy to detect whether the PKP platform you are using, including OJS, OMP, and OPS, has been hacked.

You can search Google with a basic query like this:

site:journalexample.com +gacor +toto +slot
Example of the Google results returned by the detection query for your site.

You can also use this method:

Open Google and search using the keyword open journal systems 3.3 “gacor”. The word “gacor” can be replaced with other terms related to gambling sites, such as toto, slot, etc., as needed. Open one of the sites that appear in the search results, then view the page source. There is a high chance that you will find hidden gambling site backlinks embedded within the journal.
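The page-source check described above can be automated. The following Python scanner is an added example, not code from the original article or from OJS: it flags links whose URL or text contains one of the article's keywords and notes whether the link is hidden by an inline style. The hidden-style heuristics and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Keywords named in the article; extend for other gambling terms. Plain
# substring matching is deliberate and can over-match, so review every hit.
KEYWORDS = ("gacor", "toto", "slot")
# Inline-style patterns that hide an element (heuristic list assumed here).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class BacklinkScanner(HTMLParser):
    """Collect <a> tags whose URL or text matches a gambling keyword."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []     # (tag, hidden) for every open element
        self.link = None    # anchor currently being read
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1][1]
        hidden = (inherited or "hidden" in attr
                  or bool(HIDDEN_STYLE.search(attr.get("style") or "")))
        if tag not in VOID:
            self.stack.append((tag, hidden))
        if tag == "a" and attr.get("href"):
            self.link = {"href": attr["href"], "text": "", "hidden": hidden}

    def handle_data(self, data):
        if self.link is not None:
            self.link["text"] += data

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):   # close nearest match
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
        if tag == "a" and self.link is not None:
            haystack = f'{self.link["href"]} {self.link["text"]}'.lower()
            hits = sorted(k for k in KEYWORDS if k in haystack)
            if hits:
                self.findings.append({**self.link, "keywords": hits})
            self.link = None

def scan_html(html):
    """Return one dict per suspicious link: href, text, hidden, keywords."""
    scanner = BacklinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: two injected links, one legitimate link.
SAMPLE = """<html><body><h1>Journal of Example Studies</h1>
<a href="/index.php/jes/issue/current">Current Issue</a>
<div style="display:none"><a href="https://gambling.example/slot-gacor">situs slot gacor</a></div>
<a href="https://betting.example/" style="position:absolute;left:-9999px">Toto 4D</a>
</body></html>"""
```

Run `scan_html()` on the saved source of your journal's home page, footer and article pages; links hidden through an external stylesheet or injected by JavaScript are not caught by this inline-style check.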

What can a hacker do to your journal site?

Academic journals and institutional websites, particularly those running Open Journal Systems (OJS), are increasingly being targeted by malicious actors seeking to manipulate search rankings for illegal online gambling sites. One of the most concerning tactics involves unauthorized access to a journal’s Google Search Console account, allowing attackers to monitor and register backlinks pointing to gambling domains. By gaining control of the Search Console, hackers can track which backlinks are indexed by Google, refine their black-hat SEO strategies, and ensure their spam links remain undetected for as long as possible.

Once inside, attackers may further compromise the journal’s website by uploading a malicious plugin containing a hidden backdoor. These backdoors are often disguised as legitimate plugins to avoid suspicion. For example, they might use names like:

  1. PDF.js Viewer Plugin (a seemingly harmless document viewer)
  2. Scopus Citation Plugin (mimicking a trusted academic tool)
  3. Gabut Plugin (using a generic or even humorous name to appear benign)

These plugins may appear functional on the surface but contain hidden code that allows attackers to maintain persistent access, inject additional spam links, or even deface the website. Since many journal administrators do not regularly audit their plugin directories, these backdoors can remain undetected for months or even years.
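One way to audit the plugin directory is to compare it with the same directory from a clean copy of the release you run. The following Python sketch is an added example, not part of the original article or of OJS; the directory layout (category/plugin/files), the file names and the tampered demo tree are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def plugin_of(rel_path):
    """'generic/foo/bar.php' -> 'generic/foo' (category/plugin), else None."""
    parts = rel_path.split("/")
    return "/".join(parts[:2]) if len(parts) >= 3 else None

def audit_plugins(live_dir, clean_dir):
    """Compare the live plugins/ tree with the same tree from a clean release."""
    live, clean = tree_hashes(live_dir), tree_hashes(clean_dir)
    known = {plugin_of(f) for f in clean}
    added = sorted(set(live) - set(clean))
    return {
        # Plugin folders that the clean release does not ship at all
        "unknown_plugins": sorted({plugin_of(f) for f in added} - known - {None}),
        # New files, including ones dropped inside a legitimate plugin
        "added_files": added,
        # Shipped files whose content no longer matches the release
        "modified_files": sorted(f for f in live.keys() & clean.keys()
                                 if live[f] != clean[f]),
    }

def demo():
    """Constructed trees: names and contents are placeholders, not real plugins."""
    shipped = {"generic/viewer/ViewerPlugin.php": "<?php /* viewer */",
               "generic/viewer/version.xml": "<version/>",
               "blocks/info/InfoBlock.php": "<?php /* block */"}
    with tempfile.TemporaryDirectory() as tmp:
        for tree in ("clean", "live"):
            for rel, body in shipped.items():
                path = Path(tmp, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        live = Path(tmp, "live")
        # Simulated tampering: a new plugin folder, a dropped file, an edited file
        (live / "generic/backdoorPlugin").mkdir()
        (live / "generic/backdoorPlugin/backdoor.php").write_text("<?php /* placeholder */")
        (live / "generic/viewer/cache.php").write_text("<?php /* placeholder */")
        (live / "blocks/info/InfoBlock.php").write_text("<?php /* changed */")
        return audit_plugins(live, Path(tmp, "clean"))

if __name__ == "__main__":
    for key, values in demo().items():
        print(key, values)
```

Plugins you installed deliberately after the base install also show up as unknown, so check each reported folder against what your team actually installed.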

Negative impacts of a hacked OJS site:

  1. The journal may host online gambling content or redirect users to phishing sites. In countries where online betting is illegal, your domain could be blocked by local networks if it is found to host or be associated with gambling, betting, judi online or ‘JUDOL’ websites.
  2. Google Scholar may permanently block the journal’s domain if its crawler detects the site has been compromised. A security breach undermines the journal’s credibility, and Google will interpret this as poor maintenance, potentially resulting in permanent removal from the platform.
  3. The journal loses credibility and trust among authors: once they find out the journal has been hacked, they take it as an indication that their past and future work may be under threat.
  4. Hackers can completely wipe out all data or databases with relative ease.
  5. In some cases, hackers can alter or upload fraudulent metadata to published articles. This is particularly damaging, as it allows attackers to inject illegitimate publications, compromising the journal’s credibility and academic integrity.

How hackers can hack your site:

While hackers can exploit multiple vulnerabilities to gain unauthorized access to websites – particularly on PKP platforms (OJS, OMP, OPS) – we’ve identified and documented the most common attack vectors targeting OJS installations.

  1. Given that Open Journal Systems (OJS) operates as an open-source platform, its publicly accessible source code presents a unique security challenge. Malicious actors can thoroughly analyze the codebase to identify potential security flaws, backdoors, or vulnerabilities in the system architecture. This detailed examination enables attackers to develop sophisticated exploits that specifically target weaknesses in the OJS framework, potentially compromising the integrity of journal websites running on this platform. The open nature of the code, while beneficial for transparency and community development, unfortunately provides hackers with a comprehensive blueprint of the system’s inner workings, allowing them to craft precise attacks that can bypass standard security measures and gain unauthorized access to sensitive editorial content, user data, and administrative functions.
  2. By leveraging publicly disclosed vulnerabilities (CVEs) or newly discovered flaws through simple Google searches like ‘ojs cve’, attackers can then identify vulnerable OJS-based journal sites using Google Dork techniques. Attackers can easily identify exploitable OJS instances by checking version numbers against known CVEs, making it a low-effort, high-reward target.
  3. After gathering information about the victim, the hacker uses a published CVE (for example CVE-2024-50965) and registers as a legitimate author. He then uploads JavaScript code that runs in the background when the editor clicks the submission title. Without the editor knowing, he has escalated his privileges to administrator.
  4. After gaining administrator access, attackers typically upload malicious plugins disguised as legitimate ones – often using names like ‘Scopus Citation’ or ‘PDF Viewer’ that appear trustworthy. These plugins secretly function as backdoors, maintaining persistent access while evading suspicion.
  5. The hacker then accesses the plugin by its direct path, such as: journal.com/plugins/generic/backdoorPlugin/backdoor.php
  6. The next action may be to take over ownership of the site in Google Search Console and submit multiple backlink sites to it using an XML file (for example, a file named gacor.xml). The XML file contains a list of sites for Google to crawl, so that Google recognizes the links as related to the domain.

With this technique the hacker gains a better search engine rank because their gambling site has a “citation” from a legitimate site. The drawback: your journal will be considered to host or be affiliated with a gambling site, which decreases the credibility of your journal.

  7. Does the hacker stop at this? Attackers rarely stop here. The backdoor often enables further exploitation, like data theft or server takeover.

No, hackers typically don’t stop there. They often deploy additional malware beyond just compromising the application layer (OJS). Attackers commonly install multiple backdoors to establish persistent server access via SSH – even bypassing VPN protections. Through privilege escalation from www-user to root, they can open new ports and create hidden entry points.

With full server control, attackers can:

  • Hijack other websites on the same server
  • Access and exfiltrate databases
  • Steal credentials for lateral movement
  • Use the compromised server as a launchpad for brute-force attacks against other systems

This creates a chain of vulnerabilities that extends far beyond the initial OJS breach.

How to fix a hacked OJS after such an incident?

  1. Access your Google Search Console and remove the newly added XML file. If you did not register your journal/domain to Google Search Console, you can follow this guide:
    https://www.youtube.com/watch?v=qVB1MdwvYNo
    This step is critical for eliminating all backlink records connecting your site to gambling platforms, thereby severing any association with these illegal websites.
  2. Remove any unknown users from your Google Search Console account; follow this guide:

Need better hosting that handles and helps you manage OJS? 🚀
For maximum security and performance, use dedicated OJS hosting or our Support Package with expert support instead of generic providers like other general-purpose hosting. Our specialized hosting offers proactive security, faster speeds, dedicated expert staff, and daily backup that shared hosting can’t provide. With our in-house Guardian AI and OJT Advance Security Plugin, you get the best protection for your valuable journal

  3. Removing the malware

The first malware removal method is a thorough root cause analysis: examine the server access logs meticulously to identify malicious activity patterns (you can skip this if you do not have the knowledge to do such analysis).

  4. Temporarily suspend the site, then patch or upgrade your OJS. For instructions on patching OJS, read: How to patch OJS, or watch this video: https://www.youtube.com/watch?v=8dyddt8pKvA
  5. Move to a fresh new server. A hacker can hide backdoors or obtain credentials for the server, so even if your server already requires a VPN to connect, assume the hacker can still log in remotely another way. The quick way to solve this is to move OJS to a fresh new server.
  6. Change the credentials of all journal manager, editor, and admin roles right away, because they have been exposed through the backend application and the hacker may still have access to the site. Since hackers can obtain credentials from data breaches, we built a plugin, OJT Advanced Security, that protects against this by validating the credential with a second method, email address validation. The plugin smartly activates 2-way authentication when a user triggers a pattern considered suspicious. Regularly changing the credentials of those roles is a must.
  7. To detect hidden OS-level backdoors, you must perform an exhaustive system investigation by examining newly opened ports, analyzing suspicious files in critical directories like /dev/shm/ and /tmp/, reviewing unauthorized changes to system files such as /etc/passwd, and identifying any illicit root users. This forensic process is inherently complex and time-intensive, often requiring days or even weeks of meticulous analysis, as skilled attackers deliberately employ advanced evasion tactics. These adversaries excel at concealing malware in unconventional locations and establishing sophisticated persistence mechanisms that defy standard detection methods, making complete remediation an exceptionally challenging task that demands specialized expertise.
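For the access-log review in the "Removing the malware" step, a useful first pattern is the one this article describes: a script inside a plugin folder requested by its direct path. The following Python sketch is an added example, not part of the original article or of OJS. It assumes the common/combined access-log format and that normal OJS pages are served through index.php, and the log lines use constructed data with documentation IP addresses.

```python
import re
from urllib.parse import unquote, urlsplit

# Common/combined access-log format (assumed; adjust for a custom LogFormat).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# A script requested directly inside a plugin folder instead of via index.php.
PLUGIN_SCRIPT = re.compile(r"/plugins/[^/]+/[^/]+/(?:.*/)?[^/]+\.(?:php\d?|phtml)$", re.I)

def direct_plugin_requests(lines):
    """Group direct script requests under /plugins/ by path, served ones first."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line in the assumed format
        path = unquote(urlsplit(m["target"]).path)   # drop query, decode %xx
        if not PLUGIN_SCRIPT.search(path):
            continue
        h = hits.setdefault(path, {"path": path, "requests": 0, "served": 0,
                                   "posts": 0, "ips": set(), "first_seen": m["ts"]})
        h["requests"] += 1
        h["served"] += int(m["status"].startswith("2"))  # 2xx: the script answered
        h["posts"] += int(m["method"] == "POST")
        h["ips"].add(m["ip"])
    return sorted(hits.values(),
                  key=lambda h: (-h["served"], -h["requests"], h["path"]))

# Constructed log lines (documentation IP ranges, placeholder plugin names).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2025:10:01:02 +0000] "GET /index.php/jes/article/view/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2025:10:01:03 +0000] "GET /plugins/generic/viewer/styles/viewer.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2025:10:04:11 +0000] "GET /plugins/generic/viewer/ViewerPlugin.php HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2025:10:05:40 +0000] "GET /plugins/generic/backdoorPlugin/backdoor.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:05:52 +0000] "POST /plugins/generic/backdoorPlugin/backdoor.php?x=1 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Mar/2025:02:17:09 +0000] "POST /plugins/generic/backdoorPlugin/backdoor.php HTTP/1.1" 200 90 "-" "python-requests/2.31"
""".splitlines()

if __name__ == "__main__":
    for row in direct_plugin_requests(SAMPLE_LOG):
        print(row)
```

The `first_seen` timestamp of a served script gives a starting point for the timeline, and the listed IPs can be searched across the rest of the log to find the earlier requests that led to the upload.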

Yes, we also tried doing that, as we have already experienced such an issue when handling thousands of clients, so we decided to invest in our in-house cyber-security tool, which we call OJT Guardian. It acts as an Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) to prevent such issues and achieve high security for our hosting service or support service.

More required steps to fix this issue:

  • On the new server, use only SSH keys, not passwords, and never combine the OJS platform with another platform such as a custom-built website or WordPress.
  • For other tips, read our article: How to secure OJS?
  • If your site has suffered from this hack and was removed from Google Scholar, read our article: Why Google not indexed an OJS journal site?

What can you do to prevent OJS from being hacked?

New vulnerabilities in OJS keep appearing, so staying on top of security is just as important as publishing great content. It’s not enough to focus only on article quality – you need to protect your platform too. That means regularly updating OJS, monitoring for suspicious activity, and securing your server properly. If you ignore these technical aspects, you’re leaving your journal vulnerable to attacks that could compromise data or even take down your site. The most successful journals find the right balance between maintaining high academic standards and keeping their systems locked tight against threats.

We have made a basic summary of how to prevent such issues.

  1. Host OJS on its own server; never put it alongside another application such as WordPress or other unsecured web applications.
  2. Choose only hosting that is built for OJS, as WordPress-style hosting does not fully protect you from OJS vulnerabilities.
  3. Change the credentials of the journal manager, editor and admin regularly, and use strong password combinations.
  4. Use only the latest version of your OJS release line, or update your OJS regularly.
  5. Find and remove spammy users in your OJS user list.
  6. Enable email validation for OJS registrations (it isn’t active by default) by modifying your config.inc.php file as shown after this list. This ensures only users with verified email addresses can register.
  7. You can also improve your OJS security by following our article: How to secure your OJS?

;;;;;;;;;;;;;;;;;;
; Email Settings ;
;;;;;;;;;;;;;;;;;;

[email]

require_validation = On

FAQ

  1. I use Cloudflare. Is my OJS secure?

While Cloudflare provides essential protection against common attacks like SQL injection (SQLI) and local file inclusion (LFI), it does not safeguard against advanced exploits such as zero-day vulnerabilities or public CVEs affecting the version used by the publisher. Zero-days are previously unknown security flaws, often undetected even by developers, that attackers can exploit before patches become available. For comprehensive protection, organizations must implement additional security measures beyond Cloudflare, including regular software updates, server-side monitoring, and vulnerability scanning.

This is why we created our custom tool specialized for OJS protection: it protects the server with Guardian AI and protects OJS, including against link injection hacks that lead to judol sites, with OJT Advanced Security.

  2. I use GoDaddy to host my OJS, and they promote that they have a special security tool?

We’ve encountered multiple cases where clients using GoDaddy, Inmotion, and other hosting experienced website defacements. While GoDaddy provides basic hosting services, it lacks dedicated security protections for hosted websites that are built specifically for OJS. Without additional safeguards like:

  • Web Application Firewalls (WAF)
  • Real-time file integrity monitoring
  • Malware scanning and removal

attackers can easily compromise vulnerable sites. Shared hosting environments are particularly at risk of cross-contamination from neighboring infected sites.


About the Author

Project Manager

Hendra here, I love writing about OJS and share knowledge about OJS. My passion is about OJS, OMP platform and doing some research on creating innovated products for that platform to help publisher to improve their publication.
