Same issue here, nextcloud 31.0.1
Same issue here, NC 31.0.1. And SELECT * FROM oc_storages_credentials; returns an empty set.
me too
|Error|no app in context|ExceptionHMAC does not match.
Could not decrypt or decode encrypted session data|
| — | — |
any solutions ?
I have exactly same on version 31.0.5.
I’m using keepass files via WebDAV and all my keepass apps (Windows, Mac, IOS, Android) cause HMAC Exception. Table oc_storages_credentials in MariaDB is empty.
Hi all!
I have the same error message on a clean install. No add-ons, or anything. I’m going to file under “bug” until further notice.
HTH
And as well as same. 31.0.5. Just fresh install as TrueNAS App (I.e. Docker AIO)
And as well as same. 31.0.6
Error no app in context Exception HMAC does not match.
Any idea?
Try clear all site cookies/local storage from the browser
Same issue here (NC 30.0.12.2)
Same issue here on version 31.0.7
1 Like
Same issue here on version 31.0.8
The GitHub issue [Bug]: HMAC does not match. Could not decrypt or decode encrypted session data · Issue #42157 · nextcloud/server · GitHub is still open. A pull request is currently marked as “Draft,” fix(session): Make session encryption more robust by ChristophWurst · Pull Request #47396 · nextcloud/server · GitHub which may eventually resolve the problem. Until that PR is officially implemented and merged, it’s best not to assume the issue will be fixed in upcoming server releases. Keep an eye on the repository for updates.
2 Likes
Getting the same issue on version 32.0.2…
I’m having the same issue with Nextcloud Hub 25 Autumn (32.0.2). I have several Windows and Android clients connected. Everything works great A+. But this error is ruining my perfectionism.
1 Like
I was hit by the same issue all day yesterday. Really hope, someone will look into this bug.
According to the logs, it began slowly two days ago, and as it progressed, more and more HMAC errors turned up. Yesterday, I couldn’t access my server for 12 hours. Eventually, the issue resolved itself and so far I only have a single error from 02:35 in the log.
1 Like
Hallo zusammen.
Schliesse mich der Fehlermeldung an.
Derzeit habe ich 15.000 bis 20.000 dieser Meldungen/Fehler täglich im Protokoll (32.0.3). Lösungen habe ich auch noch nicht gefunden. Aber die Funktion ist nicht beeinträchtigt.
Hello everyone.
I'm experiencing the same error message.
Currently, I'm seeing 15,000 to 20,000 of these messages/errors daily in the log (32.0.3). I haven't found any solutions yet either. However, the functionality isn't affected.
For me this posting was really helpful. I checked my Apache log files and found out that some IPs tried out several non existing URLs (HTTP error 404). Here’s an example:
68.218.114.244 - - [26/Dec/2025:10:54:11 +0100] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 8933 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:12 +0100] "GET /nc4.php HTTP/1.1" 302 1291 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:13 +0100] "GET /nc4.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:14 +0100] "GET /d4.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:14 +0100] "GET /ad.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:15 +0100] "GET /dlex.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:16 +0100] "GET /classwithtostring.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:16 +0100] "GET /pass.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:18 +0100] "GET /good.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:18 +0100] "GET /ext.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:19 +0100] "GET /class20.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:20 +0100] "GET /css/index.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:20 +0100] "GET /aa.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:21 +0100] "GET /npi.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:22 +0100] "GET /ahax.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:23 +0100] "GET /pop.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:23 +0100] "GET /file17.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:24 +0100] "GET /wp-includes/fonts/themes.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:25 +0100] "GET /about.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:25 +0100] "GET /litanies.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:26 +0100] "GET /g.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:27 +0100] "GET /readme.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:27 +0100] "GET /kwm4.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:28 +0100] "GET /just2.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:29 +0100] "GET /png.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:30 +0100] "GET /geger.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:31 +0100] "GET /let.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:32 +0100] "GET /np.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:33 +0100] "GET /ask.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:33 +0100] "GET /CLA.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:34 +0100] "GET /wp-admin/index.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:35 +0100] "GET /mek.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:36 +0100] "GET /fjpeb.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:36 +0100] "GET /ex.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:37 +0100] "GET /asd67.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:38 +0100] "GET /zwso.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:38 +0100] "GET /alfa.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:39 +0100] "GET /shlo.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:40 +0100] "GET /sec.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:41 +0100] "GET /natural.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:42 +0100] "GET /1.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:43 +0100] "GET /z.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:43 +0100] "GET /law.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:44 +0100] "GET /bluejackets.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:45 +0100] "GET /php.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:45 +0100] "GET /sx21_1.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:46 +0100] "GET /1aa.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:47 +0100] "GET /nx9.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:47 +0100] "GET /file.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:48 +0100] "GET /aw.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:49 +0100] "GET /sfvul.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:49 +0100] "GET /icdwb.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:50 +0100] "GET /ticket.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:51 +0100] "GET /elp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:52 +0100] "GET /k.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:53 +0100] "GET /amphicyon.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:53 +0100] "GET /wsad.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:54 +0100] "GET /lock1.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:55 +0100] "GET /xp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:55 +0100] "GET /e.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:56 +0100] "GET /v3.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:57 +0100] "GET /akcc.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:57 +0100] "GET /minik.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:58 +0100] "GET /asasx.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:59 +0100] "GET /nx.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:59 +0100] "GET /themes.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:00 +0100] "GET /acp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:01 +0100] "GET /xpw.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:02 +0100] "GET /lufix.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:03 +0100] "GET /akp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:03 +0100] "GET /cwsd.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:04 +0100] "GET /tll.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:06 +0100] "GET /Okxob.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:06 +0100] "GET /idea.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:07 +0100] "GET /pepe.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:08 +0100] "GET /v2.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:09 +0100] "GET /yca.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:10 +0100] "GET /lock360.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:10 +0100] "GET /ot.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:11 +0100] "GET /bolt.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:12 +0100] "GET /j.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:13 +0100] "GET /s.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:13 +0100] "GET /ucp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:14 +0100] "GET /zse.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:15 +0100] "GET /0x.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:15 +0100] "GET /403.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:16 +0100] "GET /gfile.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:19 +0100] "GET /doc.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:20 +0100] "GET /orm.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:20 +0100] "GET /ay.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:21 +0100] "GET /buy.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:22 +0100] "GET /test.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:22 +0100] "GET /wsa.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:23 +0100] "GET /wolv.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:24 +0100] "GET /ea3f.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:24 +0100] "GET /price.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:25 +0100] "GET /gmo.php HTTP/1.1" 404 5737 "-" "-"
I added a fail2ban jail for that (found a definition in the german ubuntuusers wiki) and used maxretry = 5 and findtime = 10 (seconds) since they try several URLs within a short period of time as one can see in the example above.
Hi @stefannagy,
These scans have been appearing in my log file for quite some time now.
Initially, I did set up a fail2ban rule/jail:
# /etc/fail2ban/jail.d/apache-php-scanner.local
[apache-php-scanner]
enabled = true
filter = apache-php-scanner
logpath = /var/log/apache2/access.log
maxretry = 1
bantime = 86400
# Which ports to block (http/https)
port = http,https
protocol = tcp
# Use automatic backend detection
backend = auto
# Never ban local/admin ranges — adjust to your environment.
ignoreip = 127.0.0.1/8 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
# No explicit action -> use Fail2ban default action
with this filter:
# /etc/fail2ban/filter.d/apache-php-scanner.conf
[Definition]
# typical files from bad boy scans
failregex = ^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /1\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /404\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /96i\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /\.well-known/.*\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /\.well-knownold/ HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /Admin/uploads/ HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /ALFA_DATA/ HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /CLA\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /Sanskrit\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /a\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /aa\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /aaa\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /aaaa\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /abcd\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /about\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /adminfuns\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /admin/function\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /admin/uploads/ HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /ahax\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /ar\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /asd67\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /autoload_classmap\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /axx\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /bless\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /bolt\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /bv3\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /cfile\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /class9\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /co\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /cool\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /dejavu\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /dex\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /ffile\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /file\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /file17\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /file2\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /file4\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /file5\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /file7\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /file8\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /gfile\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /gmo\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /gold\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /golden\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /great\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /lc\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /lock360\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /lo\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /moon\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /nc4\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /new\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /num\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /ol\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /ot\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /pass\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /past\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /pp\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /re\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /ss\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /(upload|uploads)/.* HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /userfuns\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /we\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /witmm\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /(wp-admin|wp-includes|wp-content)/.* HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /wp-.*\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /wp\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /wsr2\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /xpas2\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) /z\.php HTTP/[12]\.[01].*
^<HOST> - - \[.*\] "(?:GET|HEAD|POST) [^"]*/cache\.php\?pass=[0-9a-fA-F]{32} HTTP/[12]\.[01].*
I created the rules with the utmost care. They precisely match the pattern of the recurring scans. Since these are exclusively non-existent targets on my server, I use ‘maxretry = 1’, meaning these IPs are banned for 24 hours on the first attempt.
And then I started to analyze the IPs more closely, and I discovered that they all originated from Microsoft Azure Cloud Infrastructure, like the IP in your example:
whois 68.218.114.244
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#
# start
NetRange: 68.218.0.0 - 68.221.255.255
CIDR: 68.218.0.0/15, 68.220.0.0/15
NetName: MSFT
NetHandle: NET-68-218-0-0-2
Parent: NET68 (NET-68-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Microsoft Corporation (MSFT)
/ ... etc. /
Microsoft has been scanning web servers worldwide on a large scale for years, but particularly intensively since 2023–2025, after Microsoft began using the entire Azure cloud and edge infrastructure for:
- “Security Baseline Observability”
- “Threat Intelligence Feed Collection”
- “Compromise Detection Telemetry”
And my Fail2ban output shows exactly the known Azure scanner ranges:
########################################
# Azure / MSFT scanner ranges
########################################
# NetRange: 4.176.0.0 - 4.191.255.255
# CIDR: 4.176.0.0/12
# NetRange: 4.192.0.0 - 4.207.255.255
# CIDR: 4.192.0.0/12
# NetRange: 4.208.0.0 - 4.223.255.255
# CIDR: 4.208.0.0/12
# NetRange: 4.224.0.0 - 4.239.255.255
# CIDR: 4.224.0.0/12
# NetRange: 4.240.0.0 - 4.255.255.255
# CIDR: 4.240.0.0/12
# NetRange: 13.64.0.0 - 13.107.255.255
# CIDR: 13.64.0.0/11, 13.104.0.0/14, 13.96.0.0/13
# NetRange: 20.0.0.0 - 20.31.255.255
# CIDR: 20.0.0.0/11
# NetRange: 20.33.0.0 - 20.128.255.255
# CIDR: 20.33.0.0/16, 20.34.0.0/15, 20.36.0.0/14, 20.40.0.0/13, 20.48.0.0/12, 20.64.0.0/10,
# NetRange: 20.180.0.0 - 20.191.255.255
# CIDR: 20.184.0.0/13, 20.180.0.0/14
# NetRange: 20.192.0.0 - 20.255.255.255
# CIDR: 20.192.0.0/10
# NetRange: 40.74.0.0 - 40.125.127.255
# CIDR: 40.76.0.0/14, 40.74.0.0/15, 40.80.0.0/12, 40.120.0.0/14, 40.125.0.0/17,
# NetRange: 52.145.0.0 - 52.191.255.255
# CIDR: 52.145.0.0/16, 52.146.0.0/15, 52.148.0.0/14, 52.152.0.0/13, 52.160.0.0/11
# NetRange: 52.224.0.0 - 52.255.255.255
# CIDR: 52.224.0.0/11
# NetRange: 65.52.0.0 - 65.55.255.255
# CIDR: 65.52.0.0/14
# NetRange: 68.218.0.0 - 68.221.255.255
# CIDR: 68.218.0.0/15, 68.220.0.0/15
# NetRange: 104.208.0.0 - 104.215.255.255
# CIDR: 104.208.0.0/13
These bots clearly belong to Azure Public Cloud (Microsoft).
The following run automatically from there:
- Web shell scanner
- WP scanner
- Directory brute forcer
- Ransomware reconnaissance
- CVE signature checks
- Backdoor search routines
These bots are not “good crawlers” like Bingbot or BingPreview—they are telemetry scanners from Microsoft security products that:
- scan completely indiscriminately,
- take no account of server load,
- often send faulty or crude exploit payloads.
Microsoft itself claims in its advisories:
“Microsoft continuously scans public IPs for security exposure and threat intelligence enrichment.”
The reality:
These bots behave like script kiddie scanners and trigger every fail2ban filter worldwide.
And yes: it’s Microsoft itself—not spoofing!
Then I switched to blocking all these IP ranges.
Because they:
- don’t generate legitimate access
- generate a lot of log noise
- test thousands of PHP files (WordPress, backdoors, shells)
- try .well-known PHP files
- sometimes run at 10-30 requests per second
- don’t come randomly—they occur daily, systematically
It’s completely safe to block these ranges as long as you:
- don’t need to offer a service to Azure customers
- don’t operate a publicly accessible API for Microsoft services
- don’t have a Microsoft webhook integration
This is 100% safe for Nextcloud.
I then created a mechanism that allows me to easily block IP blacklists using fail2ban with nftables as the action backend, from individual IPs to entire ranges in CIDR notation:
So this is my blacklis at present:
“/etc/fail2ban/ip-blacklist”
4.176.0.0/12 [2026-01-01 14:30:00]
4.192.0.0/12 [2026-01-01 14:30:00]
4.208.0.0/12 [2026-01-01 14:30:00]
4.224.0.0/12 [2026-01-01 14:30:00]
4.240.0.0/12 [2026-01-01 14:30:00]
13.64.0.0/11 [2026-01-01 14:30:00]
13.96.0.0/13 [2026-01-01 14:30:00]
13.104.0.0/14 [2026-01-01 14:30:00]
20.0.0.0/11 [2026-01-01 14:30:00]
20.33.0.0/16 [2026-01-01 14:30:00]
20.34.0.0/15 [2026-01-01 14:30:00]
20.36.0.0/14 [2026-01-01 14:30:00]
20.40.0.0/13 [2026-01-01 14:30:00]
20.48.0.0/12 [2026-01-01 14:30:00]
20.64.0.0/10 [2026-01-01 14:30:00]
20.128.0.0/16 [2026-01-01 14:30:00]
20.180.0.0/14 [2026-01-01 14:30:00]
20.184.0.0/13 [2026-01-01 14:30:00]
20.192.0.0/10 [2026-01-01 14:30:00]
40.74.0.0/15 [2026-01-01 14:30:00]
40.76.0.0/14 [2026-01-01 14:30:00]
40.80.0.0/12 [2026-01-01 14:30:00]
40.96.0.0/12 [2026-01-01 14:30:00]
40.112.0.0/13 [2026-01-01 14:30:00]
40.120.0.0/14 [2026-01-01 14:30:00]
40.124.0.0/16 [2026-01-01 14:30:00]
40.125.0.0/17 [2026-01-01 14:30:00]
52.132.0.0/14 [2026-01-01 14:30:00]
52.136.0.0/13 [2026-01-01 14:30:00]
52.145.0.0/16 [2026-01-01 14:30:00]
52.146.0.0/15 [2026-01-01 14:30:00]
52.148.0.0/14 [2026-01-01 14:30:00]
52.152.0.0/13 [2026-01-01 14:30:00]
52.160.0.0/11 [2026-01-01 14:30:00]
52.224.0.0/11 [2026-01-01 14:30:00]
65.52.0.0/14 [2026-01-01 14:30:00]
68.218.0.0/15 [2026-01-01 14:30:00]
68.220.0.0/15 [2026-01-01 14:30:00]
74.176.0.0/14 [2026-01-01 14:30:00]
104.208.0.0/13 [2026-01-01 14:30:00]
This is the jail file:
# /etc/fail2ban/jail.d/ip-blacklist.local
[ip-blacklist]
enabled = true
port = anyport
action = nftables-ip-blacklist
filter = ip-blacklist
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_8]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=8]
filter = ip-blacklist_8
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_9]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=9]
filter = ip-blacklist_9
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_10]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=10]
filter = ip-blacklist_10
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_11]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=11]
filter = ip-blacklist_11
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_12]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=12]
filter = ip-blacklist_12
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_13]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=13]
filter = ip-blacklist_13
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_14]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=14]
filter = ip-blacklist_14
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_15]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=15]
filter = ip-blacklist_15
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_16]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=16]
filter = ip-blacklist_16
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_17]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=17]
filter = ip-blacklist_17
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_18]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=18]
filter = ip-blacklist_18
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_19]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=19]
filter = ip-blacklist_19
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_20]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=20]
filter = ip-blacklist_20
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_21]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=21]
filter = ip-blacklist_21
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_22]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=22]
filter = ip-blacklist_22
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_23]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=23]
filter = ip-blacklist_23
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
[ip-blacklist_24]
enabled = true
port = anyport
action = nftables-ip-blacklist[mask=24]
filter = ip-blacklist_24
logpath = /etc/fail2ban/ip-blacklist
maxretry = 0
findtime = 15552000
bantime = -1
This is the filter file for single IP’s:
# "/etc/fail2ban/filter.d/ip-blacklist.conf"
[Definition]
failregex = ^<HOST>(/32.*|[^/]*)?$
ignoreregex =
and then you need for every one of the possible CIDR Notations one filter file. This is just an example for ip/16:
# "/etc/fail2ban/filter.d/ip-blacklist_16.conf"
[Definition]
failregex = ^<HOST>/16.*$
ignoreregex =
this for /11:
# "/etc/fail2ban/filter.d/ip-blacklist_11.conf"
[Definition]
failregex = ^<HOST>/11.*$
ignoreregex =
I don’t need to repeat them all here; the principle should be clear.
And finaly this is the action file, the core of everything:
# "/etc/fail2ban/action.d/nftables-ip-blacklist.conf"
[Definition]
# executed once at start
actionstart = nft add table inet f2b-table
nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}
nft add set inet f2b-table <addr_set> \{ type <addr_type> \; flags interval \; \}
nft add rule inet f2b-table f2b-chain ip saddr @<addr_set> reject
# executed once at stop
actionstop = { nft -a list chain inet f2b-table f2b-chain | grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$' || true; } | while read -r hdl; do
nft delete rule inet f2b-table f2b-chain $hdl || true
done
nft delete set inet f2b-table <addr_set>
{ nft list table inet f2b-table | grep -qP '^\s+set\s+'; } || { nft delete table inet f2b-table; }
# executed before each ban
actioncheck = nft list chain inet f2b-table f2b-chain | grep -q '@<addr_set>[ \t]'
# ban = add element to set, **with CIDR mask from jail parameter**
actionban = nft add element inet f2b-table <addr_set> { <ip>/<mask> }
# unban = remove element (same CIDR)
actionunban = nft delete element inet f2b-table <addr_set> { <ip>/<mask> }
[Init]
# name of the nftables set / logical action
name = ip-blacklist
protocol = all
chain = input
table = f2b-table
table_family = inet
chain_type = filter
chain_hook = input
chain_priority = -1
blocktype = reject
nftables = nft
addr_set = addr-set-<name>
addr_type = ipv4_addr
addr_family = ip
# default mask if none is passed from jail (overridden by [mask=10] etc.)
mask = 32
The only thing fail2ban can’t do is display the blocked IP ranges. So, to check if the ranges are actually blocked, you have to look at it directly with nftables:
nft list ruleset
table inet f2b-table {
set addr-set-ip-blacklist {
type ipv4_addr
flags interval
}
set addr-set-ip-blacklist_10 {
type ipv4_addr
flags interval
elements = { 20.64.0.0/10, 20.192.0.0/10 }
}
set addr-set-ip-blacklist_11 {
type ipv4_addr
flags interval
elements = { 13.64.0.0/11, 20.0.0.0/11,
52.160.0.0/11, 52.224.0.0/11 }
}
set addr-set-ip-blacklist_12 {
type ipv4_addr
flags interval
elements = { 4.176.0.0/12, 4.192.0.0/12,
4.208.0.0/12, 4.224.0.0/12,
4.240.0.0/12, 20.48.0.0/12,
40.80.0.0/12, 40.96.0.0/12 }
}
set addr-set-ip-blacklist_13 {
type ipv4_addr
flags interval
elements = { 13.96.0.0/13, 20.40.0.0/13,
20.184.0.0/13, 40.112.0.0/13,
52.136.0.0/13, 52.152.0.0/13,
104.208.0.0/13 }
}
set addr-set-ip-blacklist_14 {
type ipv4_addr
flags interval
elements = { 13.104.0.0/14, 20.36.0.0/14,
20.180.0.0/14, 40.76.0.0/14,
40.120.0.0/14, 52.132.0.0/14,
52.148.0.0/14, 65.52.0.0/14,
74.176.0.0/14 }
}
set addr-set-ip-blacklist_15 {
type ipv4_addr
flags interval
elements = { 20.34.0.0/15, 40.74.0.0/15,
52.146.0.0/15, 68.218.0.0/15,
68.220.0.0/15 }
}
set addr-set-ip-blacklist_16 {
type ipv4_addr
flags interval
elements = { 20.33.0.0/16, 20.128.0.0/16,
40.124.0.0/16, 52.145.0.0/16 }
}
set addr-set-ip-blacklist_17 {
type ipv4_addr
flags interval
elements = { 40.125.0.0/17 }
}
set addr-set-apache-php-scanner {
type ipv4_addr
elements = { 135.235.161.115 }
}
set addr-set-apache-selfref {
type ipv4_addr
elements = { 145.239.10.137 }
}
chain f2b-chain {
type filter hook input priority filter - 1; policy accept;
ip saddr @addr-set-ip-blacklist reject with icmp port-unreachable
ip saddr @addr-set-ip-blacklist_10 reject with icmp port-unreachable
ip saddr @addr-set-ip-blacklist_11 reject with icmp port-unreachable
ip saddr @addr-set-ip-blacklist_12 reject with icmp port-unreachable
ip saddr @addr-set-ip-blacklist_13 reject with icmp port-unreachable
ip saddr @addr-set-ip-blacklist_14 reject with icmp port-unreachable
tcp dport { 80, 443 } ip saddr @addr-set-apache-modsecurity reject with icmp port-unreachable
ip saddr @addr-set-ip-blacklist_15 reject with icmp port-unreachable
ip saddr @addr-set-ip-blacklist_16 reject with icmp port-unreachable
ip saddr @addr-set-ip-blacklist_17 reject with icmp port-unreachable
tcp dport { 80, 443 } ip saddr @addr-set-apache-php-scanner reject with icmp port-unreachable
tcp dport { 80, 443 } ip saddr @addr-set-apache-selfref reject with icmp port-unreachable
}
}
If I get a hit from an IP range that isn’t yet banned, I locate the range (no problem using whois) and add it to the file “/etc/fail2ban/ip-blacklist”. I then set the date next to each IP range to the current date and save the file. Fail2ban will recognize this immediately because it treats the blacklist as a log file and will ban the new range as well.
So far, I’ve only encountered one case, an app-source from Microsoft for the Visual Studio code Package:
packages.microsoft.com:443 used 13.107.246.45 which is in the banned range.
I simply disable fail2ban when I want to upgrade the code package
I hardly ever get any scans now.
Microsoft offers the IP ranges on their download page. While one could ban them ALL at once, I prefer to only ban them after they’ve been flagged.
Microsoft has not officially published a statement saying, “We scan external servers.”
Microsoft does not confirm anywhere that they do this.
BUT: What you are seeing definitely originates from publicly documented Azure IP ranges, and these are used for security-related services, bots, telemetry, health checks, monitoring, API crawlers, antivirus systems, compliance scanners, etc.
Microsoft operates one of the world’s largest security networks.
They collect global signals to:
- Detect botnet activity
- Identify new attack patterns
- Monitor vulnerabilities
- Catalog exploit attempts
- Determine the global reputation of IP addresses
- Analyze malware behavior
- Detect DDoS patterns
This is officially called the “Microsoft Intelligent Security Graph” by Microsoft.
This data feeds into:
- Microsoft Defender (all versions)
- Azure Sentinel
- Defender for Cloud
- Outlook spam/phishing detection
- Windows SmartScreen Reputation
Microsoft uses it for global threat detection.
Similar activity regularly comes from:
- Google Cloud
- AWS
- Cloudflare
- Akamai
- Oracle Cloud
- Hetzner Probes
- GitHub Actions
- Palo Alto Threat Labs
- Fortinet Threat Intelligence
- Rapid7 Sonar
- Shadowserver
- Censys
- Shodan (official, publicly documented)
In reality, you are triggered daily by dozens of official scanners – Microsoft is just the largest.
h.t.h.
ernolf
4 Likes
I have now solved the problem by blocking everything that looks like WordPress, since that’s the majority of what’s triggering this error message for me.
direcotry /etc/apache2/sites-available
ssl config from nesdtcloud edit
Erzeugt einen virtuellen Pfad, der sofort gesperrt wird
<Directory “/var/www/nextcloud/wp-content”>
AllowOverride None
Require all denied
<Location “/wp-content”>
Require all denied
RewriteEngine On
Sperrt alles, was wp-content ODER wp-includes enthält
Das [NC] steht für “case-insensitive” (Groß-/Kleinschreibung egal)
Das [F] steht für “Forbidden” (403 Fehler)
Das [L] steht für “Last” (keine weiteren Regeln danach ausführen)
RewriteCond %{REQUEST_URI} (?i)/(wp-content|wp-includes) [NC]
RewriteRule ^ - [F,L]
insert this bevor <Directory /var/www/nextcloud/>
you can change RewriteCond %{REQUEST_URI} (?i)/(wp-content|wp-includes) [NC] with more exampe wp-admin dont forget to restatr you apache
Hi all,
Please, do correct me, if I’m wrong, but from my own research I gathered that these are indeed results of random bot scans, as already mentioned here, could be malicious, whitehats or even corporate (as @ernolf suggested), that are all too common on the net. They scan all IPs they come across for known vulnerabilities, that’s why you see non-existing URLs in the logs @stefannagy, like in mine, for example:
“url”:“//wp-admin/images/wp-conflg.php?p=”
The above is a known WordPress config file that may be vulnerable but I don’t have WordPress.
HMAC does not match
and
Could not decrypt or decode encrypted session data
mean that the session data was invalid, you can see there is no real usernames or anything in the error log, and Nextloud rejected it. So, this is not a bug in Nextcloud, but Nextcloud is working as designed, nothing is broken, and this is just a warning and nothing to panic over unless the number of these requests grows o DDoS like levels. I get 2-3 per day, it started in December, couple of months after a fresh install.
The bottom line is Nextcloud correctly rejected junk traffic.
These scans are “normal” internet background noise, unfortunately.
I thought about installing Fail2Ban*** but it adds too much complexity for what I use my Nextcloud for, basically a hobby. If these scans become persistent or turn into something more targeted, like usernames or Nextcloud URLs start appearing in these error logs, I will try forcing my ISP router to change its IP or just isolate my instance to my home LAN and close all my ports.
***EDIT: I use Webmin and I realized that it has a Fail2Ban module, so the installation and configuration were not too bad.