Nextcloud version: maybe 29.0.0 (derived via version.php VersionString; OC_Version is 29,0,0,19)
Operating system and version: Ubuntu 24.04
Apache or nginx version: Apache 2.4.59
PHP version: 8.2.19
Running behind nginx reverse proxy v2.9.19
I apologize for any nonsense and panic I radiate, but I’m scared I might have been hacked. I’m fully aware that if this is true, it might not be an issue of NC, but I hope that with your help we can either calm down my nerves by identifying a possible misconfiguration, known bug or similar or at least get some insight on how I can investigate this further.
I run NC for me and a few close relatives / friends. Besides me, there are only two regular users. All of us three use the Android client Version 3.30.1 to sync files, upload pictures, and we also sync calendar and contacts using DAVx5.
This is what I observed: While I did not notice any irregularities, both of the other main users reported excessive file uploads since yesterday, draining their batteries, and we confirmed more than 160 GB of network traffic for a user with merely 2 GB of used storage. When I got the second report of this behavior, I thought it might be a bug in the client, since at least for one of them it started after the client got updated.
Looking into the network traffic of my router (AVM FritzBox 7520), I realized that my home network has sent over 400 GB of data within this week, while the whole previous month had a lot less outgoing traffic. Now I have disconnected my router from the internet and don’t know how to proceed.
Before this happened, I regularly ran the security checks in the NC admin panel etc. and everything seemed to be fine. Can anyone assess what might have happened?
To analyze the situation you must review your logs. If you have the auditlog app installed, it is quite easy to see all user logins and actions including file uploads and downloads. If not, you can get this data from nextcloud.log, but it is harder. I would start by checking for unknown IPs. As you likely don’t keep track of your IPs, check if you see foreign IPs and maybe “strange” user-agents not matching your familiar devices in the log…
Here is a short helper to get all IP + user-agent combinations from your nextcloud.log using the jq command. This should allow a first check for unexpected connections and give you a starting point.
# as json: one object per log line, then keep one entry per distinct (IP, user-agent) pair
jq '{time: .time, remoteIp: .remoteAddr, userAgent: .userAgent, url: .url}' /{path to your data directory}/nextcloud.log | jq --slurp 'unique_by(.remoteIp, .userAgent)'
# as csv: -r prints the rows raw instead of as JSON-quoted strings
jq '{time: .time, remoteIp: .remoteAddr, userAgent: .userAgent, url: .url}' /{path to your data directory}/nextcloud.log | jq --slurp -r 'unique_by(.remoteIp, .userAgent)[] | [.time, .remoteIp, .userAgent, .url] | @csv'
If you are concerned about security, you should not neglect updates; there is already version 29.0.8:
(No need to install NC 30, it is the next major version. It’s up to you when you upgrade to that, but within the 29.0.x branch, you should not wait too long to update).
If you have the log files of the webserver, you can check the activity there. With a bug in the client, you would see a lot of activity from certain clients with IPs that you know. Put another way: if you have high traffic, the people running the client should have high traffic as well.
If you see a lot of access from other IPs that you cannot associate with a regular user, more users/other users, …
That strongly hints at a bug in the clients. Check the versions they use and whether there are reports on the bug tracker (for the desktop client: on GitHub).
If someone hacks your server and wants to steal 2 GB of data, they just get that data and don’t create 400 GB of traffic; this would just raise suspicion. Certainly, there can be people who just want to do that and/or use your server for some illegal downloads.
[edit] I just saw a new version 3.30.2 on F-Droid. This is what the changelog says: Bugfix for two way sync. Please check listed folders in settings → internal two way sync
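The advice above, checking the webserver log for which client IPs produce the traffic, as an added Python example (not code from the post or from Nextcloud): it parses Apache's `combined` log format, sums bytes sent per (IP, user-agent), and flags clients that fetch the same file repeatedly, which separates a sync client stuck in a download loop from a one-off bulk copy. The log lines are constructed samples; the user names, file paths and client strings are assumptions. Caveat for a setup like the OP's, where Apache sits behind nginx: `%h` is nginx's address for every request unless mod_remoteip is configured (`RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy` for the proxy), so apply that first or all traffic will be attributed to one IP.

```python
"""Per-client traffic and repeated-download detection over an Apache 'combined' access log.

Added example; the log lines below are constructed, not real data.
"""
import re
from collections import Counter, defaultdict

ANDROID_UA = "Mozilla/5.0 (Android) Nextcloud-android/3.30.1"
DAVX5_UA = "DAVx5/4.4.3-ose (2024/09/01; dav4jvm; okhttp/4.12.0) Android/14"


def _line(ip, user, ts, request, status, size, ua):
    """Build one constructed line in Apache 'combined' LogFormat (referer left as "-")."""
    return f'{ip} - {user} [{ts}] "{request}" {status} {size} "-" "{ua}"'


_PHOTO1 = "GET /remote.php/dav/files/alice/Photos/IMG_0001.jpg HTTP/1.1"
_PHOTO2 = "GET /remote.php/dav/files/alice/Photos/IMG_0002.jpg HTTP/1.1"

SAMPLE_ACCESS_LOG = "\n".join([
    _line("192.168.178.20", "alice", "27/Oct/2024:10:15:32 +0100",
          "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1", 207, 2310, ANDROID_UA),
    # alice's client fetches the same two photos three times each within a few minutes
    *[_line("192.168.178.20", "alice", f"27/Oct/2024:10:{16 + i}:00 +0100", req, 200, 4194304, ANDROID_UA)
      for i in range(3) for req in (_PHOTO1, _PHOTO2)],
    _line("192.168.178.31", "bob", "27/Oct/2024:10:20:11 +0100",
          "PROPFIND /remote.php/dav/calendars/bob/personal/ HTTP/1.1", 207, 1830, DAVX5_UA),
    _line("192.168.178.31", "bob", "27/Oct/2024:10:21:40 +0100",
          "GET /remote.php/dav/files/bob/notes.txt HTTP/1.1", 200, 512, ANDROID_UA),
])

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Return one dict per parsable line; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])  # "-" means no body sent
        rows.append(d)
    return rows


def traffic_by_client(rows):
    """Bytes sent and request count per (ip, user-agent)."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for r in rows:
        t = totals[(r["ip"], r["ua"])]
        t["bytes"] += r["bytes"]
        t["requests"] += 1
    return dict(totals)


def repeated_downloads(rows, min_repeats=3):
    """Per client, the paths successfully fetched (200/206) at least min_repeats times.

    A sync client looping over the same files shows up here; a healthy client downloads
    a file once and afterwards only PROPFINDs it."""
    per_client = defaultdict(Counter)
    for r in rows:
        if r["method"] == "GET" and r["status"] in (200, 206):
            per_client[(r["ip"], r["ua"])][r["path"]] += 1
    return {client: {p: n for p, n in c.items() if n >= min_repeats}
            for client, c in per_client.items()
            if any(n >= min_repeats for n in c.values())}


def top_talkers(totals, n=5):
    """Clients ordered by bytes sent, largest first."""
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_ACCESS_LOG)
    for (ip, ua), t in top_talkers(traffic_by_client(rows)):
        print(f"{t['bytes']:>12} bytes {t['requests']:>5} req  {ip}  {ua}")
    for client, paths in repeated_downloads(rows).items():
        print("repeated downloads from", client, paths)
```

On a real server read `/var/log/apache2/access.log` (or whichever file your vhost's `CustomLog` points to) in place of the sample. If the top talkers are your own household's addresses and `repeated_downloads` shows the same files cycling, that matches the client-bug theory in this reply; if the bytes come from addresses you cannot place, that is the other case.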
I see exactly the same behaviour. LineageOS 21 and Nextcloud version 3.30.1. Today it consumed almost all my 4G data outside my home. On WiFi it consumed 102 GB of data to my NC 29.0.8 server (which is completely isolated in a DMZ and only accessible through a tunnel). According to the Apache logs on the server, the client seems to download the whole files section continuously, over and over again. Note: AFAICS! I’m not a NC guru.