Local and remote files deleted by Windows client

Nextcloud version : 19.0.3
Operating system and version : Ubuntu 18.04
Apache : 2.4.29
PHP version : 7.4.10
Windows client : 3.0.1 on Windows 8.1

Background : I have a data folder on my Windows computer that I sync with my Nextcloud (VPS).

Problem : For the second time this month, almost all files got deleted (60Gb) from both my local Windows and remote Nextcloud. On the Linux server, the logs indicate that deletion is initiated from the Windows client.

After the first incident I activated file deletion auditing on the folder on the Windows machine. Today, at the same time that the Nc server shows that the Windows client requests file deletion, the Windows machine logs show that the Nextcloud client initiates the deletion.

So, both machines say that the Windows Nextcloud client makes the deletion.

Hopefully I had a backup and the Nc server kept all the files in “deleted files”. But now I am trying to understand what happened and I have no clue except for a Nc client software problem.

Are there any other log files that I can look at?

Nextcloud activity feed says : You deleted xxxx …

Apache logs

...
000.000.000.000 - winclient [09/Oct/2020:19:29:38 +0000] "PROPFIND /remote.php/dav/files/winclient/xxxxxxxx/xxxxxxxxxxxxx HTTP/1.1" 207 538592 "-" "Mozilla/5.0 (Windows) mirall/3.0.1stable-Win64 (build 20200828) (Nextcloud)"
000.000.000.000 - winclient [09/Oct/2020:19:29:49 +0000] "GET /ocs/v2.php/core/navigation/apps?absolute=true&format=json HTTP/1.1" 304 4078 "-" "Mozilla/5.0 (Windows) mirall/3.0.1stable-Win64 (build 20200828) (Nextcloud)"
000.000.000.000 - winclient [09/Oct/2020:19:29:49 +0000] "PROPFIND /remote.php/dav/files/winclient/ HTTP/1.1" 207 4989 "-" "Mozilla/5.0 (Windows) mirall/3.0.1stable-Win64 (build 20200828) (Nextcloud)"
000.000.000.000 - winclient [09/Oct/2020:19:29:49 +0000] "DELETE /remote.php/dav/files/winclient/xxxxxxxx/xxxxxxxxxxxxx HTTP/1.1" 204 4376 "-" "Mozilla/5.0 (Windows) mirall/3.0.1stable-Win64 (build 20200828) (Nextcloud)"
000.000.000.000 - winclient [09/Oct/2020:19:29:49 +0000] "DELETE /remote.php/dav/files/winclient/xxxxxxxx/xxxxxxxxxxxxx HTTP/1.1" 204 4376 "-" "Mozilla/5.0 (Windows) mirall/3.0.1stable-Win64 (build 20200828) (Nextcloud)"
000.000.000.000 - winclient [09/Oct/2020:19:29:49 +0000] "DELETE /remote.php/dav/files/winclient/xxxxxxxx/xxxxxxxxxxxxx HTTP/1.1" 204 4376 "-" "Mozilla/5.0 (Windows) mirall/3.0.1stable-Win64 (build 20200828) (Nextcloud)"
000.000.000.000 - winclient [09/Oct/2020:19:30:18 +0000] "DELETE /remote.php/dav/files/winclient/xxxxxxxx/xxxxxxxxxxxxx HTTP/1.1" 204 607 "-" "Mozilla/5.0 (Windows) mirall/3.0.1stable-Win64 (build 20200828) (Nextcloud)"
000.000.000.000 - winclient [09/Oct/2020:19:30:06 +0000] "DELETE /remote.php/dav/files/winclient/xxxxxxxx/xxxxxxxxxxxxx HTTP/1.1" 204 607 "-" "Mozilla/5.0 (Windows) mirall/3.0.1stable-Win64 (build 20200828) (Nextcloud)"
    ...

Logging in Nc Admin shows absolutely nothing at the time of the event.

Windows audit example for one of the files :

    Objet :
	    Serveur de l’objet :		Security
	    Type d’objet :		File
	    Nom de l’objet :		E:\DATA\xxxxxxx\xxxxxxxxxxx
	    ID du handle :		0x13c4
	    Attributs de ressource :	-

    Informations sur le processus :
	    ID du processus :		0x224c
	    Nom du processus :		C:\Program Files\Nextcloud\nextcloud.exe

    Informations sur la demande d’accès :
    	ID de la transaction 		{00000000-0000-0000-0000-000000000000}
    	Accès :		DELETE

config.php

$CONFIG = array (
  'instanceid' => 'xxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxxxx',
  'trusted_domains' => 
  array (
    0 => 'xxxxxxxxxxxx',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '19.0.3.1',
  'overwrite.cli.url' => 'https://xxxxxx',
  'dbname' => 'xxxxxxxx',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'xxxxxxxx',
  'dbpassword' => 'xxxxxxxxxx',
  'installed' => true,
  'maintenance' => false,
  'mysql.utf8mb4' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'xxxxxxxxxxxxx',
  'mail_smtpsecure' => 'xxxxxxxxxx',
  'mail_sendmailmode' => 'xxxxxxxx',
  'mail_from_address' => 'xxxxxxx',
  'mail_domain' => 'xxxxxxxxxxx',
  'mail_smtpauth' => xxxx,
  'mail_smtpauthtype' => 'xxxxx',
  'mail_smtphost' => 'xxxxxxxx',
  'mail_smtpport' => 'xxxxxxx',
  'mail_smtpname' => 'xxxxxxxxxxxxxx',
  'mail_smtppassword' => 'xxxxxxxxxx',
  'updater.secret' => 'xxxxxxxxxxxxxxx',
);

Do you have the sync folder on Windows in any peculiar setup such as a TrueCrypt volume or external drive?

Nothing special, regular folder on an NTFS volume. The folder is shared with another computer on my home network. But at the time of the event nobody was there. Virus scan found nothing.

I experienced a similar issue with Nextcloud Client 3.0.2 on Windows 7 two days ago. I didn’t even change anything (although it is possible that Nextcloud updated itself?) and I also don’t have any special hard drive or configuration as far as I know.

I’m not sure if it’s related, but I ran a simulation that almost completely filled up my main (Windows OS) HDD that also includes the Nextcloud installation directory. The files are on another drive though and Nextcloud deleted them step by step. Fortunately, I could also restore them from the trashbin on the Nextcloud website, but this is pretty scary and not really building up trust :open_mouth: I will definitely downgrade my clients once my 160+ GB are synced on all computers again, I don’t like the “fancy” animations, the pop-up window and automatic updating in 3.x anyway :confused:

Not sure which information I could deliver to give more insight except the one below. In the client and the server it just looks as if I deleted the files by myself step by step over a period of an hour or so.

Operating system: Linux 2.6.32-042stab145.3 #1 SMP Thu Jun 11 14:05:04 MSK 2020 x86_64

Webserver: Apache/2.4.18 (Ubuntu) (apache2handler)

Database: mysql 10.0.38

PHP version: 7.3.22-1+ubuntu16.04.1+deb.sury.org+1

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, sodium, session, standard, apache2handler, mysqlnd, PDO, xml, apcu, bcmath, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, imagick, intl, json, exif, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 19.0.3 - 19.0.3.1

Enabled:
 - accessibility: 1.5.0
 - activity: 2.12.0
 - admin_audit: 1.9.0
 - audioplayer: 2.11.2
 - bruteforcesettings: 2.0.1
 - calendar: 2.0.4
 - cloud_federation_api: 1.2.0
 - comments: 1.9.0
 - contacts: 3.3.0
 - contactsinteraction: 1.0.0
 - dav: 1.15.0
 - deck: 1.0.5
 - encryption: 2.7.0
 - federatedfilesharing: 1.9.0
 - federation: 1.9.0
 - files: 1.14.0
 - files_downloadactivity: 1.8.0
 - files_pdfviewer: 1.8.0
 - files_rightclick: 0.16.0
 - files_sharing: 1.11.0
 - files_trashbin: 1.9.0
 - files_versions: 1.12.0
 - files_videoplayer: 1.8.0
 - firstrunwizard: 2.8.0
 - fulltextsearch: 1.4.2
 - fulltextsearch_elasticsearch: 1.5.2
 - logreader: 2.4.0
 - lookup_server_connector: 1.7.0
 - metadata: 0.12.0
 - nextcloud_announcements: 1.8.0
 - notes: 3.6.4
 - notifications: 2.7.0
 - oauth2: 1.7.0
 - password_policy: 1.9.1
 - photos: 1.1.0
 - previewgenerator: 2.3.0
 - privacy: 1.3.0
 - provisioning_api: 1.9.0
 - recommendations: 0.7.0
 - serverinfo: 1.9.0
 - settings: 1.1.0
 - sharebymail: 1.9.0
 - support: 1.2.1
 - survey_client: 1.7.0
 - systemtags: 1.9.0
 - text: 3.0.1
 - theming: 1.10.0
 - twofactor_backupcodes: 1.8.0
 - updatenotification: 1.9.0
 - viewer: 1.3.0
 - workflowengine: 2.1.0
Disabled:
 - files_clipboard
 - files_external
 - gpxpod
 - nextant
 - onlyoffice
 - registration
 - sharerenamer
 - tasks
 - user_ldap
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "files.my-domain.de"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/files.my-domain.de",
    "dbtype": "mysql",
    "version": "19.0.3.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "default_language": "en",
    "default_locale": "de_DE",
    "knowledgebaseenabled": true,
    "auth.bruteforce.protection.enabled": true,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_smtpauthtype": "LOGIN",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "htaccess.RewriteBase": "\/",
    "check_for_working_wellknown_setup": true,
    "check_for_working_webdav": true,
    "check_for_working_htaccess": true,
    "maintenance": false,
    "updater.secret": "***REMOVED SENSITIVE VALUE***",
    "theme": "",
    "loglevel": 2,
    "mail_sendmailmode": "smtp",
    "check_data_directory_permissions": true,
    "mysql.utf8mb4": true,
    "app_install_overwrite": [
        "fulltextsearch_elasticsearch",
        "sharerenamer"
    ]
}

External storages: files_external is disabled

Encryption: no

User-backends:

  • OC\User\Database

Hello,

What a nasty bug!
The exact same thing happened to me yesterday!

The Nextcloud client is configured to sync some folders on D: disk.

My C: drive filled up while I was away from the computer.
Then, the Nextcloud client deleted most files both on the server and on my desktop.
I was able to see this from logs from lines like these:

nginx.1 | ADDRESS IP - USER [11/Dec/2020:22:10:52 +0100] "DELETE /remote.php/dav/files/USER/Foto_Aj/Ogledalo HTTP/1.1" 204 0 "-" "Mozilla/5.0 (Windows) mirall/3.0.3stable-Win64 (build 20201125) (Nextcloud)"

I was able to restore everything (I hope) from the Nextcloud trash.

Client is 3.0.3 on Windows 7 x64.

I’m in the same boat (thread here), happened twice in two weeks. Server is (still) NC 16, two different clients: 2.6.4 and 3.0.1. I’m not sure the two cases can be referred to the same problem, I try to recap them here.

Case 1

Last week the user reported they had their C drive filled up, apparently after that NC client started issuing deletes on the server (from what we can read on the access.log). According to them no other action was performed on the client.

My guess is that the client’s SQLite database got corrupted by the drive fillup and thus started misbehaving. According to docs the db should be in the directory being synced, and I understood this is the local files path, but I cannot find them in there, at least on 3.0.x they are in %AppData%/Roaming/Nextcloud (in 3.1.0 they’re back to syncdir). So it could matter.

Case 2

Today we got a folder contained in a share deleted by a user. They said they had this folder unticked in the client, they did select it and deselected all the subfolders which were not of their interest, then pressed Apply. We cannot tell exactly when but likely a short time later the client started issuing DELETE requests to the webserver. They remember no other action on the client. On the server I see a lot of GET requests, even on a supposedly unticked folder, and a lot of them had a 404 return code, but they’re backup files so it’s even possible they’re legit. After a few minutes the DELETEs started. We found the deleted directory in the computer’s recycle bin, and from what we could test on a Windows client (though using 3.0.3) when a folder is unticked or removed server-side the local files are not moved to bin, so this might not be a case for the thread but a user misunderstanding.

Could be issue 1433?
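The access-log lines quoted in this thread show the pattern an administrator can watch for: a run of successful WebDAV DELETE requests from one account and one sync-client user agent within seconds. The following is an added example, not code from any poster or from Nextcloud; the function name, the threshold and window defaults, and the sample lines (placeholder IP and paths) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

DAV_PREFIX = "/remote.php/dav/files/"
# Combined log format, as in the access-log lines quoted in the thread.
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"')

def delete_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one record per (user, agent) whose densest window of
    successful WebDAV DELETEs reaches `threshold` (assumed defaults)."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE" or not m["status"].startswith("2"):
            continue
        if m["path"].startswith(DAV_PREFIX):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events[(m["user"], m["agent"])].append(ts)
    bursts = []
    for (user, agent), stamps in events.items():
        stamps.sort()  # the thread's excerpt logs 19:30:18 before 19:30:06
        best, lo = (0, None, None), 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > best[0]:
                best = (hi - lo + 1, stamps[lo], ts)
        if best[0] >= threshold:
            bursts.append({"user": user, "agent": agent, "count": best[0],
                           "start": best[1], "end": best[2]})
    return bursts

# Constructed sample modelled on the thread's log lines (placeholder IP and paths).
UA = "Mozilla/5.0 (Windows) mirall/3.0.1stable-Win64 (build 20200828) (Nextcloud)"
def _line(user, hms, method, path, status, agent=UA):
    return (f'192.0.2.10 - {user} [09/Oct/2020:{hms} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "{agent}"')
SAMPLE = [_line("winclient", "19:29:49", "PROPFIND", DAV_PREFIX + "winclient/", 207)]
SAMPLE += [_line("winclient", t, "DELETE", f"{DAV_PREFIX}winclient/docs/f{i}", 204)
           for i, t in enumerate(["19:29:49", "19:29:49", "19:29:49",
                                  "19:30:18", "19:30:06", "19:30:20"])]
SAMPLE += [_line("winclient", "19:30:25", "DELETE", DAV_PREFIX + "winclient/gone", 404),
           _line("alice", "19:30:00", "DELETE", DAV_PREFIX + "alice/old.txt", 204, "Mozilla/5.0")]

if __name__ == "__main__":
    for b in delete_bursts(SAMPLE):
        print(b["user"], b["count"], b["start"].isoformat(), b["end"].isoformat(), b["agent"])
```

The burst record keeps the user agent, so the client version that issued the deletes (the `mirall/…` token) is available for correlation with the Windows file-audit events described earlier in the thread.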