Anyone seen this before?
Exception: The requested uri(/admin/images/tango.png) cannot be processed by the script ‘/core/templates/404.php’) at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#729
I have the same error logs, but with a different requested URI
Exception: The requested uri(/phpmyadmin) cannot be processed by the script '/core/templates/404.php') at /var/www/vhosts/domain.tld/nextcloud/lib/private/AppFramework/Http/Request.php#729
I haven’t found a fix yet.
same error here with different odd targets …
Exception: The requested uri(/phpMyAdmin/scripts/setup.php) cannot be processed by the script ‘/core/templates/404.php’) at /srv/dev-disk-by-label-Storage/nextcloud/lib/private/AppFramework/Http/Request.php#729
Exception: The requested uri(/pma/scripts/setup.php) cannot be processed by the script ‘/core/templates/404.php’) at /srv/dev-disk-by-label-Storage/nextcloud/lib/private/AppFramework/Http/Request.php#729
Exception: The requested uri(/myadmin/scripts/setup.php) cannot be processed by the script ‘/core/templates/404.php’) at /srv/dev-disk-by-label-Storage/nextcloud/lib/private/AppFramework/Http/Request.php#729
An attempt of an attack?
Pfff, no, when, in what situation does this happen? A bit of context pls
Like, are you trying to feed your cat? Upload a file? Add a comment?
I can’t reproduce these errors in my logfile, they seem to appear randomly.
For testing, I upped files, set up shares, downloaded files, used WebDAV, synced contacts and calendar with Thunderbird (SoGo) and Android. I use a Linux, a Windows and an Android client as well.
I’ve been messing around, but nothing triggered these errors …
Just got the error, and I didn’t do any tasks
Exception: The requested uri(/a2billing/common/javascript/misc.js) cannot be processed by the script ‘/core/templates/404.php’) at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#7
So these files - /a2billing/common/javascript/misc.js or /phpMyAdmin/scripts/setup.php etc. - what are they? Where are those files located? In Nextcloud? On the storage of one of its users? Outside?
The /core/templates/404.php - well, a 404, so I guess something isn’t found…
The file /phpMyAdmin/scripts/setup.php is nowhere located on my system, I don’t have phpmyadmin installed.
Odd to see a logfile entry with this pointer …
Same for
/pma/scripts/setup.php
/myadmin/scripts/setup.php
That’s why I suspect an attempt to reach those files within my web root by a possible attacker
I’m not sure, that’s what I’m trying to figure out. But I never had this error when I was on NC11; it started to appear after the update to NC12.
Same here, appeared a couple hours after upgrade to version 12.
I have phpMyAdmin installed, but not at these paths. I access it via another subdomain. Last access 3 days ago.
I am also seeing these
Exception: The requested uri(/recordings/) cannot be processed by the script '/core/templates/404.php') at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#729
Exception: The requested uri(/a2billing/common/javascript/misc.js) cannot be processed by the script '/core/templates/404.php') at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#729
It does smell bad to me
Maybe an attacker looking for vulnerable stuff? Not from nextcloud, but from asterisk, etc
a2billing looks like it is this
I have started getting these as well. This looks like an attack. It can be recreated by trying to access the main domain and some file, e.g.
mydomain.com/admin/config.php
I would love to know if there is a vulnerability in this, and how to fix it. And/Or stop the error.
Well, it’s hacker kiddies scanning the web for vulnerable instances of software.
Not much we can do about that! Except muting that exception message.
I for one would not do that, in case there is a vulnerability in NC, it could help realize the attack
I have noticed this usually comes after an ‘untrusted domain’ access directly to the IP.
Trusted domain error. “<SOME_IP>” tried to access using…
I have blocked such access with fail2ban. This seems to stop the kiddies.
Yes, fail2ban and brute force protection are the best bet against this. One step further would be an IPS/IDS like Snort or Suricata for the network as well as OSSEC or AIDE for the server.
What webserver are you using and what does your configuration look like?
In nginx, stuff like this should only be in the vhost of NC:
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
If nextcloud is in a subfolder, you should use this configuration: https://docs.nextcloud.com/server/12/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-nginx
If you run nextcloud in the mainfolder and you want to run other services in subfolders, you must exclude them from this rewriting.
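The exception lines quoted in this thread can be grouped per client to see which addresses are sweeping for missing paths before deciding what to ban. This is an added example, not code from any poster or from Nextcloud; it assumes nextcloud.log holds one JSON object per line with remoteAddr and message fields, and the sample entries and addresses are constructed.

```python
import json
import re
from collections import defaultdict

# Exception text as quoted in the thread; accepts straight or curly quotes.
PROBE_RE = re.compile(
    r"The requested uri\((?P<uri>[^)]*)\) cannot be processed by the script "
    r"['‘]/core/templates/404\.php['’]"
)

def _line(ip, uri):
    # Builds a constructed log entry. Field names are an assumption about nextcloud.log.
    msg = (f"Exception: The requested uri({uri}) cannot be processed "
           "by the script '/core/templates/404.php')")
    return json.dumps({"remoteAddr": ip, "message": msg})

# Constructed sample input; the addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = [
    _line("203.0.113.7", "/phpMyAdmin/scripts/setup.php"),
    _line("203.0.113.7", "/pma/scripts/setup.php"),
    _line("203.0.113.7", "/myadmin/scripts/setup.php"),
    _line("198.51.100.20", "/admin/images/tango.png"),
    json.dumps({"remoteAddr": "198.51.100.20", "message": "Login failed"}),
    '{"remoteAddr": "203.0.113.7", "mess',  # truncated line
]

def probes_by_client(lines):
    """Map client address -> set of URIs that ended in the 404.php exception."""
    seen = defaultdict(set)
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict):
            continue
        match = PROBE_RE.search(str(entry.get("message", "")))
        if match:
            seen[entry.get("remoteAddr", "unknown")].add(match.group("uri"))
    return dict(seen)

def ban_candidates(lines, min_distinct=3):
    """Clients that requested at least min_distinct different missing paths."""
    hits = probes_by_client(lines)
    return sorted(ip for ip, uris in hits.items() if len(uris) >= min_distinct)

if __name__ == "__main__":
    for ip in ban_candidates(SAMPLE_LOG):
        print(ip, sorted(probes_by_client(SAMPLE_LOG)[ip]))
```

A client that hits one missing image once stays below the threshold, while one that walks several admin-panel paths is listed; the resulting addresses can be fed to whatever blocking mechanism is in use.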