Nextcloud Server Crawler

ℹ️ Support
1 
161.97.152.224 - - [06/Feb/2021:22:10:19 -0500] "GET /ocm-provider/ HTTP/1.1" 200 1590 "-" "Nextcloud Server Crawler"
161.97.152.224 - - [06/Feb/2021:22:10:20 -0500] "GET /index.php/ocm/shares HTTP/1.1" 405 1401 "-" "Nextcloud Server Crawler"
161.97.152.224 - - [06/Feb/2021:22:10:21 -0500] "GET /ocs-provider/ HTTP/1.1" 200 2214 "-" "Nextcloud Server Crawler"
161.97.152.224 - - [06/Feb/2021:22:10:21 -0500] "POST /ocs/v2.php/cloud/shares?format=json HTTP/1.1" 200 1306 "-" "Nextcloud Server Crawler"

Any idea what these logs are? The user agent shows “Nextcloud Server Crawler”. What is this software?

Normally I wouldn’t be worried about probes in my logs, but I’m a bit nervous as these return 200 OK. Have I been compromised?

2

scan.nextcloud.com - you can ask to check your security… in the past it was used to scan through setups to see what versions were installed (without request from the operator).

1 Like
3

Interesting, seems useful but also a great recon tool for attackers. Is there ratelimits on this to prevent abuse? Seems a bit odd that my private instance was scanned (its on a vhost and wouldn’t appear on the direct IP address).

4

Could also be part of the usage survey app…

5

As far as I understood, the function which uses the “Nextcloud Server Crawler” agent string is part of the Nextcloud core and being used to request information. See e.g.

1 Like