22.214.171.124 - - [06/Feb/2021:22:10:19 -0500] "GET /ocm-provider/ HTTP/1.1" 200 1590 "-" "Nextcloud Server Crawler"
126.96.36.199 - - [06/Feb/2021:22:10:20 -0500] "GET /index.php/ocm/shares HTTP/1.1" 405 1401 "-" "Nextcloud Server Crawler"
188.8.131.52 - - [06/Feb/2021:22:10:21 -0500] "GET /ocs-provider/ HTTP/1.1" 200 2214 "-" "Nextcloud Server Crawler"
184.108.40.206 - - [06/Feb/2021:22:10:21 -0500] "POST /ocs/v2.php/cloud/shares?format=json HTTP/1.1" 200 1306 "-" "Nextcloud Server Crawler"
Any idea what these logs are? The user agent shows “Nextcloud Server Crawler”. What is this software?
Normally I wouldn’t be worried about probes in my logs, but I’m a bit nervous as these return 200 OK. Have I been compromised?
scan.nextcloud.com - you can ask to check your security… in the past it was used to scan through setups to see what versions were installed (without request from the operator).
Interesting, seems useful but also a great recon tool for attackers. Is there ratelimits on this to prevent abuse? Seems a bit odd that my private instance was scanned (its on a vhost and wouldn’t appear on the direct IP address).
Could also be part of the usage survey app…
As far as I understood, the function which uses the “
Nextcloud Server Crawler” agent string is part of the Nextcloud core and being used to request information. See e.g.
This file has been truncated.
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @author Carlos Ferreira <email@example.com>
* @author Christoph Wurst <firstname.lastname@example.org>
* @author Daniel Kesselberg <email@example.com>
* @author Joas Schilling <firstname.lastname@example.org>
* @author Lukas Reschke <email@example.com>
* @author Mohammed Abdellatif <firstname.lastname@example.org>
* @author Morris Jobke <email@example.com>
* @author Robin Appelman <firstname.lastname@example.org>
* @author Roeland Jago Douma <email@example.com>
* @author Scott Shambarger <firstname.lastname@example.org>
* @license AGPL-3.0