Nextcloud version (eg, 12.0.2): FreeNAS isnt reporting Nextcloud Version
Operating system and version (eg, Ubuntu 17.04): FreeNAS-11.2-U6
Apache or nginx version (eg, Apache 2.4.25): idk, its a plugin
PHP version (eg, 7.1): idk, its a plugin
The issue you are facing:
Hi guys, Im new here and Im facing problems with my current installation
I have a FreeNAS server with netxcloud, in a small office of 8 people.
It was working perfect until a few days, but now, it doesnt work.
First thing I notice was the IP changed, so I create an IP Reservation on the router, but even fixing that (the plugin reply the pings), the web UI doesnt opens.
I have restarted the plugin and even the entire freenas, but same results.
Im not very experienced on nextcloud and i really dont know what to do, I dont want to loose all the configs, even worst, the data.
If someone can help me, I will appreciate it so much
Is this the first time you’ve seen this error? (Y/N): Y
I’m not sure I can totally help. I have nextcloud 17 running within a freenas jail – however I set up the jail and nextcloud manually and not through use of a plugin.
Did you use the nextcloud plugin to setup your nextcloud?
Can you ssh or access the nextcloud jail through command line or other means? The jail itself is going to have a different IP address than the FreeNAS box – You can think of the jail as a type of “virtual machine” with different IP address.
Hi Kev, thanks for quick reply
Yes, I installed it from the Plugin list
I have shell access to the jail via FreeNAS web UI
Where I can find some log to see whats the error
Ok - so great, you can access the jail.
Can you confirm for example that web server within the jail is running?
I’m not sure if the web server within the jail runs apache or nginx. Have you tried restarting the webserver?
Nextcloud is just a php application, not really a standalone application. It doesn’t normally run by itself in the background.
Well Im trying to check apache or nginx version and nothing
Even on started services, it isnt seems to be running anything
I found a folder for nginx on /usr/local/etc/nginx
Im still trying to find the logs
Today, before I set the IP reservation on the router, I could access to nextcloud webui in the dynamic IP (not the right one) but it says something about “not in the same domain”, i mean, i could open the webui but it was blocking me couse of this message.
After that, i set the IP reservation to the right one, reboot the jail and even the freenas server and now even with the correct IP, it seems webserver is not starting
Could it be some IP misconfiguration somewhere?
I found the logs, but im still trying to get them (download)
But it seems something happened on the month change
This is a screenshot of the snapshots, and nothing have changed since Nov 1st
And these are the errors from the nginx error log
it could be i have being hacked?
it looks like some kind of php injection
You’re not doing the basics to test for things.
Make sure webserver is up and running. If its not up and running in the jail you may have to manually start the service. Look at either nginx or apache logs in /var/log. They might give you a clue. to what is happening.
Its best if you do these things if you ssh into the jail (just like a computer). Once in the jail, I would traverse directory tree, look at running services, start missing services, and look at looks. You may need to upgrade things within the jail like the pkgs and such, however this may also break things (temporarily). The only thing I see in your error logs is a problem with php which may mean the program can’t find your php path. On the command line you can see your php version with php --version command. It’s your responsibility to give us more information so we can help. Screen captures are nice, however they don’t allow you to actually test commands and such. I don’t remember the exact command however within the jail you can run
sudo -u www php occ config:list
This should list the config for nextcloud.
tomorrow i will be at the office and do it by ssh, i will try to give as much info i can
thanks for the hints
did you also concidered that it could be a hack?
i found weird the message from the nginx error log and look for it and found a very recent exploit for php
also tracked the client ip and its from russia
this might means nextcloud webui its vulnerable to this php exploit?
Honestly I have no idea about a possible hack. You haven’t presented enough information to come to this conclusion.
Ok, here is my nextcloud.log
as you can see, the attack started at line 139 until line 336 for a total of almost 200 php injections in about 2 minutes
From IP 18.104.22.168 (russia)
Using this tool https://github.com/neex/phuip-fpizdam
I do think i have being hacked, I will try to get more logs where i can show you
But now im concidering how to proceed, Im afraid of “fixing” this installation couse i would preffed to erase this compromised jail/plugin/installation
Thinking about reinstalling from scratch but as far as i saw in the manual, it might be something complicated
That link you posted is no good. Sorry
the google drive link?
here i uploaded to other site
well, i dont know how or why, but the nextcloud is working again
but im still looking for traces from the hacker, im pretty sure someone use the exploit i mentioned before