Nextcloud stopped running on freenas

Nextcloud version (eg, 12.0.2): FreeNAS isnt reporting Nextcloud Version
Operating system and version (eg, Ubuntu 17.04): FreeNAS-11.2-U6
Apache or nginx version (eg, Apache 2.4.25): idk, its a plugin
PHP version (eg, 7.1): idk, its a plugin

The issue you are facing:

Hi guys, Im new here and Im facing problems with my current installation

I have a FreeNAS server with netxcloud, in a small office of 8 people.
It was working perfect until a few days, but now, it doesnt work.
First thing I notice was the IP changed, so I create an IP Reservation on the router, but even fixing that (the plugin reply the pings), the web UI doesnt opens.
I have restarted the plugin and even the entire freenas, but same results.

Im not very experienced on nextcloud and i really dont know what to do, I dont want to loose all the configs, even worst, the data.

If someone can help me, I will appreciate it so much

Is this the first time you’ve seen this error? (Y/N): Y


I’m not sure I can totally help. I have nextcloud 17 running within a freenas jail – however I set up the jail and nextcloud manually and not through use of a plugin.

Did you use the nextcloud plugin to setup your nextcloud?
Can you ssh or access the nextcloud jail through command line or other means? The jail itself is going to have a different IP address than the FreeNAS box – You can think of the jail as a type of “virtual machine” with different IP address.

Hi Kev, thanks for quick reply
Yes, I installed it from the Plugin list

I have shell access to the jail via FreeNAS web UI

Where I can find some log to see whats the error

Ok - so great, you can access the jail.
Can you confirm for example that web server within the jail is running?
I’m not sure if the web server within the jail runs apache or nginx. Have you tried restarting the webserver?
Nextcloud is just a php application, not really a standalone application. It doesn’t normally run by itself in the background.

Well Im trying to check apache or nginx version and nothing

Even on started services, it isnt seems to be running anything

I found a folder for nginx on /usr/local/etc/nginx

Im still trying to find the logs

Today, before I set the IP reservation on the router, I could access to nextcloud webui in the dynamic IP (not the right one) but it says something about “not in the same domain”, i mean, i could open the webui but it was blocking me couse of this message.

After that, i set the IP reservation to the right one, reboot the jail and even the freenas server and now even with the correct IP, it seems webserver is not starting

Could it be some IP misconfiguration somewhere?

I found the logs, but im still trying to get them (download)
But it seems something happened on the month change

This is a screenshot of the snapshots, and nothing have changed since Nov 1st

And these are the errors from the nginx error log

it could be i have being hacked?

it looks like some kind of php injection

You’re not doing the basics to test for things.

Make sure webserver is up and running. If its not up and running in the jail you may have to manually start the service. Look at either nginx or apache logs in /var/log. They might give you a clue. to what is happening.

Its best if you do these things if you ssh into the jail (just like a computer). Once in the jail, I would traverse directory tree, look at running services, start missing services, and look at looks. You may need to upgrade things within the jail like the pkgs and such, however this may also break things (temporarily). The only thing I see in your error logs is a problem with php which may mean the program can’t find your php path. On the command line you can see your php version with php --version command. It’s your responsibility to give us more information so we can help. Screen captures are nice, however they don’t allow you to actually test commands and such. I don’t remember the exact command however within the jail you can run

sudo -u www php occ config:list

This should list the config for nextcloud.

tomorrow i will be at the office and do it by ssh, i will try to give as much info i can
thanks for the hints

did you also concidered that it could be a hack?
i found weird the message from the nginx error log and look for it and found a very recent exploit for php

also tracked the client ip and its from russia

this might means nextcloud webui its vulnerable to this php exploit?
php-fpm (CVE-2019-11043

Honestly I have no idea about a possible hack. You haven’t presented enough information to come to this conclusion.

Ok, here is my nextcloud.log

as you can see, the attack started at line 139 until line 336 for a total of almost 200 php injections in about 2 minutes

From IP (russia)
Using this tool

I do think i have being hacked, I will try to get more logs where i can show you

But now im concidering how to proceed, Im afraid of “fixing” this installation couse i would preffed to erase this compromised jail/plugin/installation
Thinking about reinstalling from scratch but as far as i saw in the manual, it might be something complicated

That link you posted is no good. Sorry

the google drive link?

here i uploaded to other site

well, i dont know how or why, but the nextcloud is working again

but im still looking for traces from the hacker, im pretty sure someone use the exploit i mentioned before