Nextcry? Encrypted all files through my instance

Mostly standard, but see below:

Seems that inbox isn’t monitored and they want me to sign up to an external website to submit a report. An email would be a lot easier for this.

Oh. I didn’t know that. I would try Nextcloud - Contact us now.

Will try that also, cheers.

How did they manage to get into your server?


Through NextCloud I presume… no other files were touched and my account via SSH wasn’t logged into as far as I can see (still checking).

It seems it’s happened a couple of times the last week or so.

Are you using Nginx with PHP-FPM perhaps? Urgent security issue in NGINX/php-fpm

Well sorry to hear, but I don’t think that this happened through Nextcloud.
Reading up on Nextcry, it seems to be a ransomware mostly affecting windows systems.
So it reached your server when someone logged into it via a windows computer that was affected.

No, the contact form is not the correct place. As per the autoreply:

You have sent an email to security@nextcloud.com. This mailbox is not being monitored and mails are being dropped.
If you have discovered a security issue, please get into contact with us at https://hackerone.com/nextcloud.
To learn more about our security policies and processes, please visit Security in Nextcloud.

Kind regards Nextcloud Security Team

I’ll check into this, but I’ll have to boot the server back up, pretty sure I patched this when I heard about it, but it’s worth a check - thanks :slight_smile:

Apologies, but this is not caused by a Windows PC. I have not had one connected to it (only at the beginning a while back, at least 5-6 months ago, to seed the files). From reading into the other thread it seems to be based on a Python script, meaning that it couldn’t have gone through my Windows PC back then either.

You could be thinking of Wannacry? Which was well known to spread through Windows systems.

And you know this is a nextcloud issue how? Do you have logs that show it was through nextcloud?

So. First of all. This kind of stuff is exactly why you have a backup. Good for you.

We have not heard of this before. However, we are unaware of any exploits in Nextcloud that give remote code execution.
So if you could go through your access logs to find out what was going on, please do.

Something that comes to mind: are you by any chance running NGINX with our outdated config and an outdated php-fpm?


Would be very interesting to know how it got in…

To add to this.

Can you send me (in private) your

  • access logs
  • nextcloud version
  • php version
  • webserver and version

Then we can dive into it more.

I’ll grab this for you this weekend, as I’m away from home currently until tomorrow.

Just for info, this has now been posted below with more info also:

It’s possible that @kesselb is correct - will confirm versions once I’m back.

That article on Bleeping Computer sounds as though the ransomware targets client computers running the sync client, rather than the server itself. However having the server “locked via SSH” (meaning server OS user passwords changed?) would suggest otherwise.

Is the nginx vulnerability being involved just speculative at this point, or does that seem like a likely culprit?

In the interest of attack surface reduction, I’ll share a couple of other things I’ve done to harden my system. I run a dummy site that’s returned if the wrong/no SNI is used, so random scans are less likely to ever reveal the Nextcloud instance. I also block all connections to it from non-ARIN addresses. That in particular drastically reduced the amount of random access I get. Also, it probably goes without saying, but there is no outside SSH access or any other sort of remote control to the system. If you must have remote console access, strictly use a VPN.

If the infiltration point really is on the server, those measures will go a long way to help reduce potential exposure.

Does this affect people with NextCloudPi?

Digging through logs, I found these few requests from a few days ago:

2019-11-12T20:12:40Z	185.165.168.229 - - [12/Nov/2019:20:12:38 +0000] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.20.0" "185.165.168.229" 
2019-11-12T20:14:10Z	185.16.206.2 - - [12/Nov/2019:20:14:00 +0000] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.20.0" "185.16.206.2" 
2019-11-12T20:14:10Z	185.16.206.2 - - [12/Nov/2019:20:14:01 +0000] "GET /login HTTP/1.1" 200 1973 "-" "python-requests/2.20.0" "185.16.206.2" 
2019-11-12T20:13:25Z	185.165.168.229 - - [12/Nov/2019:20:13:11 +0000] "GET /login HTTP/1.1" 200 1975 "-" "python-requests/2.20.0" "185.165.168.229" 

Anyone else have similar requests in their logs?
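For anyone who wants to answer that question by going through their own access log rather than eyeballing it, here is a small scanner for the pattern shown in the excerpt above: requests with an HTTP-library user agent (python-requests in the posted lines) that fetch / and then /login shortly afterwards. This is an added example, not code from the original thread or from the Nextcloud project. It assumes the log layout of the excerpt (an exported ISO timestamp, a tab, then a standard combined-format entry; lines without the leading timestamp also parse), and the list of "scanner" user-agent prefixes is an assumption beyond the one agent the thread actually saw. The sample log lines are constructed for the example; the IPs in them are documentation ranges, not the addresses posted above.

```python
"""Flag library/scanner user agents and the "GET / then GET /login" probe
sequence in a Nextcloud access log.

Added example, not part of the original thread or of Nextcloud itself.
Assumptions: the log layout matches the posted excerpt (optional exported
timestamp + tab, then combined format), and SCANNER_UA_PREFIXES is a guess
at which user agents are HTTP libraries rather than browsers or the
Nextcloud desktop/mobile clients. SAMPLE_LOG is constructed test data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same layout as the posted excerpt. IPs are from
# documentation ranges; the Firefox and mirall (Nextcloud desktop client)
# lines are included so the scanner has something legitimate to ignore.
SAMPLE_LOG = """\
2019-11-12T20:12:40Z\t203.0.113.10 - - [12/Nov/2019:20:12:38 +0000] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.20.0" "203.0.113.10"
2019-11-12T20:13:25Z\t203.0.113.10 - - [12/Nov/2019:20:13:11 +0000] "GET /login HTTP/1.1" 200 1975 "-" "python-requests/2.20.0" "203.0.113.10"
2019-11-12T20:14:10Z\t198.51.100.7 - - [12/Nov/2019:20:14:00 +0000] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.20.0" "198.51.100.7"
2019-11-12T20:14:10Z\t198.51.100.7 - - [12/Nov/2019:20:14:01 +0000] "GET /login HTTP/1.1" 200 1973 "-" "python-requests/2.20.0" "198.51.100.7"
2019-11-12T20:15:02Z\t192.0.2.55 - - [12/Nov/2019:20:15:00 +0000] "GET /login HTTP/1.1" 200 1973 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0" "192.0.2.55"
2019-11-12T20:16:30Z\t192.0.2.55 - - [12/Nov/2019:20:16:28 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 812 "-" "Mozilla/5.0 (Linux) mirall/2.6.1" "192.0.2.55"
"""

LINE_RE = re.compile(
    r'^(?:\S+\t)?'                      # optional exported timestamp + tab
    r'(?P<ip>\S+) \S+ \S+ '             # client ip, ident, auth user
    r'\[(?P<ts>[^\]]+)\] '              # [12/Nov/2019:20:12:38 +0000]
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ '           # status, response size
    r'"[^"]*" '                         # referer
    r'"(?P<ua>[^"]*)"'                  # user agent
)

# Assumption: these prefixes mark HTTP libraries, not browsers or sync clients.
SCANNER_UA_PREFIXES = ("python-requests/", "python-urllib/", "curl/",
                       "Wget/", "Go-http-client/")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_scanner_ua(ua):
    return ua.startswith(SCANNER_UA_PREFIXES)


def scanner_hits_by_ip(log_text):
    """Map client IP -> list of (path, status) for requests with a scanner UA."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_scanner_ua(rec["ua"]):
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


def login_probe_ips(log_text, window_seconds=120):
    """IPs that fetched / with a scanner UA and then /login within the window.

    This is the exact sequence in the posted excerpt: / answers 302 (the
    redirect to the login page), then /login is fetched a few seconds later.
    """
    first_root = {}
    probes = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_scanner_ua(rec["ua"]):
            continue
        ip = rec["ip"]
        if rec["path"] == "/":
            first_root.setdefault(ip, rec["time"])
        elif rec["path"] == "/login" and ip in first_root:
            delta = (rec["time"] - first_root[ip]).total_seconds()
            if 0 <= delta <= window_seconds:
                probes.add(ip)
    return sorted(probes)


if __name__ == "__main__":
    for ip, reqs in scanner_hits_by_ip(SAMPLE_LOG).items():
        print(ip, reqs)
    print("login probes:", login_probe_ips(SAMPLE_LOG))
```

To run it against a real log, replace SAMPLE_LOG with the file contents (the function takes the whole text). A hit on / and /login alone only proves a scanner found the instance, not that it got in; the interesting lines are whatever the same IPs requested afterwards, so widen the search to every path those IPs touched before deciding anything.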

These both seem to be anonymous proxies. I’ve blocked both of them at the firewall.

Agreed, I also geoblock. Best decision in my life. :slight_smile: