Sadly Heise didn’t notice the original bleeping computer article was updated with our response:
We are confident that the attack vector was the nginx+php-fpm security issue that hit the web some time ago.
While it was not an issue in Nextcloud itself, we informed our users through all channels we had available, including a direct notification to Nextcloud servers. This likely explains why so few servers were impacted out of the hundreds of thousands of Nextcloud servers on the web.
Let me add:
PHP bug report: PHP :: Sec Bug #78599 :: env_path_info underflow in fpm_main.c can lead to RCE
Our blog: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
So the “task” of the hacker was:
- read our blog
- find Nextcloud servers
- try to execute the exploit of php_fpm+nginx
The attacker bothered to write a python script to explicitly target Nextcloud servers. We hope the lack of results will act as a deterrent from doing this in the future…
Given we have a USD 10K security bug bounty program, we’d expect most hackers that find an issue in Nextcloud serious enough to do this to report it to us.
Bleepingcomputer noted about the bitcoin wallet:
no transactions have been recorded until now