Nextcry? Encrypted all files through my instance

Does this affect people with NextCloudPi?

Digging through logs, I found these few requests from a few days ago:

2019-11-12T20:12:40Z	185.165.168.229 - - [12/Nov/2019:20:12:38 +0000] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.20.0" "185.165.168.229" 
2019-11-12T20:14:10Z	185.16.206.2 - - [12/Nov/2019:20:14:00 +0000] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.20.0" "185.16.206.2" 
2019-11-12T20:14:10Z	185.16.206.2 - - [12/Nov/2019:20:14:01 +0000] "GET /login HTTP/1.1" 200 1973 "-" "python-requests/2.20.0" "185.16.206.2" 
2019-11-12T20:13:25Z	185.165.168.229 - - [12/Nov/2019:20:13:11 +0000] "GET /login HTTP/1.1" 200 1975 "-" "python-requests/2.20.0" "185.165.168.229" 

Anyone else have similar requests in their logs?
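To spot the same probe pattern (a scripted client fetching / and then /login from one address) in an nginx access log, here is an added example that is not code from this thread; the log lines are constructed from the entries quoted above plus one ordinary browser hit, and the list of scripted user-agent prefixes is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four entries quoted in the thread plus one normal browser request.
SAMPLE_LOG = """\
2019-11-12T20:12:40Z\t185.165.168.229 - - [12/Nov/2019:20:12:38 +0000] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.20.0" "185.165.168.229"
2019-11-12T20:14:10Z\t185.16.206.2 - - [12/Nov/2019:20:14:00 +0000] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.20.0" "185.16.206.2"
2019-11-12T20:14:10Z\t185.16.206.2 - - [12/Nov/2019:20:14:01 +0000] "GET /login HTTP/1.1" 200 1973 "-" "python-requests/2.20.0" "185.16.206.2"
2019-11-12T20:13:25Z\t185.165.168.229 - - [12/Nov/2019:20:13:11 +0000] "GET /login HTTP/1.1" 200 1975 "-" "python-requests/2.20.0" "185.165.168.229"
2019-11-12T20:15:02Z\t203.0.113.7 - - [12/Nov/2019:20:15:01 +0000] "GET /login HTTP/1.1" 200 1975 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0" "203.0.113.7"
"""

# Leading ISO timestamp + tab, then the usual nginx combined format with a trailing client-IP field.
LINE_RE = re.compile(
    r'^\S+\t(?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumption: user agents of common scripted HTTP clients; tune to your own baseline.
SCRIPTED_UA_PREFIXES = ("python-requests/", "python-urllib/", "curl/", "go-http-client/")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}


def find_probes(log_text, window_seconds=120):
    """Flag source IPs that use a scripted client and request / then /login within the window."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])  # log order is by write time, not request time
        scripted = any(r["ua"].lower().startswith(SCRIPTED_UA_PREFIXES) for r in recs)
        probe = any(r["path"] == "/" and later["path"] == "/login"
                    and 0 <= (later["ts"] - r["ts"]).total_seconds() <= window_seconds
                    for i, r in enumerate(recs) for later in recs[i + 1:])
        if scripted and probe:
            findings[ip] = {"ua": recs[0]["ua"], "paths": [r["path"] for r in recs],
                            "first_seen": recs[0]["ts"].isoformat()}
    return findings
```

Run it over a whole access log to get a per-IP summary you can feed into a firewall block list or a ModSecurity rule review.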

These both seem to be anonymous proxies. I’ve blocked both of them at the firewall.

Agreed, I also geoblock. Best decision in my life. :slight_smile:

tl;dr nobody knows how the attack happened. This may or may not be a nextcloud issue. This may or may not be related to the nginx php-fpm exploit.

The article linked earlier in the thread does not explain things properly and thus the attack source isn’t known.

The URL with extension is also obfuscated in the article, so we have no idea if the nextcloud install itself was compromised.

I don’t see popular nextcloud providers (such as hetzner) having issues and the nextcloud reps in this forum appear clueless. This implies it’s not a nextcloud issue.

The most probable cause is that nginx and php-fpm were not updated with the latest security fixes.

I have checked my servers and that is the only entry point I could come up with so far. I doubt that it is some new hole that someone has discovered, as it looks like a worm or something that is scripted to scan for hosts.

Maybe not the best time I updated to NC 17:

Following apps have been disabled:
 deck (incompatible),
 event_update_notification (incompatible),
 files_texteditor (incompatible),
 quota_warning (incompatible),
 ransomware_detection (incompatible),   <---
 ransomware_protection (incompatible),  <--
 spreed (incompatible) 

This implies we don’t know anything. And we have to collect more facts and investigate further.

Or?

@tanghus the most important quote and advice so far: :wink:


All those have updates. So just upgrade, go to apps and update the apps.

They probably updated the article and added new information. The ransomware is looking for config/config.php and reads the datadirectory from there. Sounds like server to me.


Because it appears the nextcloud team wasn’t contacted at all regarding this issue until after the article went public.

Because there are no open github issues related to this under the server branch.

Because it appears none of the major nextcloud providers have been hit with it. A random no-name nextcloud install got hit while people who can actually pay the ransom fee have not.

Because how the server actually gets exploited is not posted anywhere on the article or in the forum linked on the article, despite claiming to have the python script in full.

As pointed out above the exploit appears to be able to read the config file and directories, but once again we don’t know how this exploit works.

This exploit was originally posted on their forum on November 9th. That was a week ago! Nobody has heard anything since and the nextcloud developers were never contacted!

Call me skeptical but I doubt this is a nextcloud issue.


This - it was definitely server-side. I had no Windows apps loaded. In response to my earlier comments, as far as I can see it was most likely down to the PHP-FPM CVE with the NGINX config after checking versions.

@Paradox55 The URL that was obfuscated is just the index.php file. It was the same for me when I visited the address, they replace it with the “Pay me bitcoin” index.

As others have said, because of the exploit it then targets the config.php file to read where the data is stored and goes from there it seems.

@ialexpw Does your setup show any warnings under Administration > Overview, at https://scan.nextcloud.com/, or at https://observatory.mozilla.org/?

Unfortunately I cannot check it as I no longer have my instance running. I took a snapshot just in case and then destroyed it.

Hmm. Well in any case, I would advise to run all of those tests regularly. I usually do it after each time I update the system which is usually a couple times a month.

Good morning. Regardless of how the story develops, it’s a good argument to patch your NC to the current version, do the same with the Linux underneath, and run your exposed cloud behind an IDS/IPS firewall (e.g. ipfire.org). At the very least you should have libapache2-modsecurity installed and running with general rules against port scanners and brute-forcing.

I would like to see more of the logs for this kind of attack so we could create our own modsecurity rules against it.


Is there a good ruleset for Modsecurity? Back at owncloud, they started one but it isn’t maintained (https://github.com/owncloud/mod_security).


As a foundation this should work fine: https://coreruleset.org/
For myself I am adding custom rulesets, depending on the web application in use.
As far as I know there are no special rulesets for Nextcloud.

Would be great to revive this old project for Nextcloud.