Nextcry? Encrypted all files through my instance

It might be better to deny all but access to index.php and remote.php?

Just for the record, our current understanding is that the servers (both known cases) were entered via the NGINX + PHP_FPM security issue we blogged about 3 weeks ago (October 24th):

We are still trying to completely verify this, but that is only possible once one of the 2 affected instances can provide us with usable access-log files.

FYI, this article has just been posted at Heise Security:

Sadly Heise didn’t notice the original Bleeping Computer article was updated with our response:

We are confident that the attack vector was the nginx+php-fpm security issue that hit the web some time ago.

While it was not an issue in Nextcloud itself, we informed our users through all channels we had available, including a direct notification to Nextcloud servers. This likely explains why so few servers were impacted out of the hundreds of thousands of Nextcloud servers on the web.

Let me add:

PHP bug report: PHP :: Sec Bug #78599 :: env_path_info underflow in fpm_main.c can lead to RCE
Our blog: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/

So the “task” of the hacker was:

  1. read our blog
  2. find Nextcloud servers
  3. Try to execute the exploit of php_fpm+nginx

The attacker bothered to write a python script to explicitly target Nextcloud servers. We hope the lack of results will act as a deterrent against doing this in the future…
Given we have a USD 10K security bug bounty program, we’d expect most hackers that find an issue in Nextcloud serious enough to do this to report it to us.

Bleepingcomputer noted about the bitcoin wallet:

no transactions have been recorded until now

6 Likes
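The post above says the cause can only be confirmed once one of the affected instances hands over usable access logs. As an added example (written for this thread, not code from Nextcloud or from the page), here is the kind of check one would run over an nginx access log: it parses the default "combined" format and flags requests to a `.php` script whose PATH_INFO part decodes to a line break, since a newline in the path is the request shape that defeats the usual `fastcgi_split_path_info` regex and reaches the PHP-FPM bug referenced above. The log lines are constructed for the example (RFC 5737 documentation addresses), and the flagging rule is a heuristic of mine, not a published indicator from either affected server.

```python
"""Flag nginx access-log requests whose .php PATH_INFO carries an encoded
newline. Example code for this thread; not Nextcloud's own code."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in nginx's default "combined" format. These are NOT logs
# from the affected instances; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Nov/2019:10:01:12 +0000] "GET /index.php/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2019:10:01:14 +0000] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 812 "-" "Nextcloud-client"
198.51.100.23 - - [19/Nov/2019:10:02:40 +0000] "GET /index.php/PHP%0Aprobe.php?QQQQQQQQQQQ HTTP/1.1" 502 157 "-" "python-requests/2.22.0"
198.51.100.23 - - [19/Nov/2019:10:02:41 +0000] "GET /index.php/PHP%0Aprobe.php?QQQQQQQQQQQQQQQ HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
192.0.2.9 - - [19/Nov/2019:10:03:05 +0000] "GET /status.php HTTP/1.1" 200 210 "-" "curl/7.64.0"
"""

# One "combined" log line: client, ident, user, time, request line, status,
# bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# ".php" followed by a path component: the part nginx hands to PHP-FPM as
# PATH_INFO when the script lives in a location like "~ \.php(?:$|/)".
PATH_INFO_RE = re.compile(r'\.php(?P<info>/[^?\s]*)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(target):
    """True when the request routes to a .php script and its PATH_INFO part,
    percent-decoded once (as nginx does for $uri), contains CR or LF."""
    path = target.split('?', 1)[0]
    m = PATH_INFO_RE.search(path)
    if not m:
        return False
    decoded = unquote(m.group('info'))
    return '\n' in decoded or '\r' in decoded


def scan(log_text):
    """Return the parsed records of suspicious requests, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec['target']):
            hits.append(rec)
    return hits


def sources(hits):
    """Count suspicious requests per client address, most active first."""
    return Counter(h['ip'] for h in hits).most_common()


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['ip']} {h['status']} {h['method']} {h['target']}")
    print("clients:", sources(found))
```

To run this against a real file, replace `SAMPLE_LOG` with the contents of the nginx access log (for the default format; a custom `log_format` needs a different `LOG_RE`). Legitimate Nextcloud traffic such as `/index.php/login` or `/remote.php/webdav/` is not flagged because nothing in its PATH_INFO decodes to a line break, while repeated probes from one client with a `502` followed by a `200` are the pattern worth pulling the php-fpm error log for.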

@jospoortvliet Perhaps it would be worth contacting the author of the article to get the missing information added. As you know the c’t magazine is an IT reference and most articles will be published in the printed medium too :wink:

I’ll try. Also, we did put the statement in a blog:

Of course, in the end, it is a non-story about how somebody tried and failed to exploit Nc servers, finding out our users are awesome at keeping their servers up-to-date. At least I think that a hit rate of 2 out of 300,000 is pretty good for an issue we warned about 3 weeks ago; compare that to how many Windows systems still get taken over with bugs that are years old, known and patched :wink:

So pat yourself on the back, dear Nextcloud users! :clap: :clap: :clap: :clap: :partying_face:

I’m still sorry for the two users who got hit, it is of course super frustrating and I hope neither really lost any data. Shows the importance of backups, for sure… Even if Nextcloud were perfectly secure your server can still be hacked through issues in other parts of the server, like the webserver, kernel and so on. Sad reality :cry:

This is of course also why we have the ‘server checks’ that try to find non-Nextcloud issues in your server, same with the security scanner. Use them! :dark_sunglasses:

3 Likes

Speaking about Heise and reference: Heise was a reference. This article clearly shows the lack of quality. For many years I have not bought anything from them.

They pretty much only referenced the Bleepingcomputer article, without any substantial additional information except a translation into German basically. Is Heise now a translation service only? No deep digging into the issues anymore? Maybe trying to find the instances affected and investigating a bit like good investigative journalists would do?

Sad to see what became of them.

2 Likes