Nginx service was down after running a security audit by Acunetix

The Nginx service stopped after running a security audit against port 443, and as a result the cloud service was down.

Server Information:
Operating system: CentOS7
Web server: Nginx
Database: mariadb
PHP version: 5.6.31

Nextcloud version: 11.0.3
Source Nextcloud: source

Please help me fix this.
Thank you in advance.

Hi,

What exactly has Acunetix done during the security audit? Did they find a security leak in nginx and were able to crash it?

There is the app “Issue Template” in the app store (https://apps.nextcloud.com/apps/issuetemplate). Could you please install it on your server, then go to the admin page (“Management” in English, I believe) and on the left pane click “Issue Reporting”. There is the button “Show” next to “Server information details”. Please click it and copy all the details from there into this thread.

Hi Schmu, thanks for your response.
These are the details from “Issue reporting”, as you suggested.

General server configuration

Operating system: Linux 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64
Web server: nginx/1.12.1 (fpm-fcgi)
Database: mysql 5.5.52

PHP version: 5.6.31

PHP-modules loaded
 - Core
 - date
 - ereg
 - libxml
 - openssl
 - pcre
 - zlib
 - filter
 - hash
 - Reflection
 - SPL
 - session
 - standard
 - cgi-fcgi
 - bz2
 - calendar
 - ctype
 - curl
 - dom
 - mbstring
 - fileinfo
 - ftp
 - gd
 - gettext
 - iconv
 - exif
 - mysqlnd
 - PDO
 - Phar
 - posix
 - shmop
 - SimpleXML
 - sockets
 - sqlite3
 - sysvmsg
 - sysvsem
 - sysvshm
 - tokenizer
 - xml
 - xmlwriter
 - xsl
 - mysql
 - mysqli
 - pdo_mysql
 - pdo_sqlite
 - wddx
 - xmlreader
 - apcu
 - json
 - zip
 - mhash
 - apc

Nextcloud configuration

Nextcloud version: 11.0.3 (stable) - 11.0.3.2

Updated from an older Nextcloud/ownCloud or fresh install: YOUR ANSWER HERE

Where did you install Nextcloud from: YOUR ANSWER HERE

Are you using external storage, if yes which one: Array
(
[0] => \OC\Files\Storage\Local
[1] => \OCA\Files_External\Lib\Storage\FTP
[2] => \OC\Files\Storage\DAV
[3] => \OCA\Files_External\Lib\Storage\OwnCloud
[4] => \OCA\Files_External\Lib\Storage\SFTP
[5] => \OCA\Files_External\Lib\Storage\AmazonS3
[6] => \OCA\Files_External\Lib\Storage\Dropbox
[7] => \OCA\Files_External\Lib\Storage\Google
[8] => \OCA\Files_External\Lib\Storage\Swift
[9] => \OCA\Files_External\Lib\Storage\SFTP
)

Are you using encryption: yes

Are you using an external user-backend, if yes which one: YOUR ANSWER HERE (LDAP/ActiveDirectory/Webdav/…)

Signing status
[]
Enabled apps
 - activity: 2.4.1
 - admin_audit: 1.1.0
 - comments: 1.1.0
 - dav: 1.1.1
 - encryption: 1.4.1
 - federatedfilesharing: 1.1.1
 - federation: 1.1.1
 - files: 1.6.1
 - files_external: 1.1.2
 - files_pdfviewer: 1.0.1
 - files_sharing: 1.1.1
 - files_texteditor: 2.2
 - files_trashbin: 1.1.0
 - files_versions: 1.4.0
 - files_videoplayer: 1.0.0
 - gallery: 16.0.0
 - issuetemplate: 0.2.2
 - logreader: 2.0.0
 - lookup_server_connector: 1.0.0
 - nextcloud_announcements: 1.0
 - notifications: 1.0.1
 - password_policy: 1.1.0
 - provisioning_api: 1.1.0
 - serverinfo: 1.1.1
 - sharebymail: 1.0.1
 - survey_client: 0.1.5
 - systemtags: 1.1.3
 - templateeditor: 0.2
 - theming: 1.1.1
 - twofactor_backupcodes: 1.0.0
 - updatenotification: 1.1.1
 - workflowengine: 1.1.1
Disabled apps
 - external
 - files_accesscontrol
 - files_automatedtagging
 - files_retention
 - firstrunwizard
 - user_external
 - user_ldap
 - user_saml
Content of config/config.php
{
    "instanceid": "ocmpvci1ink1",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "REMOVED SENSITIVE VALUE"
    ],
    "datadirectory": "\/usr\/share\/nginx\/data",
    "overwrite.cli.url": "REMOVED SENSITIVE VALUE",
    "dbtype": "mysql",
    "version": "11.0.3.2",
    "dbname": "owncloudDB",
    "dbhost": "localhost",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "logtimezone": "UTC",
    "installed": true,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "theme": "",
    "maintenance": false,
    "mail_smtpmode": "smtp",
    "mail_from_address": "REMOVED SENSITIVE VALUE",
    "mail_domain": "REMOVED SENSITIVE VALUE",
    "mail_smtphost": "localhost",
    "mail_smtpport": "25",
    "logfile": "\/var\/log\/owncloud\/auth.log",
    "loglevel": 0,
    "log_authfailip": true
}

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Operating system: YOUR ANSWER HERE

Logs

Web server error log
Insert your webserver log here
Nextcloud log (data/nextcloud.log)
Insert your Nextcloud log here
Browser log
Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

Hi,

Thank you for the details. Could you please also attach the nextcloud.log and the webserver log from the time when nginx crashed/stopped?

@LukasReschke is this something you could have a look at?

After running the scan for about 9 minutes, the nginx service crashed and stopped.

As you requested, this is the error log from nginx and Acunetix at the time of the crash.

Nginx error log
2017/10/11 16:04:51 [error] 821#821: *4084 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /wstat/ HTTP/1.1", host: "hostname"
2017/10/11 16:04:56 [error] 821#821: *4104 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /statystyka/ HTTP/1.1", host: "hostname"
2017/10/11 16:05:01 [error] 821#821: *4124 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /statystyka/ HTTP/1.1", host: "hostname"
2017/10/11 16:05:06 [error] 821#821: *4144 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /statystyka/ HTTP/1.1", host: "hostname"
2017/10/11 16:05:11 [error] 821#821: *4164 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /statystyka/ HTTP/1.1", host: "hostname"
2017/10/11 16:05:16 [error] 821#821: *4184 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /awstats.pl HTTP/1.1", host: "hostname"
2017/10/11 16:05:17 [error] 821#821: *3947 upstream timed out (110: Connection timed out) while connecting to upstream, client: 203.170.50.50, server: hostname, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "hostname"
2017/10/11 16:05:17 [error] 821#821: *3947 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 203.170.50.50, server: hostname, request: "GET /favicon.ico HTTP/1.1", host: "hostname", referrer: "https://hostname/"
2017/10/11 16:05:22 [error] 821#821: *4207 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /awstats.pl HTTP/1.1", host: "hostname"
2017/10/11 16:05:27 [error] 821#821: *4227 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /awstats.pl HTTP/1.1", host: "hostname"
2017/10/11 16:05:32 [error] 821#821: *4247 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /awstats.pl HTTP/1.1", host: "hostname"
2017/10/11 16:05:37 [error] 821#821: *4267 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /sysstat/index.html HTTP/1.1", host: "hostname"

This is the Acunetix error log from the scan at the time of the crash.

Thanks in advance for your help.

Looks like fastcgi died and not nginx. The Gateway Timeout you saw on the white web page was shown because your PHP handler didn’t respond in time. So fastcgi either went down or simply couldn’t handle the amount of requests. Looks like your security scan was a denial of service attack in the end.

However this is no issue with Nextcloud.
It’s rather a matter of increasing the performance of fastcgi. Maybe run it as a socket instead of a TCP connection:

upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/run/php-fpm/php-fpm.sock;
}

Maybe an update to a newer version would help as well. Just an idea.
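As an added example (not code from the thread or from Nextcloud), a small Python triage of the nginx error-log format posted above that implements the distinction drawn in the answer: lines mentioning the upstream mean PHP-FPM stopped accepting or answering, while the open() 404 lines are nginx itself answering the scanner's path probing. The sample lines, the placeholder client IP, the DOC_ROOT value and the unix-socket line (showing what PHP-FPM overload looks like after switching to a socket) are constructed assumptions.

```python
import re
from collections import Counter

DOC_ROOT = "/usr/share/nginx/html"  # document root visible in the posted favicon.ico line

# Constructed sample in the format of the posted nginx error log (placeholder host/IP); the
# third line is an assumed overload signature after PHP-FPM is moved to a unix socket.
SAMPLE_LOG = """\
2017/10/11 16:05:16 [error] 821#821: *4184 open() "/usr/share/nginx/html404" failed (2: No such file or directory), client: , server: hostname, request: "GET /awstats.pl HTTP/1.1", host: "hostname"
2017/10/11 16:05:17 [error] 821#821: *3947 upstream timed out (110: Connection timed out) while connecting to upstream, client: 203.0.113.10, server: hostname, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "hostname"
2017/10/11 16:05:18 [error] 821#821: *3950 connect() to unix:/run/php-fpm/php-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 203.0.113.10, server: hostname, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-fpm.sock:", host: "hostname"
"""

HEAD_RE = re.compile(r'^(?P<ts>\S+ \S+) \[\w+\] \d+#\d+: \*\d+ (?P<rest>.*)$')
FIELD_RE = re.compile(r'(?:^|, )(\w+): ("[^"]*"|[^,]*)')
OPEN_RE = re.compile(r'^open\(\) "([^"]+)" failed')

def parse_line(line):
    """Split a line into timestamp, free-text message and the trailing key: value fields."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    msg, _, tail = m.group("rest").partition(", client: ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall("client: " + tail)}
    return {"ts": m.group("ts"), "msg": msg, **fields}

def classify(rec):
    """'upstream': PHP-FPM did not accept/answer; 'static_404': nginx could not open a file."""
    if "upstream" in rec["msg"]:
        return "upstream"
    if OPEN_RE.match(rec["msg"]) and "No such file" in rec["msg"]:
        return "static_404"
    return "other"

def odd_open_paths(recs):
    """Paths like DOC_ROOT + "404" with no '/' separator (inference: a directive joined without a slash)."""
    paths = set()
    for r in recs:
        m = OPEN_RE.match(r["msg"])
        if m and m.group(1).startswith(DOC_ROOT) and not m.group(1)[len(DOC_ROOT):].startswith("/"):
            paths.add(m.group(1))
    return sorted(paths)

def summarize(log_text):
    # Counts per class, first upstream failure, which upstream targets failed, and odd paths.
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    ups = [r for r in recs if classify(r) == "upstream"]
    return {
        "counts": dict(Counter(classify(r) for r in recs)),
        "first_upstream_failure": ups[0]["ts"] if ups else None,
        "upstream_targets": dict(Counter(r.get("upstream", "?") for r in ups)),
        "odd_paths": odd_open_paths(recs),
    }
```

Run `summarize()` over the real error log around the crash time: a burst of `upstream` entries with no matching nginx-side error is the signature of the PHP handler, not nginx, being the bottleneck.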
