Just an FYI - not looking for support as have now wiped hdd and run away from Nextcloud
I setup a nextcloud server on a fresh Ubuntu 20.04 install 2 days ago. I then installed various plugins for images; the ones i remember are: Maps, Camera RAW Previews, Face Recognition, MediaDC, Recognize. I also enabled the external hdd file access plugin.
The next day I discovered I had Ransomware that had encrypted all my files. As such i’m pretty sure it came from one of the plugins, and recommend someone takes a look.
If the encryption comes from Nextcloud apps then it comes from Nextcloud and then it comes from your webserver user (e.g. www-data). Is only data from www-data encrypted? This is a sign that there was no other cause.
Can you post more details from your server- and client-settings? Logs, …
I think it can be very interesting.
Sorry but I doubt that you got ransomware through an app from the Nextcloud app store…
Is it possible that you have enabled encryption and thereby also encrypted your external storage mountpoint? If so you should have decrypted it before you ran away from nextcloud.
No, on the server, in each sub-folder of the data folder. Every file was encrypted, renamed .XXX and each sub-folder had a text file demanding bitcoin for decrypting the data. I only wiped the external hdd so i’ll pull up the logs from my (now quarantined) server and post them later.
Its the 0XXX virus. It’s not on my windows client computer (according to spyhunter) - no other client has connected to this server. Apparently this is normally infected by a phishing scam (i haven’t used email on this server so unlikely) or by a trojan app. There’s also some mention in the forums of it possibly attacking exposed samba mounts (which my hdd was briefly). I’ve only installed some basic ubuntu packages from apt, also piwigo, nextcloud and the plugins mentioned previously.
Unhelpfully, the data that’s encrypted is on an NTFS external drive which doesn’t show which user (e.g. www-data) created it. Of note is that it hasn’t attacked any of the files in the default nextcloud data directory, just that accessed when i enabled external hdd sources. So maybe its not nextcloud’s fault.
There’s nothing useful in the logs, and i don’t want to stick another usb drive in the machine, or connect it to my network, so I can’t easily share them with you.
Anyway, i’m done. I suggest you check your samba mounts are locked down tight, and that there’s nothing untoward recently added to those plugins.
As if a virus would not fool the virus scanner first. If you harbor viruses and ransomware, you should question everything.
Logs to proof this? Perhaps you have allowed it from the internet
Perhaps because the ransomware cannot attack web folders or does not even run in the web server context. But i am not an expert for 0XXX ransomware. Sorry.
Sorry there is only one solution: restore
Restore of all systems who belongs to the ransomware. I’m not sure if nextcloud is part of this. Probably not.
That’s a pretty big assumption. You didn’t provide much detail in your post, and only made it clear it was actual ransomware with a later post about it asking for bitcoin (with no further detail). You’ve provided no logs, and no evidence this had anything to do with Nextcloud.
Yet you’ve “run away” from Nextcloud, blaming plugins. You claim to have “wiped hdd”, but “don’t want to stick another USB drive in the machine”, which is unnecessary since you can just ssh in.
You’ve demonstrated very little knowledge of how anything here works, but when challenged, concede “maybe its not nextcloud’s fault”. Well, no shit.
it’s pretty unlikely that NC or one of it’s apps would be the source for your ransomwareproblem.
I. myself, am running Maps and MediaDC on my server and didn’t get infected. And I’m pretty sure that we would have known of any other ransomware-attacks if one of the other mentioned apps was affected.
So where did you get your installationfiles from? Was it always the official repository, only? (starting with installing Ububtu)
By all means… it could be that it came from somewhere else. I mean even IF there was this glitch in samba that you talked of - we on the forum would have known it since long.
