I noticed a number of Snort alerts in my firewall logs the other day pointing to the IP for my Nextcloud server.
-Nextcloud 14.0.4 running in an iocage VM. It’s externally accessible to the www and has a domain registered to the IP. Security scan came back with A+, no vulnerabilities found.
A couple of the most concerning examples:
-Nov 26 14:24:35 123.207.84.50:50422 --> 192.168.***.***:80 MALWARE-BACKDOOR JSP webshell backdoor detected
whois query points to Tencent Cloud Computing (Beijing) Co. Ltd
-Nov 21 00:54:42 61.184.72.61:64373 --> 192.168.***.***:80 SERVER-APACHE Apache Struts remote code execution
whois query points to ChinaNet Hubei Province Network
There’s quite a few other alerts for SSLv3 DDoS attacks and webapp attacks for various IP cameras pointing to the Nextcloud server, which is probably just bots poking around to see what hits. But remote code execution and trojan backdoor alerts make me worried. Are these strictly outside-in attacks, or does this indicate there’s malicious code running on my server? Is there a way to test my Nextcloud instance to make sure all is well?
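An added example, not from the original post: a small script that parses alert lines in the format quoted above and labels each one inbound (Internet host probing the server) or outbound (server initiating to the Internet), since an outbound hit is what a planted backdoor would look like while inbound hits are just scanning. The LAN address and the third alert are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Shape of the Snort lines quoted in the post:
#   "Nov 26 14:24:35 <src_ip>:<src_port> --> <dst_ip>:<dst_port> <signature message>"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) --> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<msg>.+)$"
)

# RFC 1918 ranges are treated as "inside"; checked explicitly rather than via
# ipaddress.is_private, which also flags documentation ranges like 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def classify(line: str) -> dict:
    """Parse one alert line and label its direction: inbound, outbound or lateral."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    src_lan, dst_lan = is_lan(m["src"]), is_lan(m["dst"])
    if not src_lan and dst_lan:
        direction = "inbound"    # outside host knocking on the server
    elif src_lan and not dst_lan:
        direction = "outbound"   # server reaching out to the Internet: investigate
    else:
        direction = "lateral"
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "msg": m["msg"], "direction": direction}

def summarize(lines):
    """Count alerts per direction and return the outbound ones for review."""
    parsed = [classify(l) for l in lines if l.strip()]
    counts = Counter(p["direction"] for p in parsed)
    return counts, [p for p in parsed if p["direction"] == "outbound"]

# Constructed sample: the two alerts from the post with a placeholder LAN address
# (192.168.1.10) filled in, plus one made-up outbound alert for contrast.
SAMPLE = """\
Nov 26 14:24:35 123.207.84.50:50422 --> 192.168.1.10:80 MALWARE-BACKDOOR JSP webshell backdoor detected
Nov 21 00:54:42 61.184.72.61:64373 --> 192.168.1.10:80 SERVER-APACHE Apache Struts remote code execution
Nov 27 03:10:02 192.168.1.10:41712 --> 203.0.113.7:4444 INDICATOR-COMPROMISE constructed outbound example
""".splitlines()

if __name__ == "__main__":
    counts, outbound = summarize(SAMPLE)
    print(dict(counts))
    for p in outbound:
        print("REVIEW:", p["ts"], p["src"], "->", p["dst"], p["msg"])
```

Both alerts quoted in the post come out as inbound; only a hit where the server's own address is the source would point to something running on the box.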