Someone scans the internet for NC/OC instances

We are hosting a few NextCloud instances and we recognize regular scans for NC and OC instances on almost any domain. The apache access log shows lines like these:

x.y.z.a - - [16/Feb/2017:09:33:17 +0100] "GET /owncloud/status.php HTTP/1.1" 403 3484 "-" "GuzzleHttp/6.2.1 curl/7.47.0 PHP/7.0.13-0ubuntu0.16.04.1"
x.y.z.a - - [16/Feb/2017:09:33:17 +0100] "GET /oc/status.php HTTP/1.1" 403 3478 "-" "GuzzleHttp/6.2.1 curl/7.47.0 PHP/7.0.13-0ubuntu0.16.04.1"
x.y.z.a - - [16/Feb/2017:09:33:17 +0100] "GET /nextcloud/status.php HTTP/1.1" 403 3485 "-" "GuzzleHttp/6.2.1 curl/7.47.0 PHP/7.0.13-0ubuntu0.16.04.1"
x.y.z.a - - [16/Feb/2017:09:33:17 +0100] "GET /status.php HTTP/1.1" 403 3475 "-" "GuzzleHttp/6.2.1 curl/7.47.0 PHP/7.0.13-0ubuntu0.16.04.1"
x.y.z.a - - [16/Feb/2017:09:33:17 +0100] "GET /oc-shib/status.php HTTP/1.1" 403 3483 "-" "GuzzleHttp/6.2.1 curl/7.47.0 PHP/7.0.13-0ubuntu0.16.04.1"

This is happening in waves and all the IP addresses (deliberately not disclosed here) are listed on https://www.abuseipdb.com as abusive and are all based in France.

Is anyone else seeing the same behavior?

Any idea what the objective might be?

1 Like


Ask the Nextcloud GmbH. :wink:

I can see the same in my Apache access logs. Just above 1000 since 7 February. Seems they are trying to get some info from status.php, in various paths.

I have not tried to track the IPs though.

Interesting, I’ve blocked those IPs in the meantime.

Good idea. Maybe fail2ban could be taught to ban such attempts. It is interesting that the requests cover some frequently used URLs (/nextcloud/status.php, /oc/status.php and so on).
Is access to that URL needed for the outside net in the first place?
Monitoring tools are located in internal networks.
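The fail2ban idea above comes down to a detection rule: one client requesting status.php under several different directories within a short time. A sketch of that rule in Python, added here as an illustration and not code from any poster or from Nextcloud; the log lines are constructed with documentation IP addresses, and the threshold of 3 directories in 60 seconds is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache access log: client IP, timestamp, request path (other fields ignored)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*"')
# status.php directly under any directory; the directory part is the "prefix"
PROBE_RE = re.compile(r'^(?P<prefix>/(?:[^/?]+/)*)status\.php(?:\?|$)')

# Constructed sample: a scanner, a monitoring client, and a normal visitor.
UA = '"-" "GuzzleHttp/6.2.1 curl/7.47.0 PHP/7.0.13-0ubuntu0.16.04.1"'
SAMPLE_LOG = [
    f'192.0.2.10 - - [16/Feb/2017:09:33:17 +0100] "GET /owncloud/status.php HTTP/1.1" 403 3484 {UA}',
    f'192.0.2.10 - - [16/Feb/2017:09:33:17 +0100] "GET /oc/status.php HTTP/1.1" 403 3478 {UA}',
    f'192.0.2.10 - - [16/Feb/2017:09:33:17 +0100] "GET /nextcloud/status.php HTTP/1.1" 403 3485 {UA}',
    f'192.0.2.10 - - [16/Feb/2017:09:33:18 +0100] "GET /status.php HTTP/1.1" 403 3475 {UA}',
    '198.51.100.7 - - [16/Feb/2017:09:40:02 +0100] "GET /status.php HTTP/1.1" 200 162 "-" "monitor/1.0"',
    '198.51.100.7 - - [16/Feb/2017:09:45:02 +0100] "GET /status.php HTTP/1.1" 200 162 "-" "monitor/1.0"',
    '203.0.113.5 - - [16/Feb/2017:09:46:11 +0100] "GET /index.php/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def find_status_probers(lines, min_prefixes=3, window=timedelta(seconds=60)):
    """Return {ip: sorted prefixes} for clients that requested status.php under
    at least min_prefixes distinct directories within one time window."""
    hits = defaultdict(list)                      # ip -> [(time, prefix)]
    for line in lines:
        m = LINE_RE.match(line)
        p = PROBE_RE.match(m["path"]) if m else None
        if not p:
            continue                              # malformed line or not a probe
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, p["prefix"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over events
            seen = {pre for t, pre in events[i:] if t - start <= window}
            if len(seen) >= min_prefixes:
                flagged[ip] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    print(find_status_probers(SAMPLE_LOG))
```

A monitoring client that polls a single status.php path repeatedly is not flagged, because the rule counts distinct directories rather than request volume.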

I think this is Nextcloud, they have been sending abuse complaints to my provider because we haven’t patched our Owncloud, yes Owncloud, yet. They sent a link to https://scan.nextcloud.com/results/ with your results.

I have already sent them an email to stop doing this, it’s abuse of the abuse process in my opinion. Also it creates a lot of unnecessary hassle with providers while I have the patch moment planned already.

Before starting some case with lawyers (like mentioned in the link above) I would prefer to collect the actual resulting problems with those checks and discuss if the benefits are worth these problems. Same thing with the existence of the mentioned status.php and the possibility to check the NC instance with it for good or bad reasons.

In the end Nextcloud GmbH has the possibility to make their decision considering the community opinion. Wanted or not that means an opened discussion, but as these two topics exist now it is opened anyway. So make the best out of it ;).

It is a marketing campaign to raise the installation count of Nextcloud.
In the case of the BSI, it is the misuse of an authority for private purposes.

I’m a bit surprised by this. Surely advertising software versions through a publicly available page is a poor security practice?

Not really, the other way around it would be security through obscurity.

But shouldn’t we usually take steps to ensure that the version information of our web stack is concealed, as far as possible? I thought this was good practice.

It seems at the very least like something that should be opt-in…

My guess is that it was meant as a nice gesture but devs didn’t really think things through and also communicated it badly.

But shouldn’t we usually take steps to ensure that the version information of our web stack is concealed, as far as possible? I thought this was good practice.
It seems at the very least like something that should be opt-in…

AFAIK certain services that use the API depend on it. Also I don’t think it really changes anything, most automated attacks don’t care about that and just brute force all the vulnerabilities ranging from newest to oldest.

Intentionally hiding version numbers is only security through obscurity and not really super useful.

If it helps it’s trivial to get the WordPress version a site runs generally also, which Google recently leveraged to send site console messages to admins informing them to upgrade from an insecure version.

I haven’t noticed these in my logs, but I might look for them now :slight_smile:

I’d have thought that security through obscurity is inadequate in itself, but not of zero value.

WTF? If a software company needs a federal agency to notify you about updates what does that tell about their update notification and update procedures? And if this were an advertisement for ownCloud users, this would be really really poor…

1 Like

I followed the German thread very lightly with imperfect translations. What exactly happens with this letter? Who are the providers who get it and what are they expected to do?

Nothing happened so far and in my opinion there is also no chance/reason that it will.

The results of the status.php scan were, for Germany, forwarded to the German federal office for internet security (BSI), and they informed the respective ISP to inform at last the Nextcloud operator.

So some people interpreted this as “attack” where actually just the anyway opened status.php was scanned. So in my opinion there is no chance (and also no reason) to harm Nextcloud GmbH in a legal way.
Also it is criticized that the federal office is used for private purpose in this case. But actually the BSI states on their website: “The BSI protects the networks of the Confederation; But it is also aimed at commercial and private providers such as users of information technology.” So it explicitly also handles private providers, and as Nextcloud/ownCloud is growing it becomes a more important share of publicly and privately used web services. I don’t know what other “private” cases the BSI normally deals with, but at least there is some argument that they could also use their possibilities to force Nextcloud/ownCloud operators to do security updates.

But of course so far I would also always prefer a transparent way of doing such and let people make their own decision about if/when they want to do their updates/security hardening. Of course some well published information about all that security topics should be there, which IS on docs.nextcloud.com and here in the forum.

I hope I got everything right so far :stuck_out_tongue:.

Except that you could be freaked out and just remove such hard-to-upgrade software.

I really don’t understand the purpose of this bizarre action, if you really worry about users and their setups, you could provide an online check like ssllabs for the SSL setup except very specific for Nextcloud. With your server address and an empty account, they can check the webdav functionalities (litmus test) and the version.

2 Likes

Here’s the email our provider got, apparently they sent lists of Own/Nextcloud instances to all providers. Not sure who sent the email, my provider won’t tell me that because multiple customers are involved. I removed the Nextcloud email address to protect against spambots etc.

http://pastebin.com/XPhxpUva

My main issue with this is that the abuse process is meant for actual abuse. Sending spam or hacking attempts, things like that. Not patching your software is simply not abuse. If every software developer starts doing this, providers are going to be very busy very quickly.

It would be great if Nextcloud stops this practice.

I really don’t understand the purpose of this bizarre action, if you really worry about users and their setups, you could provide an online check like ssllabs for the SSL setup except very specific for Nextcloud. With your server address and an empty account, they can check the webdav functionalities (litmus test) and the version.

I suppose this stuff is mainly targeted at users that wouldn’t even use an extra service like this because they either don’t care or don’t know. It’s not that hard to follow new releases. I mean: do you really want to know that you are running an old version if you are running an old version ;D?

Other actions could include:

  • Automatic updates (people will kill you)
  • Update nagging like showing popups to people every day for out of date installations