Strange files in root

tienelle · May 21, 2025, 8:19am

Lists follow. The only app I remember intentionally installing (not including the base set) is “deck”. The webserver’s Apache 2.4.63, PHP is 8.2.28, I’m using PHP-FPM.

In terms of timing, these files appeared while I was running Nextcloud 31.0.4; I noticed them when I upgraded to 31.0.5.

occ config:list system:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "***REDACTED: external domain name***",
            "***REDACTED: server internal IP address***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "31.0.5.1",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "default_phone_region": "GB",
        "maintenance": false,
        "loglevel": 2,
        "theme": "",
        "maintenance_window_start": 22
    }
}

occ app:list:

Enabled:
  - activity: 4.0.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.1
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_totp: 13.0.0-dev.0
  - twofactor_webauthn: 2.1.0
  - updatenotification: 1.21.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0
  - encryption: 2.19.0
  - files_external: 1.23.0
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0
  - user_ldap: 1.22.0

fuxing · May 21, 2025, 10:29am

I’m pretty sure, that NC 30 already made those files.

NC29 didn’t, so there was no warning when updating to 30.
But as V30 created those files, the update to 31 brought the warning.

dl8bh · May 22, 2025, 7:27am

Just had the same issue on FreeBSD (nginx+php-fpm), was made aware by the nextcloud updater from 31.0.4 → 31.0.5
This made me an headache as I assumed, this might have been some artifact of an (hopefully unsuccessful) attack. Considering the attack surface of inkscape, my theory was, that an attacker tried to use inkscape for further actions… Good, that I had no inkscape installed in my nextcloud-jail.

Lukas_Ilavsky · May 22, 2025, 1:34pm

Unfortunately, I can’t tell in which version the files started to appear. I do know that they appear as soon as I load any page. The file is always created when I refresh the page using F5. I believe this is related to the svg image type.

jtr · May 22, 2025, 4:08pm

This does further suggest to me that this is somehow associated with ImageMagick. My understanding is that some versions / configurations of ImageMagick try to utilize Inkscape for SVG files.

ImageMagick is used by PHP’s Imagick.

Nextcloud utilizes PHP Imagick (if installed), but does not call Inkscape in any way directly.

Beyond that I don’t know why you’d be seeing these files, let alone seeing them in the root installation folder of Nextcloud.

My research suggests that ImageMagick’s temporary/work files are generally always called magick-[random_string]. So the naming scheme doesn’t seem to match that, but perhaps there are some ways of modifying that and/or scenarios where a different scheme is used.

As for these ending up in the installation folder, perhaps a non-default default temp directory configured somewhere?

Keep in mind that for the most part the prior to bits aren’t under the control of Nextcloud itself. Also, this doesn’t seem to be a universal problem. So identifying the culprit is starting to sound like looking at the broader environment your Nextcloud instance is running in.

So some ideas:

Check temporary directory related settings of the host, container, web server, PHP, etc
Check the specific versions (+package sources since compile time options could be a factor) of ImageMagick installed (and maybe compare against others experiencing the same behavior)
Check ImageMagick’s parameters in: { delegates.xml, configure.xml, etc. }.

bb77 · May 22, 2025, 5:37pm

Who knows what’s happening when clicking on the install button for Nextcloud on an Asustor NAS.

I can only say that much: I would never ever install ‘apps’ like Nextcloud through a propertary App Store of commercial NAS, unless maybe it’s documented in detail what happens when clicking on that install button.

A better option would probably be to spin upo a VM, and then use one of the officially supported installation methods:

Nextcloud docs: Installation and server configuration — Nextcloud latest Administration Manual latest documentation
Nextcloud AIO: GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.

fuxing · May 23, 2025, 6:07am

I have set a custom tempdir in config.php. But removing it from config.php doesn’t make a difference for me…

sugarcube · July 9, 2025, 7:27pm

I see these files in my installation directory too. I grep’ed “inkscape” and got a result in [nextcloud-dir]/apps/maps/css/images.
maps_black.svg, marker-icon-bg.svg and marker-icon.svg contain a lot of references to inkscape.
The files appear, when I login in Firefox and nextcloud presents the dashboard. Every time I try this, new files appear.

I run NC 31.0.6 fully updated on an ASUSTOR AS6704T and it is a manual installed version.

system · October 7, 2025, 7:28pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.