Suspicious login hash issue

Hi,
I found some login attempts in my logs. So I decided to upgrade my Nextcloud version from 28 to 29 (29.0.7).
After the upgrade, which was successful and without errors, I found in the security warnings an error related to the file apps/suspicious_login/vendor/rubix/ml/mkdocs.yml, a hash error (INVALID_HASH). I read the documentation and replaced the file with one taken from the original archive taken from the Nextcloud site. I re-ran the integrity check (occ integrity:check-app suspicious_login) and I didn’t receive any errors. After a few minutes (maybe after cron.php was executed) the hash error comes back. I replaced the file again but the problem came back.

What should I do?
Is it possible that they hacked my server and something is modifying the mkdocs.yml file?

Thanks a lot

There is a topic about this file in the bug tracker:

Perhaps some process in your server detects this “virus” as well and modifies the file. Can you check the difference between the version in the repository with the one you have?

Do you see successful suspicious logins?
For a public server, it is normal to see a number of login attempts; this is some noise in the background. You can use tools to block external IPs after a number of attempts, and I think Nextcloud itself slows them down.
Use good passwords, 2FA if possible, SSH login just with ssh keys, …

Hello and thanks for the kind reply.
It didn’t report a virus, but a problem in the integrity verification with an incorrect hash code.
I reloaded the file (taken from the installer archive from the nextcloud site) a few more times and finally it stopped giving me hash error. Is it a good thing or a bad thing?

I tried to compare the files with diff but it tells me they are the same.

I then activated the suspicious_login app.

The Nextcloud log doesn’t report successful logins, but only failed ones, so I don’t know if they managed to get in.

I hope for the best

That it works now is perhaps a good thing. However, it would have been great to figure out what has changed the file.

Then you know at least that no usual Nextcloud user logs in. If someone has root access, they could filter that out. You could use rkhunter or chkrootkit to check the system for modifications.

Even if it is probably not an attack, it is always good to keep an eye on the log files, and also to apply security fixes quickly. For Nextcloud these are the point releases, so the next one is 29.0.8 (to be released in the coming days). For the major releases, you can pick the time that suits you best.

Yes, it would be great to find out what changed the file.
Unfortunately my installation is on a hosting plan and I can’t use tools like chkrootkit or rkhunter.
I will update my system asap and see what happens with the code integrity check.

Thanks a lot

I spoke too soon. He did it again.

The mistake is:
Technical information

The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results

  • suspicious_login
    • INVALID_HASH
      • vendor/rubix/ml/mkdocs.yml

Raw output

Array
(
    [suspicious_login] => Array
        (
            [INVALID_HASH] => Array
                (
                    [vendor/rubix/ml/mkdocs.yml] => Array
                        (
                            [expected] => 1700d24acfe9ff09b4eeb17a4cc97ca4e235627c0f20b3c76ee6d99bfcb3e60511cd753a8258ce4d576b2fdb4fd436643dd1e785f594baedc439b8e5d6ac5303
                            [current] => aa0793facb50453019e013ac8409c7823067000c51bc2fdedd4be0b5c2bfca2dc3aab6127475454e914f132c387f7bd5fa644c6dc97bd77110ce9711116f530e
                        )

                )

        )

)

and diff generates this result:

diff Downloads/mkdocs.yml Downloads/nextcloud/apps/suspicious_login/vendor/rubix/ml/mkdocs.yml
320c320,329
< - 'A high-level machine learning and deep learning library for the PHP language.'

extra_css:
  - css/custom.css

repo_url: GitHub - RubixML/ML: A high-level machine learning and deep learning library for the PHP language.
site_url: https://rubixml.com
site_description: 'A high-level machine learning and deep learning library for the PHP language.'

can it help?

Thanks a lot

console output of diff

cat original mkdocs.yml

cat modified mkdocs.yml
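As an added example (not code from the thread or from the Nextcloud project), this Python check reproduces what the integrity check's INVALID_HASH entry reports: each file listed in the app's hash list is hashed with SHA-512 and compared with the expected value, here against a constructed app tree where mkdocs.yml has extra lines appended, as in the diff above. The `hashes` layout of appinfo/signature.json and the file paths are assumptions; the certificate/signature verification that occ also performs on the hash list is left out.

```python
import hashlib
import json
import os
import tempfile


def sha512_hex(path):
    """SHA-512 of the file's raw bytes (the 128-hex-char values in the occ output)."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_app_hashes(app_dir, signature):
    """Compare every file in signature["hashes"] (relative path -> expected SHA-512 hex,
    assumed layout of appinfo/signature.json) with the file on disk. Returns only the
    INVALID_HASH part of the report, in the same expected/current layout as occ prints."""
    invalid = {}
    for rel_path, expected in signature["hashes"].items():
        full_path = os.path.join(app_dir, rel_path)
        if not os.path.isfile(full_path):
            continue  # occ reports these separately as FILE_MISSING; not covered here
        current = sha512_hex(full_path)
        if current != expected:
            invalid[rel_path] = {"expected": expected, "current": current}
    return {"INVALID_HASH": invalid}


def demo():
    """Constructed sample: a fake app tree where mkdocs.yml gained lines and README.md is untouched."""
    pristine = b"site_name: Rubix ML\nsite_url: https://rubixml.com\n"
    readme = b"# demo app\n"
    with tempfile.TemporaryDirectory() as app_dir:
        os.makedirs(os.path.join(app_dir, "vendor", "rubix", "ml"))
        # The hash list is built from the pristine bytes, as the shipped signature.json would be.
        signature = {"hashes": {
            "vendor/rubix/ml/mkdocs.yml": hashlib.sha512(pristine).hexdigest(),
            "README.md": hashlib.sha512(readme).hexdigest(),
        }}
        with open(os.path.join(app_dir, "README.md"), "wb") as f:
            f.write(readme)
        # Write the altered copy: extra lines appended, like the 320c320,329 hunk in the thread.
        with open(os.path.join(app_dir, "vendor", "rubix", "ml", "mkdocs.yml"), "wb") as f:
            f.write(pristine + b"extra_css:\n  - css/custom.css\n")
        return check_app_hashes(app_dir, signature)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against a real installation, load apps/<app>/appinfo/signature.json and pass the app directory as app_dir; any byte-level change to a listed file yields an INVALID_HASH entry, so comparing the installed file (not a downloaded copy) against the archive version is what pins down the modification.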

I’ve updated to version 29.0.8 but the issue still remains.
Could someone help me?
Thanks a lot
