Unauthorized user gain admin -- nextcloud compromized

Hacker on my serveur. 0271808u@gmail.com for email registration.

WTF ???

v18.0.4.2 something wrong here

If a nextcloud representative [official) need any logs happy to provide on request via MP

Resolve the immediate security issue first. Take it off the internet if necessary, remove the user, change all passwords on the system, use TOTP. Is their account an admin?

Then you need to do a full security review of your system. Determine if the attacker gained console access. Enforce 2FA for all users. Don’t allow any unnecessary ports. Make sure you aren’t allowing any self-registration. Update all software regularly. Scan with scan.nextcloud.com and www.ssllabs.com/ssltest after each update.

The server side is “solid”. 2FA is working, based on YUBIKO keys !

Firewall + fail2ban up and running.

Nextcloud side seem fine , both scan@ and ssllabs@ are A+ rated.

Self-reg is now turn off and 2FA sms/hardware is now up and running.

Will check on a hourly basis from now.

Actually going through all logs …

Lots of ways for someone to gain access to a server. You need to prove the issue was through nextcloud and not through another attack vector.

off course.

So far, on the server logs, it’s seem nice, but still checking.
All the services/app present are fine.

The user 0271808u@gmail.com is linked to an ip

So far, this user/ip only appear in the audit or nextcloud.log files …
Nothing on any others logs …

36 entry in nextcloud.log
{“reqId”:“h37nOiliscOvdFzfTw7z”,“level”:2,“time”:“2020-05-13T17:31:49+00:00”,“remoteAddr”:“”,“user”:"–",“app”:“no app in context”,“method”:“POST”,“url”:"/index.php/login",“message”:“Login failed: admin (Remote IP:”,“userAgent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36”,“version”:“”}

oc_usage_report show around that date:
0271808u@gmail.com read 2020-05-13 19:18:1
something like 1500 hits

no apache error, no mysql error, no auth error,

still exploring

Are you sure 2FA was enabled for the “admin” user… was it using a common password with your 2FA?

What does mod security show? If they were trying to use an exploit it should be logged there.

yes, i am sure, the only admin account ( separated from my user account ) is locked without the proper yubikey hardware pass…

I am now looking a the last month logs. On may 7th, the same ip tried to brute force the serveur on port 22-ssh and port 443 and was kick by nft-rules to fail2ban for my usual 7 days kick-in-his-ass .

No matter what, i have now hardkick it in nft but it is a long shot …

Also, i did send a complain to google for hacking account, a nice mail to the user explaining his fixed IP was logged, i make an official complain to https://www.cybermalveillance.gouv.fr/ and report the IP to the FAI/ISP

Lets see what happens.

Seing 546554 sql requets from this users “0271808u@gmail.com, created, 2020-05-13 18:39:15” from oc_usage_report… seem to me like an exploit here !

If any admin from nextcloud wants logs or else, happy to provide in MP.

for me this looks like s sciptkid just trying to bruteforce into your server (as no real hacker would use a windows -machine, i think)

good luck!

will just turn selfregistration off from my server. good hint.

I don’t get what happened. Just a new user who registered himself? Or did he gain access or admin rights?


This user gain admin access

How ?. Honestly, I still don’t know.

I updated nextcloud to the latest 18.x.
I did the same for my debian 10.
I did a deep security scan, found nothing obvious

Since then, I had a network overhaul. Quit my 5 years old hardware for an ubiqity new setup.

I switch security like firewall and deep packet inspection to a dedicated appliances.

Since then, I watch carefully my serveur.
I kept this user but desable everything, change the account pass and mail.

Nothing new

On the main system or “just” a Nextcloud admin user?

Well if there is a bug, I’d prefer to have a fix.

The user gain nextcloud admin access. Nothing visible on Debian log. No strange behavior concerning the base system.

I am still not sure on exactly what happened.

The fact are as follows:

  • one user subscribe to the server.
  • he gain admin access somehow
  • used it to send nextcloud admin access to other users.
  • desabled all user.
  • I regain control via ssh and occ.

Could be a lot of thing. Could be a Debian breach, a SQL fault, a nextcloud flaw.