I have been looking at my web server access logs for my Nextcloud vhost and find a repeated series of GETs from a variety of source IP addresses. None are sources known to me, or have any reason to access my server. All access attempts seem to know that they are probing a Nextcloud server, as will be clear from the logs. When I try the same URL as an attacker, but obviously not logged in, I see the server does indeed return some information, though I am not sure what it is or why it is of interest to the attacker.
This question came up here in 2018 - https://help.nextcloud.com/t/should-i-be-worried-access-log-findings/34098 but sadly there was no response to it.
My question is the same as with the original - I need help understanding what it is the attacker is seeking to do. The probes, as one expects from a scripted attack, take place within a second or so, so fail2ban is not an option, taking too long to respond.
Notice the attempts to access specific core files, as well as specific apps, including theming.
Nextcloud version 20.0.8
Operating system Debian 10
Apache 2.4.38-3+deb10u4
PHP version 7.3.27-1~deb10u1
Sample sanitised log: XXX.XXX.XXX.XXX is the source “attacker” IP, mynextcloud is my server.
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] “GET / HTTP/1.1” 302 0 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] “GET /index.php/login HTTP/1.1” 200 3933 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] “GET /apps/files_rightclick/css/app.css?v=46c85d58-12 HTTP/1.1” 200 199 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:58 +0000] “GET /core/css/guest.css?v=53781f69-12 HTTP/1.1” 200 5525 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /core/js/dist/files_fileinfo.js?v=53781f69-12 HTTP/1.1” 200 8605 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /core/js/dist/files_client.js?v=53781f69-12 HTTP/1.1” 200 40997 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /apps/files_sharing/js/dist/main.js?v=53781f69-12 HTTP/1.1” 200 590 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /index.php/core/js/oc.js?v=53781f69 HTTP/1.1” 200 3911 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /index.php/apps/theming/styles?v=12 HTTP/1.1” 200 1233 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /index.php/js/core/merged-template-prepend.js?v=53781f69-12 HTTP/1.1” 200 2982 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /apps/files_pdfviewer/js/files_pdfviewer-public.js?v=53781f69-12 HTTP/1.1” 200 7603 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /apps/files_videoplayer/js/main.js?v=53781f69-12 HTTP/1.1” 200 2945 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /apps/files_rightclick/js/script.js?v=53781f69-12 HTTP/1.1” 200 3219 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /apps/files_rightclick/js/files.js?v=53781f69-12 HTTP/1.1” 200 1268 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /apps/theming/js/theming.js?v=53781f69-12 HTTP/1.1” 200 60 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /index.php/apps/theming/image/logo?v=12 HTTP/1.1” 200 12097 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /core/js/dist/main.js?v=53781f69-12 HTTP/1.1” 200 437680 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /index.php/apps/theming/image/logo?useSvg=1&v=12 HTTP/1.1” 200 12097 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /index.php/apps/accessibility/css/user-a82fd95db10ff25dfad39f07372ebe37 HTTP/1.1” 200 26899 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /core/js/dist/login.js?v=53781f69-12 HTTP/1.1” 200 244107 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:38:59 +0000] “GET /core/img/actions/confirm-white.svg?v=2 HTTP/1.1” 200 405 “http://mynextcloud/core/css/guest.css?v=53781f69-12” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:39:00 +0000] “GET /core/img/loading-dark.gif HTTP/1.1” 200 4683 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
XXX.XXX.XXX.XXX mynextcloud - [16/Mar/2021:22:39:00 +0000] “GET /core/img/actions/toggle.svg HTTP/1.1” 200 308 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36”
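One way to pick this scan pattern out of the access log, as an added example that is not from the original post: it parses lines in the format shown above (assumed to be Apache's combined format with a vhost field), groups hits by source IP, and flags a source that pulls the login page plus many distinct core/app assets within a few seconds from a HeadlessChrome user agent. The sample lines are constructed, with documentation-range IPs and straight quotes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache LogFormat matching the poster's lines:
# "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
ASSET_RE = re.compile(r'^/(index\.php/)?(core|apps)/')   # static core/app files, as in the log

def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_fingerprint_bursts(lines, window_s=5, min_assets=6):
    """Flag an IP that, within window_s seconds and from a HeadlessChrome UA, fetched the login
    page plus >= min_assets distinct core/app assets: the scan shape in the poster's log."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in sorted(by_ip.items()):
        recs.sort(key=lambda r: r["time"])
        for i, start in enumerate(recs):
            burst = [r for r in recs[i:] if (r["time"] - start["time"]).total_seconds() <= window_s]
            assets = {r["path"].split("?", 1)[0] for r in burst if ASSET_RE.match(r["path"])}
            saw_login = any(r["path"].startswith("/index.php/login") for r in burst)
            headless = any("HeadlessChrome" in r["ua"] for r in burst)
            if saw_login and headless and len(assets) >= min_assets:
                findings.append({"ip": ip, "first_seen": start["time"].isoformat(),
                                 "requests": len(burst), "assets": len(assets)})
                break   # one alert per source IP is enough
    return findings

# Constructed sample in the poster's format (documentation-range IPs, straight quotes).
UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.97 Safari/537.36"
SAMPLE = [f'203.0.113.7 mynextcloud - [16/Mar/2021:22:38:59 +0000] "GET {p} HTTP/1.1" 200 100 "-" "{UA}"'
          for p in ["/index.php/login", "/core/css/guest.css?v=1", "/core/js/dist/main.js?v=1",
                    "/core/js/dist/login.js?v=1", "/apps/theming/js/theming.js?v=1",
                    "/apps/files_rightclick/js/script.js?v=1", "/index.php/apps/theming/styles?v=12"]]
SAMPLE.append('198.51.100.2 mynextcloud - [16/Mar/2021:22:40:10 +0000] "GET /index.php/login HTTP/1.1" 200 3933 "-" "Mozilla/5.0 (Windows NT 10.0; rv:86.0) Gecko/20100101 Firefox/86.0"')
```

To run it on the real log, pass the file's lines in place of SAMPLE; each finding gives the source IP and first-seen time, which is the per-source evidence a burst too fast for fail2ban still leaves behind.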