What to do with Ransomware/virus warning message


Nextcloud version (eg, 20.0.5): 20.0.2.2
Operating system and version (eg, Ubuntu 20.04): Debian GNU/Linux 10. 5.10.103-v8+ (aarch64)
Apache or nginx version (eg, Apache 2.4.25): Server version: Apache/2.4.38 (Debian)
PHP version (eg, 7.4): PHP 7.3.31-1~deb10u5
NextcloudPi version v1.52.4
The issue you are facing:
I get the warning message, error message and a fatal message that I don’t know what to do with

Is this the first time you’ve seen this error? (Y/N):
Not sure

The output of your Nextcloud log in Admin > Logging:
There are a number of these Level Warning App ransomware with the message:

[ransomware_protection] Warning: Prevented upload of Recordings From iPhone/GP Four Noble Truths/Tuesday 14-02-2023 1st meditation.aac because it matches extension pattern ".aac"

GET /remote.php/dav/files/Sherab/Recordings%20From%20iPhone/GP%20Four%20Noble%20Truths/Tuesday%2014-02-2023%201st%20meditation.aac
from 86.164.86.157 by Sherab at 2023-10-16T10:30:17+00:00

[ransomware_protection] Warning: Prevented upload of Music/2023 NKT AGM Recordings/p.6-2023-08-03-19-57-49.aac because it matches extension pattern ".aac"

GET /remote.php/dav/files/Sherab/Music/2023%20NKT%20AGM%20Recordings/p.6-2023-08-03-19-57-49.aac
from 86.164.86.157 by Sherab at 2023-10-16T10:30:17+00:00

There are quite a number of these warnings

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

PASTE HERE

The output of your Apache/nginx/system log in /var/log/____:
I take it you mean /var/log/syslog
It’s huge so here’s a link to Pastebin

This is a reduced version of syslog https://pastebin.com/1KC8WJui because Pastebin was not willing to take the entire file - too large

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

[ransomware_protection] Warning: Prevented upload of Music/2023 NKT AGM Recordings/p.6-2023-08-03-19-57-49.aac because it matches extension pattern ".aac"

GET /remote.php/dav/files/Sherab/Music/2023%20NKT%20AGM%20Recordings/p.6-2023-08-03-19-57-49.aac
from 86.164.86.157 by Sherab at 2023-10-16T10:30:17+00:00

and one fatal webdav with the message:


[ransomware_protection] Warning: Prevented upload of Music/2023 NKT AGM Recordings/p.6-2023-08-03-19-57-49.aac because it matches extension pattern ".aac"

GET /remote.php/dav/files/Sherab/Music/2023%20NKT%20AGM%20Recordings/p.6-2023-08-03-19-57-49.aac
from xx.xxx.xxx.xxx by Sherab at 2023-10-16T10:30:17+00:00

See here: ".aac audio file is not kept on server" (Issue #96, nextcloud/ransomware_protection, GitHub) and here: https://github.com/nextcloud/ransomware_protection/issues/55 for an explanation of why it was detected as ransomware and how you can add it to the exclude / allow list.

Thank you

This resolves the .aac files issue

I also have a ransomware .bin file appearing in one of my folders, and I don’t understand where it comes from.
I will be making a new post about it.

Cheers
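
For anyone triaging a log full of these warnings before changing the allow list, here is an added example (not part of the thread and not code from the ransomware_protection app) that groups the blocked uploads by matched pattern. It assumes the message format shown in the log lines quoted above; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Message format copied from the warnings quoted in this thread (assumption:
# other installations log the same wording). Accepts straight or curly quotes.
WARNING_RE = re.compile(
    r'\[ransomware_protection\] Warning: Prevented upload of (?P<path>.+) '
    r'because it matches extension pattern ["“](?P<pattern>[^"”]+)["”]'
)

def parse_warnings(lines):
    """Yield (path, pattern) for each ransomware_protection block message."""
    for line in lines:
        m = WARNING_RE.search(line)
        if m:
            yield m.group("path"), m.group("pattern")

def summarize(lines):
    """Per pattern: total hits, distinct files, and hits per top-level folder."""
    summary = defaultdict(lambda: {"hits": 0, "files": set(), "folders": Counter()})
    for path, pattern in parse_warnings(lines):
        entry = summary[pattern]
        entry["hits"] += 1                # every logged block, repeats included
        entry["files"].add(path)          # distinct files behind those hits
        entry["folders"][path.split("/", 1)[0]] += 1
    return dict(summary)

# Constructed sample: two messages from the thread, one repeat, one unrelated line.
SAMPLE = [
    '[ransomware_protection] Warning: Prevented upload of Recordings From iPhone/'
    'GP Four Noble Truths/Tuesday 14-02-2023 1st meditation.aac '
    'because it matches extension pattern ".aac"',
    '[ransomware_protection] Warning: Prevented upload of Music/2023 NKT AGM '
    'Recordings/p.6-2023-08-03-19-57-49.aac because it matches extension pattern ".aac"',
    '[ransomware_protection] Warning: Prevented upload of Music/2023 NKT AGM '
    'Recordings/p.6-2023-08-03-19-57-49.aac because it matches extension pattern ".aac"',
    '[core] Info: constructed unrelated log line',
]

if __name__ == "__main__":
    for pattern, entry in summarize(SAMPLE).items():
        print(f'{pattern}: {entry["hits"]} hits, {len(entry["files"])} distinct files')
        for folder, count in entry["folders"].most_common():
            print(f"    {folder}: {count}")
```

A pattern whose hits all fall on known media folders, as with `.aac` here, is a candidate for the allow list; a pattern hitting files nobody recognizes deserves a closer look first.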