All files have disappeared, is my server under attack?

My YunoHost server

Hardware: Old laptop
YunoHost version: 11.1.8.2
I have access to my server : All the way
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Hello to you,

A little panic. On my pro PC I have my connection to my YunoHost open via Nextcloud, where I only synchronize my pro files; otherwise I use the virtual file system.

I have just returned to my desk (PC locked) and I realize that in the Nextcloud window, all the files were marked as deleted 3 or 4 hours ago.

I have been in the admin panel and I see no trace in the tools tab, nor anything abnormal in the logs.

From the console over SSH and as root, I don't have any command-line history with rm -Rf or anything like that.

Do you have any idea?
The data that disappeared was on an external hard drive. The Nextcloud notes that are stored in the default location are still there.

I changed the admin password, the root password and my user's password. How can I be sure there is no one else on my server?

Thanks for reading and thanks for your help.

It's strange because when I use

#!/bin/bash
set -eu
# Move into the Nextcloud install directory.
cd /var/www/nextcloud
# Scan the files of all users.
sudo -u nextcloud php occ files:scan --all

it returns this first:

Composer detected issues in your platform:
Your Composer dependencies require a PHP version ">= 8.0.0". You are running 7.4.33.

Starting scan for user 1 out of 4 (user1)
Starting scan for user 2 out of 4 (user2)
Starting scan for user 3 out of 4 (user3)
Starting scan for user 4 out of 4 (user4)
+---------+-------+--------------+
| Folders | Files | Elapsed time |
+---------+-------+--------------+
| 8888    | 46776 | 00:01:26     |
+---------+-------+--------------+

But when I go to the Nextcloud web interface my DDE is empty.
But when I run ls /media/DDE it returns my folders.

So maybe not an attack?
But why?

Thanks for your help

Hi,

What is the DDE?
Are your files really in /home/yunohost.app/nextcloud/data/?

Hello,
For the PHP error: Nextcloud uses php8.1 now. You must use this command now:

sudo -u nextcloud php8.1 /var/www/nextcloud/occ files:scan --all

The problem could be a problem of ownership or bad permissions on the parent folders or on the files. It can also be something else, but it is the first thing you must verify (with ls -la).

@charly : I guess DDE is “Disque Dur Externe”

1 Like

With time I think it was a bug of the DDE; I have bought another one.
How can I be sure no one is on my server?

@charly yes, sorry, external hard drive

To be honest, if we could be sure no one is on the server, the virtual world would be safer and cyber attacks would not exist.
However, you can monitor your server to detect intrusions with solutions like wazuh/suricata/snort, but I can't give you any information because I don't know these tools except by name. It is necessary to understand these tools if you use them, otherwise it's useless.
A good start can be to use logwatch, and pflogsumm for mail. It's not real-time detection, but it gives you a report once a day and it can be useful to find problems on the server. Logwatch reads the logs and gives you a summary.

You start by checking the logs and comparing:
- This user logged in over SSH at this time on that day: was it me? Was it legitimate?

But is the SSH port open to the internet? If yes, how complex is the password?
Is your system up to date?

1 Like
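As an added example that is not from this thread, here is a small Python script that does the "who logged in over SSH, and was it me?" review described above. It parses sshd lines in the Debian-style /var/log/auth.log format (YunoHost is Debian-based), lists accepted logins and failed attempts per source address, and flags accepted logins from addresses not in a list you supply; the log lines and the known-IP list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Debian /var/log/auth.log format (not real logs).
SAMPLE_AUTH_LOG = """\
Mar 14 08:02:11 yunohost sshd[1201]: Accepted publickey for admin from 192.0.2.10 port 51122 ssh2: ED25519 SHA256:abc
Mar 14 09:15:40 yunohost sshd[1340]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar 14 09:15:43 yunohost sshd[1340]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar 14 09:15:47 yunohost sshd[1340]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar 14 12:31:05 yunohost sshd[2210]: Accepted password for root from 203.0.113.55 port 60200 ssh2
Mar 14 13:00:02 yunohost CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches both successful and failed sshd authentication lines.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_events(log_text):
    """Return one dict per sshd login attempt found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def review_ssh_logins(log_text, known_ips):
    """Summarise accepted logins and failures; flag accepted logins from unknown IPs."""
    events = parse_sshd_events(log_text)
    accepted = [e for e in events if e["result"] == "Accepted"]
    failed_per_ip = Counter(e["ip"] for e in events if e["result"] == "Failed")
    suspicious = [e for e in accepted if e["ip"] not in known_ips]
    return {"accepted": accepted, "failed_per_ip": dict(failed_per_ip), "suspicious": suspicious}


if __name__ == "__main__":
    # Replace SAMPLE_AUTH_LOG with open("/var/log/auth.log").read() on a real server.
    report = review_ssh_logins(SAMPLE_AUTH_LOG, known_ips={"192.0.2.10"})
    for e in report["accepted"]:
        flag = "  <-- not in your known-IP list, was this you?" if e in report["suspicious"] else ""
        print(f'{e["ts"]}  {e["user"]}@{e["ip"]}  ({e["method"]}){flag}')
    for ip, n in report["failed_per_ip"].items():
        print(f"{n} failed attempts from {ip}")
```

An accepted password login for root from an address you do not recognise is exactly the kind of line to look at first; repeated failures from one address are the usual background noise of an SSH port exposed to the internet.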

Also it would be pretty unexpected that an attacker's motivation would be « Lol I'm gonna delete a bunch of random files, this is gonna be so annoying yay! »

Like, attackers usually hack into systems with incentives like 1) stealing credentials or secret information like bank accounts from which there's an actual gain such as 'get money', or 2) crypto-ransomware, i.e. encrypt your files and ask for a ransom, or 3) enlarging their botnets, or 4) ???

And in scenarios 1 and 3, I guess the attacker is more comfortable leaving no obvious trace rather than doing anything like "delete all files in Nextcloud randomly" that would bring attention to a possible breach of the server.


2 Likes

It was my DDE with all the files in it, but you're right.
I just never encountered this scenario before and panicked a little.

Sorry for my spam.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.