UNRAID / Nextcloud Share Ransomware


waymo7
Solved by Kilrah

Recommended Posts

First I want to state that I am sure this was an issue with my configuration and the security protocol I had implemented not being strong enough and no fault of UNRAID's, but has anyone else been ransomwared?

So I get back from vacation, and I saw that my Nextcloud wasn't working on any of my devices. I clicked on the web shortcut to my subdomain and saw it was a 502 Bad Gateway error. I actually didn't figure it out for a hot minute because I was restarting containers and reviewing logs. I have three main containers that are all connected to my Nextcloud share (Nginx, MariaDB, and Nextcloud). What threw me off is that all three containers' logs were going crazy (looping with the same error), so I was going down rabbit holes figuring out why MariaDB kept looping through an error "umask changed from 020 to 0640", and then Nextcloud was also throwing a PHP config error, and I can't remember what Nginx was doing.

Long story short, when I started digging through the config directories, I realized that there was a funky file in each directory. It was something like `$38DECRYPT-README$%^`. When you read it, it had a message from whoever hacked me stating to pay them in bitcoin to decrypt my files. The good news is that I have a good backup process and none of the client files were harmed. The only thing that was harmed was the server/config files that were all attached to the Nextcloud share. So basically I blew away the Nextcloud share and redeployed. A day of downtime, no harm no foul.

But I guess the point of this thread is to, A: see if this has happened to anyone else? and B: what steps can be taken to better prevent against this in the future?

 

Craig

Link to comment
  • 4 weeks later...
  • 2 weeks later...

Ohhhhhhhhhhh.... Just figured it out... it's the security with my UNRAID, not Nextcloud. Because although the Nextcloud share has been compromised, the /mnt/user/appdata/mariadb and /mnt/user/appdata/Nginx-Proxy-Manager-Official/data are also compromised along with the Nextcloud config files. So if I am not mistaken, I need to bump up the security of my UNRAID. Can anyone confirm my assessment is accurate?

Link to comment
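The two posts above walk through the same triage by hand: find the ransom note in one directory, then check whether the same note shows up in other shares and appdata paths, because notes outside the Nextcloud share mean the foothold was the host (or a credential shared across containers), not the single app. The script below is an added example, not code from the thread or from Unraid: it scans a list of share/appdata roots for ransom-note-style filenames and reports which roots are hit. The filename regex and the `$38DECRYPT-README$%^` sample name are assumptions built from the post's description, not known indicators, and the directory tree it scans is constructed in a temp directory so it runs offline.

```python
"""Scope check after a ransomware hit on an Unraid box (added example).

Given several share/appdata roots, look for ransom-note files by name and
report which roots contain them. Notes under more than one root (e.g. the
Nextcloud share *and* appdata/mariadb) mean the attacker was not confined
to one application's share.
"""
import os
import re
import tempfile
from pathlib import Path

# Ransom notes are usually short text files whose names shout DECRYPT/RESTORE/README.
# This pattern is an assumption for the example, not a vendor signature; README.md
# alone does not match because the name must also carry a decrypt/restore word.
NOTE_NAME = re.compile(
    r"(decrypt|restore|recover|how.?to).*(readme|files|txt|html)"
    r"|readme.*(decrypt|restore)",
    re.IGNORECASE,
)


def looks_like_ransom_note(path: Path) -> bool:
    """Name-based check only; content inspection is left to the operator."""
    return path.is_file() and NOTE_NAME.search(path.name) is not None


def find_ransom_notes(root) -> list:
    """Recursively collect note-like files under one root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            candidate = Path(dirpath) / name
            if looks_like_ransom_note(candidate):
                hits.append(candidate)
    return sorted(hits)


def compromise_scope(roots) -> dict:
    """Map each root that contains notes to the list of note paths found there."""
    scope = {}
    for root in roots:
        hits = find_ransom_notes(root)
        if hits:
            scope[str(root)] = [str(p) for p in hits]
    return scope


def beyond_single_app(scope: dict, app_root) -> bool:
    """True when notes exist outside app_root: the breach is wider than that one app."""
    prefix = str(app_root)
    return any(not root.startswith(prefix) for root in scope)


def build_sample_tree(base=None) -> Path:
    """Constructed sample layout mirroring the thread: notes in the Nextcloud
    config dir and in two appdata dirs, a clean media share, and a benign README.md."""
    base = Path(base or tempfile.mkdtemp(prefix="unraid-scope-"))
    layout = {
        "user/nextcloud/config/$38DECRYPT-README$%^": "pay in bitcoin to decrypt",
        "user/nextcloud/config/config.php": "<?php $CONFIG = array();",
        "user/appdata/mariadb/$38DECRYPT-README$%^": "pay in bitcoin to decrypt",
        "user/appdata/Nginx-Proxy-Manager-Official/data/$38DECRYPT-README$%^": "pay",
        "user/appdata/Nginx-Proxy-Manager-Official/data/README.md": "# NPM data",
        "user/media/holiday.jpg": "not really a jpeg",
    }
    for rel, content in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    roots = [
        base / "user/nextcloud",
        base / "user/appdata/mariadb",
        base / "user/appdata/Nginx-Proxy-Manager-Official",
        base / "user/media",
    ]
    scope = compromise_scope(roots)
    for root, notes in scope.items():
        print(f"{root}: {len(notes)} ransom note(s)")
    if beyond_single_app(scope, base / "user/nextcloud"):
        print("Notes found outside the Nextcloud share: treat the host as compromised.")
```

On a real box you would point `roots` at `/mnt/user/<share>` and the `/mnt/user/appdata/<container>` directories rather than the constructed tree, and take a `beyond_single_app` result as the cue to rebuild from known-good media and rotate every credential the containers shared, not just the Nextcloud one.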
