Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

UNRAID / Nextcloud Share Ransomware

Featured Replies

  First I want to state that I am sure this was an issue with my configuration and security protocol I had implemented not being strong enough and no fault of UNRAIDs, but has anyone else been ransomewared? So I get back from vacation, and I saw that my nextcloud wasn't working on any of my devices. I clicked on the web shortcut to my subdomain and saw it was a 502 bad gateway error. I actually didn't figure it out for a hot minute because I was restarting containers, and reviewing logs. I have three main containers that are all connected to my Nextcloud Share (Nginx, MariaDB, and Nextcloud). What threw me off is that all three containers logs were going crazy (looping with the same error), so I was going down rabbit holes figuring out why MariaDB kept looping through an error "umask cahnged from 020 to 0640" and then nextcloud was also throwing a php config error, and I can't remember what Nginx was doing. Long story short when I started digging through the config directories, I realized that there was a funky file in each directory. It was like `$38DECRYPT-README$%^ something like that. When you read it, it had a message from whoever hacked me stating to pay them in bitcoin to decrypt my files. The good news is that I have a good backup process and none of the client files were harmed. The only thing that was harmed was the server/config files that were all attached to the Nextcloud share. So basically I blew away the Nextcloud share a redeployed. A day of down time, no harm no foul. But I guess the point of this thread is to, A: see if this has happened to anyone else? and B: what steps can be taken to better prevent against this in the future?

 

Craig

Solved by Kilrah

  • Solution

Was your nextcloud up to date, 2FA enabled etc?

  • Author

Kilrah,

 

  I did now. But not before. Just used my username and password thinking that'd be good enough. We'll see how this holds up.

 

Craig

  • 4 weeks later...

that's terrible :(
only nextcloud got hit? do you have fail2ban? was your ssh exposed?

  • Author

Yeah specifically nextcloud share folder. No ssh wasn't exposed and since then I blew away nextcloud and rebuilt, then implemented 2FA.

I believe Nextcloud will pay $10,000 for any information leading to an, "actionable" error. Go for it!

  • 2 weeks later...
  • Author

Sooooo... I had 2FA turned on and forced, whoever these turds are got into my NextCloud instance again... anyone have any other suggestions? 

  • Author

Ohhhhhhhhhhh.... Just figured it out... it's the security with my UNRAID, not NextCloud. Because although the nextcloud share has been compromised, the /mnt/user/appdata/mariadb and /mnt/user/appdata/Nginx-Proxy-Manager-Official/data are also compromised along with the nextcloud config files. So if I am not mistaken, I need to bump up the security of my UNRAID. Can anyone confirm my assessment is accurate?  

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.