Owncloud:8.1 DES.php Webshell backdoor bug

Steps to reproduce

I deployed owncloud to Alibaba Cloud, and now it has been scanned by Alibaba Cloud, which says there is a webshell backdoor in des.php:

Trojan file path: /proc/10090/root/var/www/html/3rdparty/phpseclib/phpseclib/phpseclib/Crypt/DES.php

File MD5: 54a30911125b0ac5add9d7a1ff67771b

Time of first discovery: 2022-05-11 01:38:42

Update time: 2022-05-11 01:38:42

Trojan type: Webshell

A successful file was found and processed on your system detection center: it may represent the legitimacy of showing your ad after the event, and it is recommended that you show it on your website first. It can be seen that this file also has dangerous behaviors and has certain characteristics. It is not entirely possible, but it is indeed some potentially dangerous files, but it may be some dangerous website files that are deployed by employees themselves. The position selection is before selecting or issuing a command. It is recommended to set the saving path of http logs to a non-web path. If it is confirmed that it is an error report, it can be whitened through [Process] → [Add White], and the whitened path will continue to be used.

Source file download: Download

Container name: owncloud

Container ID: cc450a93421e4d71b6c8aee91d871e09b7210a0a3ae11ccf437a9d449dd4a0bc

Image ID: owncloud@sha256:c4a9a3031d63d949654e61d327da39a19dd39bfa0bc4fc29e7497bb0341deaac

Mirror name: owncloud:8.1

File path in the container: /var/www/html/3rdparty/phpseclib/phpseclib/phpseclib/Crypt/DES.php

Expected behaviour

Tell us what should happen

Actual behaviour

Tell us what happens instead

Server configuration

Operating system:
Ubuntu 18.04.1 LTS \n \l

Web server:
apache2ctl -v
Server version: Apache/2.4.10 (Debian)
Server built: Feb 24 2017 18:40:28

Database:
docker image mysql:5.7

PHP version:
php -v
PHP 5.6.30 (cli) (built: Jul 4 2017 04:28:04)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

ownCloud version: (see ownCloud admin page)
docker image owncloud:8.1

Updated from an older ownCloud or fresh install:
fresh install

Where did you install ownCloud from:
download docker images

Signing status (ownCloud 9.0 and above):
-_-

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

The content of config/config.php:
'instanceid' => 'xxxxxx',
'passwordsalt' => 'passwd-salt',
'secret' => 'lB+B5dO+no1ReK+N7Um',
'trusted_domains' =>
array (
0 => 'x.x.x.x:port',
1 => 'xx.domain.com',
2 => 'x.x.x.x',
),
'datadirectory' => '/var/www/html/data',
'overwrite.cli.url' => 'http://x.x.x.x:port',
'dbtype' => 'mysql',
'version' => '8.1.12.2',
'dbname' => 'owncloud',
'dbhost' => 'x.x.x.x:3306',
'dbtableprefix' => 'oc_',
'dbuser' => 'superadmin',
'dbpassword' => 'dbpassword',
'logtimezone' => 'UTC',
'installed' => true,

I don't know where to ask the security question, so I asked it directly here. If you need other information, please contact me.

8.1 is way out of date. You need to update to ownCloud 10.9.1 or wait a bit until 10.10.0 is released soon.
Please, read the documentation about how to upgrade.
