Steps to reproduce
I deployed ownCloud to Alibaba Cloud. It has now been scanned by Alibaba Cloud, which says there is a webshell backdoor in des.php:
Trojan file path: /proc/10090/root/var/www/html/3rdparty/phpseclib/phpseclib/phpseclib/Crypt/DES.php
File MD5: 54a30911125b0ac5add9d7a1ff67771b
Time of first discovery: 2022-05-11 01:38:42
Update time: 2022-05-11 01:38:42
Trojan type: Webshell
A successful file was found and processed on your system detection center: it may represent the legitimacy of showing your ad after the event, and it is recommended that you show it on your website first. It can be seen that this file also has dangerous behaviors and has certain characteristics. It is not entirely possible, but it is indeed some potentially dangerous files, but it may be some dangerous website files that are deployed by employees themselves. The position selection is before selecting or issuing a command. It is recommended to set the saving path of http logs to a non-web path. If it is confirmed that it is an error report, it can be whitened through [Process] → [Add White], and the whitened path will continue to be used.
Source file download: Download
Container name: owncloud
Container ID: cc450a93421e4d71b6c8aee91d871e09b7210a0a3ae11ccf437a9d449dd4a0bc
Image ID: owncloud@sha256:c4a9a3031d63d949654e61d327da39a19dd39bfa0bc4fc29e7497bb0341deaac
Mirror name: owncloud:8.1
File path in the container: /var/www/html/3rdparty/phpseclib/phpseclib/phpseclib/Crypt/DES.php
Expected behaviour
Tell us what should happen
Actual behaviour
Tell us what happens instead
Server configuration
Operating system:
Ubuntu 18.04.1 LTS \n \l
Web server:
apache2ctl -v
Server version: Apache/2.4.10 (Debian)
Server built: Feb 24 2017 18:40:28
Database:
docker image mysql:5.7
PHP version:
php -v
PHP 5.6.30 (cli) (built: Jul 4 2017 04:28:04)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
ownCloud version: (see ownCloud admin page)
docker image owncloud:8.1
Updated from an older ownCloud or fresh install:
fresh install
Where did you install ownCloud from:
download docker images
Signing status (ownCloud 9.0 and above):
-_-
Log in as admin user to your ownCloud and access
http://example.com/index.php/settings/integrity/failed
Paste the results into https://gist.github.com/ and put the link here.
The content of config/config.php:
'instanceid' => 'xxxxxx',
'passwordsalt' => 'passwd-salt',
'secret' => 'lB+B5dO+no1ReK+N7Um',
'trusted_domains' =>
array (
  0 => 'x.x.x.x:port',
  1 => 'xx.domain.com',
  2 => 'x.x.x.x',
),
'datadirectory' => '/var/www/html/data',
'overwrite.cli.url' => 'http://x.x.x.x:port',
'dbtype' => 'mysql',
'version' => '8.1.12.2',
'dbname' => 'owncloud',
'dbhost' => 'x.x.x.x:3306',
'dbtableprefix' => 'oc_',
'dbuser' => 'superadmin',
'dbpassword' => 'dbpassword',
'logtimezone' => 'UTC',
'installed' => true,