Owncloud Database Wiped by Randsomware

Hello,

Sorry in advance, i am new to this forum and i hope i will be following its guideline.
Yesterday, my owncloud MariaDB database was hacked (wiped) asking for some bitcoin exchange.

Files are still there on the server (no loss) just the DB (so i guess all the user schema definition and file sharing access permission).

This is not a big deal but i want to understand what vulnerability was use to fix it before restoring

MariaDB port is not open on the internet
Owncloud use defaut https port (version 10.8.0.4)
phpmyadmin is opened to internet (version 5.2)

The owncloud db access was secured with a strong password.
Actually, there was another database on accessible with this user that did not get wiped (only the owncloud db)

This is why i believe it is not a php issue but a proper owncloud vulnerability
The version is not last one (10.10) but pretty recent. It is running on php 7.3

Have you heard such vulnerability on owncloud 10 ?

MAny thanks for your feedback / expertise.

AsTernes

Actual behaviour

DB hacked and Wiped :frowning:

Server configuration

Operating system: Asustor NAS latest OS (Linux based)

Web server:
Apache 2.4.54.r16
Database:
MariaDB 10.7.3.r61
PHP version:
7.3.33.r228
ownCloud version: (see ownCloud admin page)
10.8.0.4
Updated from an older ownCloud or fresh install:
more than a year ago from v9
Where did you install ownCloud from:
on premise taking the official community edition

The content of config/config.php:

<?php $CONFIG = array ( 'instanceid' => 'ochc97m805z3', 'passwordsalt' => 'NOTPROVIDED', 'secret' => 'NOTPROVIDED', 'trusted_domains' => array ( 0 => '192.168.1.20', 1 => 'NOTPROVIDED' ), 'datadirectory' => '/volume1/Web/owncloud/data', 'overwrite.cli.url' => 'https://192.168.1.20/owncloud', 'dbtype' => 'mysql', 'version' => '10.8.0.4', 'dbname' => 'owncloud', 'dbhost' => 'localhost', 'dbtableprefix' => 'oc_', 'dbuser' => 'NOTPROVIDED', 'dbpassword' => 'NOTPROVIDED', 'logtimezone' => 'UTC', 'installed' => true, 'theme' => '', 'loglevel' => 3, 'log_rotate_size' => false, 'maintenance' => false, 'enable_avatars' => false, 'updater.secret' => 'NOTPROVIDED', 'mail_domain' => 'NOTPROVIDED', 'mail_from_address' => 'NOTPROVIDED', 'mail_smtpmode' => 'smtp', 'mail_smtpauthtype' => 'LOGIN', 'mail_smtphost' => 'ssl0.ovh.net', 'mail_smtpport' => '587', 'mail_smtpauth' => 1, 'mail_smtpname' => 'NOTPROVIDED', 'mail_smtppassword' => 'NOTPROVIDED', ); **List of activated apps:** Contact

I don’t think it’s an ownCloud thing. Otherwise, there would be many similar attacks reported.

Maybe it’s your device?