Owncloud hacked


This post was flagged by the community and is temporarily hidden.


hello forum members,

this is my first post and i am not sure if i did it correct. i just have a short question.

a few months ago my server was offline. when i checked the server i saw that over night
somebody or something had created kind of a new sql db (i believe) which was active and
some how the access to my owncloud mysql DB was blocked. after checking closer i
saw it was just a few files and some new user was created and some permissions changed.

as i run a clone job daily i started the older clon on a other server. then i compared all within
mysql and deleted all the files which where new on the hacked system and reset all the permissions to previous status. then everything was working again. i also cut the connection
of the server to the WAN and closed the router/firewall ports which i had open to access it
from the WAN. means no i just use it in the LAN (it’s only used by me to keep files in sync.
between 3 computers i use).

my question is, was this a so named SQL injection attack and is there a way to save me
from this without having to do a massive effort (i.e update). if yes where this sql commands
submitted thru the login prompt of the ownCloud user login site, and if yes can i just do the
login site inaccessible and i be save or do i misunderstand something thinking like that ?

thank you very much for your help and efforts.

best regards santi



thank you for your reply. as i wrote, this happened some time ago and i rolled back the
clone and the next night the original was overwritten by the “ex” clon as backup, so the
hacked system is not accessible means i can not provide a lot of the details you ask for.

i will try to provide what i can:

os : mac os x mojave
browser : safari (but i only access via oc client (newest))
oc version server : 10.0
external user-backend : no
encryption of data ? : no (or what you mean by encryption? )

let me know if you need more. my main question was to know
if it was a sql injection and if i still risk a injection when cloud is
not reachable with browser, only client.

i modified the index.php by rename it, so the login mask is
not shown even when url still works, just to clarify what i mean
by unreachable with browser.

thank you santi