Owncloud installation on server hacked


#1

Hi

Long time no problems and a smooth working Owncloud installation.
Thanks for that!

But today I got an email from our server provider that our Owncloud installation on the server is hacked. So, the server provider has blocked our Owncloud installation on that server.
There are 19 people who use that Owncloud installation daily and are connected through it.

What are the steps that Owncloud administrators take when their Owncloud installation is hacked?

Info about the hack:

www-data 4513 93.8 0.2 589280 65816 ? R sep27 63437:01 /usr/sbin/apache2 -k start

****@:/tmp# lsof -p 4513
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 4513 www-data cwd DIR 8,2 4096 151260060 /var/www/htdocs/***/public/owncloud
apache2 4513 www-data rtd DIR 8,2 4096 2 /
apache2 4513 www-data txt REG 8,2 666552 58852395 /usr/sbin/apache2


#2

I’m not a sysadmin, but I’m not sure this shows enough information for anyone to come to any conclusions for you. How did they identify the server was hacked? The Apache server is necessary to run your ownCloud installation. You bolded the entry that basically states your Apache server is running properly and serving. I’m actually surprised there weren’t more open files noted.