file IRouter.php changed; hacked? #10719

Closed
ppoetsma opened this issue Aug 16, 2018 · 7 comments

@ppoetsma

ppoetsma commented Aug 16, 2018

Steps to reproduce

n/a

Expected behaviour

Cron job flawless run every 15 minutes.

Actual behaviour

Since Aug 15th 2018, about 14:00 CET, I get this error message, produced by the cron job:

PHP Fatal error: Namespace declaration statement has to be the very first statement or after any declare call in the script in /var/www/clients/client1/web15/web/nextcloud/lib/public/Route/IRouter.php on line 28

Server configuration

Operating system:
Linux MY_HOSTNAME 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux

Web server:
Apache

Database:
MySQL

PHP version:
7

Nextcloud version: (see Nextcloud admin page)
Latest 13.0.5

Updated from an older Nextcloud/ownCloud or fresh install:
Update from 13.0.x

Where did you install Nextcloud from:
Regular download site

Signing status:

Signing status
Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

No errors have been found.

...
Before I add more and more information, this is the case:

  1. 13.0.5 works fine on two sites
  2. one site started reporting error on cron jobs
  3. the file IRouter.php was 17938 on the "wrong" site and 3039 on the still working site
  4. copied from good to bad site
  5. all works fine again

I added the bad IRouter.php file to this issue. What's wrong with it? It has been modified, although the timestamp has not.

IRouter.zip
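
The report above says the file was modified although its timestamp was not. On Linux the modification time (mtime) can be set to anything with utime(2), but the inode change time (ctime) cannot be set through that interface and moves to "now" on every write or utime call, so a file whose ctime is much newer than its mtime has had its timestamp backdated. The following is an added example, not code from this issue or from Nextcloud; the file names and the one-hour skew threshold are arbitrary choices for illustration.

```python
"""Added example (not from the issue or the Nextcloud project): flag files
whose mtime has been backdated, by comparing it with the inode ctime.

Assumption: a POSIX filesystem where st_ctime is the inode change time.
On Windows st_ctime is the creation time and this heuristic does not apply.
"""
import os
import stat
import tempfile
import time


def find_backdated(root, skew_seconds=3600):
    """Return [(path, mtime, ctime)] for regular files under `root` whose
    ctime is more than `skew_seconds` newer than their mtime."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, etc.
                continue
            if st.st_ctime - st.st_mtime > skew_seconds:
                hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def demo():
    """Constructed demonstration: write two files, backdate one of them."""
    with tempfile.TemporaryDirectory() as tmp:
        # hypothetical file names, chosen only to mirror the issue
        clean = os.path.join(tmp, "IRouter.php")
        backdated = os.path.join(tmp, "UpdateHtaccess.php")
        for path in (clean, backdated):
            with open(path, "w") as fh:
                fh.write("<?php\n")
        a_month_ago = time.time() - 30 * 86400
        # utime sets atime and mtime, but the kernel bumps ctime to now
        os.utime(backdated, (a_month_ago, a_month_ago))
        flagged = [os.path.basename(p) for p, _, _ in find_backdated(tmp)]
    return flagged


if __name__ == "__main__":
    print(demo())
```

Run it over the Nextcloud web root on a suspect instance; files that show up are worth diffing against a clean copy of the same release. The check is a heuristic only: an attacker with root, or one who replaces the whole file via an archive extraction that preserves timestamps, can still end up with ctime and mtime close together.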

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #545 (OCR all images without changing image files), #2427 (Statement.php change breaks oc_authtoken insertion), #2743 (Personal Settings - User cannot change language. Missing file.), #6784 (Php error?), and #2373 (htaccess.RewriteBase in config.php is not changing behaviour of nextcloud).

@rullzer
Member

rullzer commented Aug 17, 2018

Can you post that file somewhere?

@kesselb
Contributor

kesselb commented Aug 17, 2018

He did. Just open "signing status".

@ppoetsma
Author

ppoetsma commented Aug 17, 2018

In the meantime I found another modified file: core/Command/Maintenance/UpdateHtaccess.php

How can I run an integrity check on an existing installation? When I upgrade Nextcloud this check is run, how can I run it manually?

[edit] added file

UpdateHtaccess.zip

@j-ed
Contributor

j-ed commented Aug 17, 2018

Check out the following information: Code signing

@ppoetsma
Author

@j-ed thanks, that is what I was looking for

Result is below. The two extra files "origineel-20180816" are copies of the modified files I reported before. The report shows new and modified files. So I am going to redo the install because of undesired activity.

  - INVALID_HASH:
    - 3rdparty/symfony/routing/Exception/MissingMandatoryParametersException.php:
      - expected: 1bf23f896f244ee50df9eea475ce00efb6edf36674d245c1358a0cd508bcad5a8599f0c1a96427e93f3339d7ceb84b9c1ac0b7ea64c8954015e24241c9ca1621
      - current: 8becb598b2914638fa09e6f2ccbc459b808dbd52127c195c3e184110b4015190deff95969c3a54699b7aea909c2e28b0de21566b993e61f4d3db9c4e00fec538
    - 3rdparty/symfony/translation/MessageCatalogue.php:
      - expected: fc764d53b6bb1488b982d1f8cc428dd811f8b53cac8cbe57601abcd83a8e295b8608d821773c404118589f42366af015ae0f85301cd46ab3948fe04452832955
      - current: 089a8f2f515eb1c89afe066ebc84798b9b783de6b0b5321a946f984270375d86aa052124da626603c410516c2b0caf29035b7fc69e80fcfed284b5f54efb8df0
    - lib/private/DatabaseSetupException.php:
      - expected: 9873bbb682fdd720539fcf291b09a5f902f5d8388f393ef8e93f42f5a1a285a1f6c53652e112a76770f0ad62be5931eb5c83a719b975aa1049e1f15114a9c101
      - current: ea0ede65cdcbd0a4afd5ffe95a2d0f74a8c920fddbcca87b092b6a308422a47bd4738a380e90e85af023dd0745994533e5652d1906573051a6d259dc9b1a9fa8
    - lib/public/AutoloadNotAllowedException.php:
      - expected: e7a071361783afebf183caaf99abdb9c1529cb11124878ef2842877ba57c90ef7090988a0586bec6f6615dd54a3809ce20143bfa442a23ef652d52418f4558f9
      - current: b89094ac09835978c3453b01280be0273146375b5bb9ee503af3d98c663170b3f8908dd9a0ac5a9c0e99451becc67b30049f31d343b097a74b69a0e603ceb2fe
  - EXTRA_FILE:
    - 3rdparty/swiftmailer/swiftmailer/azjbftdn.php:
      - expected:
      - current: 29d1935823625a1b260cd05b8efc26a1024eae3f13b9243fdede9a62d88730b6bfeff9c8038e5adada3f7d4a442506780e55bcb2ba2735479b0176f68e219318
    - 3rdparty/guzzle/yxlcgrch.php:
      - expected:
      - current: fb2c19efcf52a036e74c202093af87f62852f51a96c1df484f2ce71b0f6da1a1a7a09cced335dac83379ed891d46519bdfadbc6ffe3cb2f12fbfa8b03e0c487b
    - lib/public/Route/IRouter.php.origineel-20180816:
      - expected:
      - current: 19d850a217282baf96685d4172b15d603ac96e0876c192445337ce26621813b00943d42eedc3f6a2e10b88d5c41fa920762c0cc052733e233283c8a7956ec406
    - core/Command/Maintenance/UpdateHtaccess.php.origineel-20180816:
      - expected:
      - current: a3e9f24cca679f3c5cbbfc7f55af65a3ced941d4458beae33dd7c23c807ecfef7913dff04749f3a3dc0e0b9089d005c9dcd12e53c73ba16a0951125598598ea4
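
The report above comes from Nextcloud's code-signing check: core/signature.json carries a "hashes" map of relative path to SHA-512 hex digest (the 128-character values shown) plus a signature over that map, and each file on disk is hashed and compared. The following is an added example, not the Nextcloud project's own code, showing only the hash-comparison half and the three result classes the report uses (INVALID_HASH, EXTRA_FILE, and FILE_MISSING for signed files that are gone). Verifying the signature against the Nextcloud root certificate is left out, and the list of directories skipped as unsigned (apps, config, data, themes) is an assumption about the real checker. The file contents and paths in demo() are constructed for the test.

```python
"""Added example, not code from the issue or the Nextcloud project: the
hash-comparison half of a Nextcloud-style core integrity check.

Reads the "hashes" map from core/signature.json, hashes every file in the
tree with SHA-512 and reports INVALID_HASH, FILE_MISSING and EXTRA_FILE.
Signature verification is deliberately omitted here.
"""
import hashlib
import json
import os
import tempfile

SIGNATURE_FILE = "core/signature.json"
# Assumed exclusion list: instance-local or separately signed directories.
SKIP_DIRS = ("apps", "config", "data", "themes")


def sha512_hex(path):
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_expected_hashes(root):
    with open(os.path.join(root, *SIGNATURE_FILE.split("/"))) as fh:
        return json.load(fh)["hashes"]


def check_tree(root, expected, skip_dirs=SKIP_DIRS):
    """Return {"INVALID_HASH": {...}, "FILE_MISSING": {...}, "EXTRA_FILE": {...}},
    each keyed by relative path with {"expected": hex, "current": hex} values."""
    report = {"INVALID_HASH": {}, "FILE_MISSING": {}, "EXTRA_FILE": {}}
    seen = set()
    for dirpath, dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            rel_dir = ""
            dirs[:] = [d for d in dirs if d not in skip_dirs]  # prune at top level only
        for name in files:
            rel = "/".join(p for p in (rel_dir, name) if p).replace(os.sep, "/")
            if rel == SIGNATURE_FILE:
                continue
            current = sha512_hex(os.path.join(dirpath, name))
            seen.add(rel)
            if rel not in expected:
                report["EXTRA_FILE"][rel] = {"expected": "", "current": current}
            elif expected[rel] != current:
                report["INVALID_HASH"][rel] = {"expected": expected[rel], "current": current}
    for rel, digest in expected.items():
        if rel not in seen:
            report["FILE_MISSING"][rel] = {"expected": digest, "current": ""}
    return report


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed tree: one clean file, one file with content prepended before
    its namespace line (the shape behind the fatal error quoted in the issue),
    one signed file that is missing, and one unsigned file dropped in."""
    bodies = {
        "lib/public/Route/IRouter.php": b"<?php\nnamespace OCP\\Route;\ninterface IRouter {}\n",
        "lib/private/DatabaseSetupException.php": b"<?php\nnamespace OC;\nclass DatabaseSetupException {}\n",
        "core/Command/Maintenance/UpdateHtaccess.php": b"<?php\nnamespace OC\\Core\\Command\\Maintenance;\n",
    }
    with tempfile.TemporaryDirectory() as root:
        hashes = {rel: hashlib.sha512(body).hexdigest() for rel, body in bodies.items()}
        _write(root, SIGNATURE_FILE,
               json.dumps({"hashes": hashes, "signature": "", "certificate": ""}).encode())
        _write(root, "lib/public/Route/IRouter.php", bodies["lib/public/Route/IRouter.php"])
        _write(root, "lib/private/DatabaseSetupException.php",
               b"<?php /* prepended stub */ ?>\n" + bodies["lib/private/DatabaseSetupException.php"])
        # UpdateHtaccess.php is deliberately not written -> FILE_MISSING
        _write(root, "3rdparty/guzzle/yxlcgrch.php", b"<?php\n// unsigned file\n")
        report = check_tree(root, load_expected_hashes(root))
    return {kind: sorted(entries) for kind, entries in report.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a live instance the documented way to get the same report is the occ command run as the web-server user, for example `sudo -u www-data php occ integrity:check-core`, which also checks the signature; the hash comparison alone, as above, is still useful for diffing a suspect copy offline against a known-good signature.json. Note that a clean hash report only covers the signed tree: files under data/, config/ or a co-hosted CMS are outside it, which is exactly where the rest of this thread ends up.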

@ppoetsma
Author

I think they came in via the CMS ModX or Nextcloud. Both are infected. This is what I found:

//Galerz Xh33l Backdoor
//Redesign By x48 a.k.a UstadCage_48

I will close this issue as this is not a Nextcloud issue.
