All files under /var/opt/gitlab/git-data/repositories/ are deleted after reboot

Hi, all
I was shocked today by finding out that all the files under the folder /var/opt/gitlab/git-data/repositories are deleted. This happened today, and I am not sure if it had to do with me rebooting the system. I’ve googled the entire day to try to find the cause/solution and failed.

My gitlab server is publicly accessible and is protected by ssl encryption. Is it possible that it is hacked ?

Does anyone have similar experience, and can help ?

Thank you.

Hi, what version of Gitlab do you have? The reason being there were RCE vulnerabilities in older versions, some 13.x versions also infected and much older versions as well. This post could help explain in more detail: CVE-2021-22205: How to determine if a self-managed instance has been impacted

Hi, iwalker

Thanks for the information. I’ve taken down the server since yesterday, and won’t have the access to it until later tonight. I believe my gitlab version is really old, and this RCE might be the cause of this incident. I’ll follow the link you provided and verify this.

I have some personal information on the gitlab server as well. Who should I report to on this incident for I believe this is a criminal activity. Is the hacker just randomly searching the internet for any gitlab server with RCE, or is the hacker one of the registered users on my gitlab server ? Can the hacker access other part/software of the server ?

This is horrible.


Yep, this is why updates should be done regularly to a server, especially when it’s available on the internet.

Due to the RCE, he could have created an account on your server and gained admin privileges, hence why all your repositories were deleted. Therefore you need to be restoring your server from a backup to get everything back to what it was before it was infected, and then upgrade your server. You will need to go through your entire user list and make sure that there are not any dodgy users registered - just make sure you don’t delete the gitlab-created users as these will break your install - they are needed for Gitlab to function, eg: ghost user.

The RCE explains what is possible, and what could have happened and what they could have gotten access to.