Nextcloud ransomware spotted

FYI I read this on diaspora:

We’ve been looking into the reports on the forum and source of the virus. We are confident that the attack vector was the nginx+php-fpm security issue that hit the web some time ago.

While it was not an issue in Nextcloud itself, we informed our users through all channels we had available, including a direct notification to Nextcloud servers. This likely explains why so few servers were impacted out of the hundreds of thousands of Nextcloud servers on the web.

Nextcloud’s recommendation for administrators is to upgrade their PHP packages and NGINX configuration file to the latest version.

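What the quoted recommendation to "upgrade your PHP packages and NGINX configuration" comes down to in practice, as an added example that is not code from the thread, from Nextcloud or from nginx: the issue (CVE-2019-11043) is reachable when nginx passes a `PATH_INFO` derived from `fastcgi_split_path_info` to php-fpm without first checking that the requested script exists, and the configuration-side fix is `try_files $fastcgi_script_name =404;` in the same PHP location block (the PHP-side fix shipped in 7.3.11, 7.2.24 and 7.1.33). The script below writes two constructed sample configs, one with the unguarded pattern and one with the guard, and scans them with a heuristic awk pass; the function names, the sample configs and the `php-handler` upstream name are my own. It flags blocks to review, does not follow `include` directives, and says nothing about whether php-fpm itself is patched.

```shell
#!/bin/sh
# Added example (not from the thread, Nextcloud or nginx): flag nginx location
# blocks that feed fastcgi_split_path_info / PATH_INFO to php-fpm without a
# "try_files ... =404" guard in the same block, i.e. the CVE-2019-11043 pattern.

# Print "unguarded: <location header>" for each such block in the given file.
# Exit status 1 if any block was flagged, 0 if the file looks clean.
scan_nginx_conf() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                    # drop comments before matching
        # A "location ... {" line opens a block; remember the brace depth it
        # was opened at so we can tell when its matching "}" closes it.
        if (line ~ /location[[:space:]].*\{/) {
            top++
            hdr[top]      = line
            body[top]     = ""
            depth_at[top] = depth + 1
        }
        if (top > 0) body[top] = body[top] "\n" line
        n_open  = gsub(/\{/, "{", line)
        n_close = gsub(/\}/, "}", line)
        depth  += n_open
        depth  -= n_close
        # Innermost open location block just closed: evaluate it and pop.
        if (top > 0 && depth < depth_at[top]) {
            if (body[top] ~ /fastcgi_split_path_info/ &&
                body[top] !~ /try_files[^;]*=404/) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", hdr[top])
                print "unguarded: " hdr[top]
                found = 1
            }
            top--
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed samples (not a real site config): the unguarded PHP block, then
# the same block with the try_files guard that makes nginx refuse requests whose
# script part does not resolve to an existing file.
write_samples() {
    cat > "$1" <<'EOF'
server {
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
}
EOF
    cat > "$2" <<'EOF'
server {
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;   # the guard
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
}
EOF
}

# Demonstration on the two samples; on a real server run
# scan_nginx_conf on each file under /etc/nginx instead.
demo_vuln=$(mktemp)
demo_fixed=$(mktemp)
write_samples "$demo_vuln" "$demo_fixed"
echo "== unguarded sample =="
scan_nginx_conf "$demo_vuln" || echo "(flagged, review this block)"
echo "== guarded sample =="
scan_nginx_conf "$demo_fixed" && echo "(clean)"
rm -f "$demo_vuln" "$demo_fixed"
```

The guard works because `try_files` makes nginx resolve `$fastcgi_script_name` against the document root before the request ever reaches php-fpm, so a crafted path that does not name a real `.php` file gets a 404 from nginx rather than an environment php-fpm has to parse. Treat a clean scan as one input to the review, not as proof: the authoritative fix is the upgraded PHP package.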

Fortunately, as far as anyone can determine, this appears to be tied to using nginx as the web server, which Neth doesn’t do (nor does my FreeNAS script, but that’s a separate issue).

But the exploits rely on the PHP remote code execution vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2019-11043
and NGINX has been used as a bridge to deliver the code. (By the way, nginx and Varnish as reverse proxies are quite interesting tools if the web server has plenty of users.)

Regardless of the specific case: maybe the ransomware app can prevent something in the future.

@stephdl
I have also considered whether the list of suspect files/file extensions can be added to Clamscan to provide additional protection beyond Nextcloud.

Maybe here?

Or in Email > Filter > Advanced
