Urgent: Nextcry ransomware

A recently discovered bug, CVE-2019-11043, opens the door for a newly identified ransomware named Nextcry. If you configured your Nextcloud to run behind nginx as reverse proxy (I'm doing that and will still do that) you could be affected. Update php-fpm NOW.

Mitigation

On this Nextcloud page you find instructions on how to mitigate the issue. I post them here as a personal mirror.

You need two changes in your `nginx.conf`:

location / {
    rewrite ^ /index.php$request_uri;
}

Becomes

location / {
    rewrite ^ /index.php;
}

And

location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    # $path_info must be defined before it is passed on below
    set $path_info $fastcgi_path_info;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    # Enable pretty urls
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

Becomes (add `try_files $fastcgi_script_name =404;`, so that nginx answers 404 instead of handing a non-existent script name to php-fpm)

location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    # try_files resets $fastcgi_path_info, so capture it first
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    # Enable pretty urls
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}
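
To check that both changes actually landed in a config, here is a small audit script I added for this post (my own code, not from the Nextcloud page or the nginx project). It walks the `location` blocks of an nginx config, flags a `rewrite` that still forwards `$request_uri` to `index.php`, and flags any block with `fastcgi_pass` that lacks the `try_files` guard (or has it without the `set $path_info` capture). The two config samples are constructed from the blocks above; the comment stripping at `#` is a simplification that assumes no `#` inside location regexes.

```python
import re

# Constructed sample: the two blocks from this post in their vulnerable shape.
VULNERABLE_CONF = r"""
server {
    location / {
        rewrite ^ /index.php$request_uri;
    }
    location ~ ^\/(?:index|remote|public|cron)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        include fastcgi_params;
        fastcgi_pass php-handler;
    }
}
"""
# Constructed sample: the same blocks with the mitigation applied.
FIXED_CONF = VULNERABLE_CONF.replace(
    "rewrite ^ /index.php$request_uri;", "rewrite ^ /index.php;"
).replace("include fastcgi_params;", "set $path_info $fastcgi_path_info;\n"
          "try_files $fastcgi_script_name =404;\ninclude fastcgi_params;")

def _blocks(conf):
    """(header, directives) per block, innermost only; comments cut at '#',
    which is fine for Nextcloud's stock config (no '#' in its regexes)."""
    found, stack = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append((line[:-1].strip(), []))
        elif line == "}":
            found.append(stack.pop())
        elif stack:
            stack[-1][1].append(re.sub(r"\s+", " ", line))
    return found

def audit_nginx_conf(conf):
    """Flag the two weaknesses this post's nginx changes address."""
    findings = []
    for header, directives in _blocks(conf):
        if "rewrite ^ /index.php$request_uri;" in directives:
            findings.append(f"{header}: rewrite forwards $request_uri to index.php; use 'rewrite ^ /index.php;'")
        if any(d.startswith("fastcgi_pass ") for d in directives):
            if "try_files $fastcgi_script_name =404;" not in directives:
                findings.append(f"{header}: PHP handler lacks 'try_files $fastcgi_script_name =404;'")
            elif "set $path_info $fastcgi_path_info;" not in directives:
                findings.append(f"{header}: try_files resets $fastcgi_path_info; add 'set $path_info $fastcgi_path_info;' before it")
    return findings
```

Run `audit_nginx_conf(open("/etc/nginx/nginx.conf").read())` on your own file; an empty list means both changes are in place.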

Backups!

And a kind reminder that the only viable protection against ransomware is regular offline backups on separate media. I still burn my backups to Blu-ray, as this is the only fool-proof way of protecting your data against software threats like ransomware or stupid user errors (Doh!).