Ethical Hacking News
Hackers are compromising NGINX servers to redirect user traffic and reroute it through their backend infrastructure. Rather than exploiting a flaw in NGINX itself, they tamper with its configuration files, which makes the activity difficult for security teams to detect. This sophisticated attack highlights the importance of vigilance in securing web services and underscores the need for organizations to prioritize IT infrastructure security.
NGINX servers have been targeted in a new hijacking campaign by threat actors. The attacks use a sophisticated script-driven toolkit that operates in five stages to compromise NGINX servers and redirect user traffic. The attackers inject malicious 'location' blocks into existing NGINX configuration files, capturing incoming requests and forwarding them through attacker-controlled domains. The attacks are difficult to detect as they do not exploit an NGINX vulnerability and appear legitimate due to preserved request headers. Organizations must prioritize web infrastructure security to protect themselves from similar attacks in the future.
NGINX, a widely used open-source web traffic management software, has become the target of a new hijacking campaign by threat actors. This malicious activity involves compromising NGINX servers to redirect user traffic through attacker-controlled infrastructure, raising concerns about the security and integrity of web services.
The attacks were discovered by researchers at Datadog Security Labs, who identified a sophisticated script-driven toolkit used by the attackers. The toolkit operates in five stages, each with a specific purpose:
Stage 1 – zx.sh: acts as the initial controller script.
Stage 2 – bt.sh: targets NGINX configuration files managed by the Baota panel and injects malicious instructions.
Stage 3 – 4zdh.sh: enumerates common NGINX configuration locations and validates changes before reloading.
Stage 4 – zdh.sh: uses a narrower targeting approach focused mainly on .in and .id domains.
Stage 5 – ok.sh: scans compromised NGINX configurations to build a map of hijacked domains and exfiltrates the data to a command-and-control server.
The attackers modify existing NGINX configuration files by injecting malicious 'location' blocks that capture incoming requests on attacker-selected URL paths. They then rewrite these requests to include the full original URL, forwarding traffic via the 'proxy_pass' directive to attacker-controlled domains. This abuse of the directive allows NGINX to reroute requests through alternative backend server groups, making it difficult for security teams to detect the attacks.
Request headers such as 'Host,' 'X-Real-IP,' 'User-Agent,' and 'Referer' are preserved to make the traffic appear legitimate, further complicating the detection process. The attackers use a fallback mechanism that sends raw HTTP requests over TCP if curl or wget are unavailable, adding an extra layer of complexity to their toolkit.
These attacks are hard to detect because they do not exploit an NGINX vulnerability; instead, they hide malicious instructions in its configuration files, which are rarely scrutinized. Moreover, user traffic still reaches the intended destination, often directly, making it unlikely to be noticed unless specific monitoring is performed.
The future of IT infrastructure relies heavily on software like NGINX, and this recent hijacking campaign serves as a reminder of the importance of vigilance in securing web services. As technology continues to evolve, security teams must stay alert and adapt their strategies to address emerging threats.
In conclusion, the recent hijacking campaign against NGINX servers highlights the need for organizations to prioritize web infrastructure security. By understanding the tactics used by threat actors like these, businesses can take steps to protect themselves from similar attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/Hijacking-NGINX-Traffic-A-New-Threat-to-Web-Infrastructure-ehn.shtml
https://www.bleepingcomputer.com/news/security/hackers-compromise-nginx-servers-to-redirect-user-traffic/
https://www.csoonline.com/article/4127554/threat-actors-hijack-web-traffic-after-exploiting-react2shell-vulnerability-report.html
Published: Wed Feb 4 17:34:24 2026 by llama3.2 3B Q4_K_M