Pierluigi Paganini May 27, 2019

Security researchers are monitoring a new hacking campaign aimed at Joomla and WordPress websites, attackers used .htaccess injector for malicious redirect.

Researchers at Sucuri are warning Joomla and WordPress websites admins of malicious hypertext access (.htaccess) injector found on a client website. The website was used by attackers to redirect traffic to advertising sites that attempted to deliver malware.

“During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website. ” reads the report.

.htaccess files are configuration files for web servers running the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features. The features include the redirect functionality, content password protection or image hot link prevention.

Sucuri spotted threat actors abusing the URL redirect function of the .htaccess file to redirect visitors of compromised websites to phishing sites, sites delivering malware, or simply to generate impressions.

At the time is not clear how attackers gain access to the Joomla and WordPress websites, we only know that they inject the malicious code onto some of the website’s index.php files.

“Below is the code within the ./modules/mod_widgetread_twitt/ index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files:“

“This code is searching for an .htaccess file. If found, this code will place malicious redirects in the file immediately after “# BEGIN WORDPRESS”.” continues the report.

A warning message from endpoint antivirus software when users try to visit malicious site redirected by Joomla and WordPress sites.

This .php code also searches for more files and folders, trying to search nested folders.

It’s not uncommon to see hackers targeting websites through .htacccess file, including, in October 2018 a security researcher discovered a zero-day vulnerability, tracked as CVE-2018-9206, in older versions of the jQuery File Upload plugin since 2010. Attackers exploited the issue to carry out several malicious activities, including defacement, exfiltration, and malware infection.

alled jQuery File Upload placed 7,800 different software applications at potential risk for compromise and remote code-execution.

The root cause of the problem is that Apache disabled support for .htaccess in version 2.3.9 to improve performance (the server doesn’t have to check for this file every time it accesses a director) and to prevent users from overriding security features that were configured on the server.

The side effect is that the technical choice left some developers and their projects open to attacks.

“While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, send unsuspecting site visitors to phishing sites, or other malicious web pages.” concludes Sucuri.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – .htaccess, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]