Cyber-security researchers are warning owners of Joomla and WordPress websites about a malicious redirect script that is pushing visitors to malicious websites and exposing them to various kinds of malware.
A renowned cyber-security researcher published a report outlining a rogue hypertext access (.htaccess) injector found on a client's website. He reported that the affected site was redirecting its traffic to advertising sites that attempted to install malicious software.
Both Joomla and WordPress sites use .htaccess files to make configuration changes at the directory level of a web server.
The file is used to configure a host of web page options, ranging from website access and URL redirects to URL shortening and access control. It's unclear how attackers gained access to the Joomla and WordPress websites. However, once inside, the hackers are able to plant code into some of the website's index.php files. The index.php files are used to deliver Joomla and WordPress web pages and determine the content, styling and special underlying instructions that the web pages should contain.
Those .htaccess files have long been targets of hackers. While .htaccess rules can be used to mitigate website threats, such as blocking spam bots and denying access to PHP backdoors, they have also just as easily been leveraged for nefarious purposes.
The .htaccess file has been implicated in a number of different attacks, including, most recently, an assault that occurred in October. That's when a plugin called jQuery File Upload placed 7,800 different software applications at potential risk of compromise and remote code execution.
Default support for .htaccess files was eliminated starting with Apache 2.3.9 (though users can choose to enable it), leaving unprotected any code that used the feature to impose restrictions on folder access.
What's truly concerning is the ease with which the hackers compromise the Joomla and WordPress websites. While the security of these platforms is quite robust, once inside, the attackers can rather easily plant the malicious code into the primary target's index.php files.
The index.php files are critical because they are responsible for delivering the Joomla and WordPress web pages, including the content, styling and special underlying instructions. Essentially, they are the primary set of instructions that determines what to deliver and how to deliver whatever the website is offering.
After gaining access, the hackers can securely plant the modified index.php files. Thereafter, the attackers are able to inject the malicious redirects into the .htaccess files. The .htaccess injector threat runs code that keeps searching for the website's .htaccess file. After locating it and injecting the malicious redirect script, the threat then deepens its search and attempts to find more files and folders to attack.
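Because the injector walks the directory tree looking for .htaccess files, a defender can walk the same tree looking for its footprint: redirect directives whose target is an absolute URL on a host the site does not own. The following scanner is an added example, not code from the report or from either CMS; the allow-list of own hosts, the sample rule sets and the `ads.invalid` placeholder host are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Directives that can send a visitor elsewhere (mod_rewrite and mod_alias).
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(.*)$", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

def external_redirects(text, own_hosts):
    """Return (line_no, line) for every redirect directive whose target is an
    absolute URL on a host outside own_hosts (an assumed allow-list)."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REDIRECT_RE.match(line)
        if not m:
            continue
        for url in URL_RE.findall(m.group(2)):
            host = (urlparse(url).hostname or "").lower()
            if host not in own_hosts:
                hits.append((no, line.strip()))
                break
    return hits

def scan_tree(webroot, own_hosts):
    """Walk webroot, as the injector does, and report every .htaccess whose
    rules redirect off-site. Returns {path: [(line_no, line), ...]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = external_redirects(fh.read(), own_hosts)
            if hits:
                findings[path] = hits
    return findings

# Constructed samples: a legitimate on-site rule set, and the same set with an
# injected rule that sends visitors off-site (the kind of rule to hunt for).
CLEAN = ("RewriteEngine On\n"
         "RewriteRule ^old/(.*)$ https://www.example.com/new/$1 [R=301,L]\n")
INJECTED = CLEAN + "RewriteRule .* http://ads.invalid/go [R,L]\n"

def demo():
    """Build a throwaway web root with both files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write(CLEAN)
        with open(os.path.join(root, "images", ".htaccess"), "w") as fh:
            fh.write(INJECTED)
        found = scan_tree(root, {"www.example.com"})
        return {os.path.relpath(p, root): h for p, h in found.items()}
```

Run against a real web root, the output is a list of files to inspect by hand; a hit is a starting point for review, not proof of compromise, since legitimate rules may also redirect to partner domains.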
The primary method of protecting against the attack is to drop the use of .htaccess files altogether. In fact, default support for .htaccess files was eliminated starting with Apache 2.3.9, but many website owners still choose to enable it.