Recently, a security researcher found that sites running on Joomla and WordPress were being redirected to malicious websites.
Recently, security analysts have uncovered a surprising security threat that targets Joomla and WordPress, two of the most popular and widely used CMS platforms. Joomla- and WordPress-based websites were targeted by a new .htaccess code injector and redirector script. Millions of websites throughout the world use at least one of these Content Management Systems (CMS) to create, edit and publish content.
The new security threat apparently redirects unsuspecting website visitors to authentic-looking but highly malicious websites. Once it has successfully redirected a visitor, the security threat then attempts to send infected code and software to the target computer. Eugene Wozniak, a security researcher with Sucuri, detailed the malicious security threat that he had uncovered on a client’s website.
According to the security analysts, the malicious code was abusing the URL redirect function of the .htaccess file: “While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, and to send unsuspecting site visitors to phishing sites or other malicious web pages.”
This code injection technique is possibly used to carry out phishing campaigns by exploiting redirects.
Joomla and WordPress websites very commonly use .htaccess files to make configuration changes at the directory level of a web server. This makes the file a critical component of the website: it holds core configuration for the host site, including website access, URL redirects, URL shortening, and access control.
The newly discovered .htaccess injector security threat does not attempt to cripple the host or the visitor. Instead, the impacted website constantly attempts to redirect website traffic to advertising websites. While this may not sound highly damaging, the injector script also attempts to install malicious software. The second part of the attack, when coupled with legitimate-looking websites, can severely impact the credibility of the host. Upon successful code injection, another long piece of PHP code is executed, which searches extensively through all the source files and folders.
According to researchers from Sucuri, the injection spreads all over the site and affects all related .htaccess files. It then redirects users to a malicious advertisement site http[:]//portal-f[.]pw/XcTyTp. The .htaccess file is a configuration file which is used on web servers running the Apache Web Server software.
To stay safe from this, website owners who use Joomla and WordPress are advised to check for code injections and malicious redirects in their pages.
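One way to run the check recommended above is to walk the web root and list every .htaccess redirect that points at a host you do not own. This is an added example, not code from Sucuri or from the original article; the function names, the allowlist and the example.com / example.net hosts are assumptions made for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Apache directives that can send a visitor to another URL.
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent",
                       "redirecttemp", "rewriterule", "errordocument"}
URL_RE = re.compile(r"https?://[^\s\"'\[\]]+", re.IGNORECASE)

def external_redirects(text, allowed_hosts):
    """Return (line_no, directive, host) for redirects to hosts not allowed."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or parts[0].lower() not in REDIRECT_DIRECTIVES:
            continue  # blank, comment, or a directive that cannot redirect
        for url in URL_RE.findall(raw):
            host = (urlparse(url).hostname or "").lower()
            # "%{" marks a server variable such as %{HTTP_HOST}: a self-redirect
            if host and "%{" not in host and host not in allowed_hosts:
                findings.append((line_no, parts[0].lower(), host))
    return findings

def scan_tree(root, allowed_hosts):
    """Map every .htaccess under root to its external-redirect findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = external_redirects(fh.read(), allowed_hosts)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

# Constructed sample files, not taken from the incident described above.
CLEAN = "RewriteEngine On\nRewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]\n"
INJECTED = "RewriteEngine On\nRewriteRule ^(.*)$ http://ads.example.net/landing [R=302,L]\n"

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for rel, body in ((".htaccess", CLEAN), ("images/.htaccess", INJECTED)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, allowed_hosts={"www.example.com"})

if __name__ == "__main__":
    print(demo())
```

The scan only covers redirect directives with a literal URL, so a finding is a lead for manual review and an empty report does not prove the site is clean.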
The primary method to protect against the attack is to stop using .htaccess files altogether. In fact, default support for .htaccess files was eliminated starting with Apache 2.3.9. But several website owners still choose to enable it.