👤 CRYSTALPROXY
🗓️ 05 Feb 2026   🌍 Asia

NGINX Under Siege: Cybercriminals Hijack Web Servers to Funnel Users Into Scam Traps

A stealthy, multi-stage attack campaign is secretly rewriting web traffic rules to redirect visitors from legitimate sites to malicious destinations.

On a quiet morning, an unsuspecting website owner pours coffee and checks their visitor stats - unaware that, behind the scenes, their server has become a silent accomplice in a global cybercrime operation. In a sophisticated campaign echoing the notorious “React2Shell” attacks, hackers are now targeting NGINX servers with surgical precision, rewriting the very rules that govern online traffic. The result: thousands of web visitors are discreetly whisked away from trusted sites and delivered straight into the hands of scammers, gamblers, and malware peddlers.

Fast Facts

  • Attackers are exploiting NGINX servers managed via the Baota (BT) panel, a popular web server management tool.
  • The campaign covertly alters server configuration files, hijacking web traffic with malicious proxy directives.
  • A five-stage toolkit automates infection, adapts to different environments, and reports successful hijacks back to attackers.
  • Victims include websites in India and Indonesia, with attackers focusing on domains ending in .in and .id.
  • Security experts urge admins to review NGINX config files for suspicious proxy_pass entries.

Inside the NGINX Hijack: Anatomy of a Server Takeover

NGINX is the digital traffic cop for millions of websites, deciding which requests go where. But in this new wave of attacks, cybercriminals are rewriting the rules - literally. Their weapon: a suite of malicious scripts, each with a specialized role in the infection chain.

It begins when attackers breach a server, often one managed with the Baota panel. The initial script, dubbed zx.sh, acts as the stager, downloading and executing the remaining payloads. Next, bt.sh locates the configuration files that Baota writes for each site and injects proxy rules that silently intercept matching web requests and reroute them. For servers that are not running Baota, 4zdh.sh handles standard Linux NGINX layouts and is written with error-checking so that a failed injection does not crash the server and tip off the administrator.

The campaign shows particular aggression in containerized environments and in websites with Indian or Indonesian domains, deploying zdh.sh to forcefully restart servers if needed. The final act is ok.sh, a reporting tool that catalogs hijacked domains and sends intelligence back to the attackers’ control center.

What makes this campaign especially dangerous is its stealth. The injected rule is a proxy_pass directive, so the hijack happens server-side: for requests that match the injected location block, NGINX fetches the response from the attackers' host (or relays whatever redirect that host returns) and serves it under the legitimate domain. None of the site's own files change, so the owner sees no trace of the hijack unless they know exactly where to look: in the NGINX configuration itself.

Security researchers at Datadog Security Labs warn that the most direct defense is vigilance: regular inspection of every NGINX location block, including those in included per-site configuration files, for proxy_pass targets the administrator does not recognise. Because the infection is fully scripted, a single overlooked location block can turn a trusted website into a weapon against its own visitors.
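The check described above, inspecting every location block for a proxy_pass that forwards traffic somewhere other than the server's own backends, can be automated. The script below is an added example written for this article; it is not tooling from Datadog Security Labs, from the Baota project, or from the campaign's scripts. It parses NGINX configuration text with a small tokenizer (quoted words are kept whole, but backslash escapes inside quotes are not handled), collects the names of declared upstream blocks, and reports any proxy_pass whose host is not loopback, a declared upstream, a Unix socket, or an explicitly allowed host. The sample configuration and the 203.0.113.10 address (a documentation range standing in for an attacker host) are constructed for the example.

```python
"""Audit NGINX configuration text for proxy_pass directives that forward
requests to hosts outside the server's own backends.  Added example; not
code from the article, Datadog, Baota, or the campaign it describes."""
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample: a normal site plus one injected location block whose
# proxy_pass forwards matching requests to an off-box host (203.0.113.10 is a
# documentation address used here as a stand-in for an attacker-controlled one).
SAMPLE_CONF = """
upstream app { server 127.0.0.1:9000; }
server {
    listen 80;
    server_name example.in;
    location / { root /www/wwwroot/example.in; index index.html; }
    location /api/ { proxy_pass http://app; }
    location ~* ^/(news|promo) {
        proxy_set_header Host $host;
        proxy_pass http://203.0.113.10:8080;
    }
}
"""

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def tokenize(text):
    """Split config text into words, '{', '}' and ';'.  Comments are dropped
    and quoted words kept whole (escapes inside quotes are not handled)."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                       # comment runs to end of line
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":
            j = text.find(c, i + 1)
            if j < 0:
                raise ValueError("unterminated quoted string")
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(tokens):
    """Return a tree of (name, args, children); children is None for simple
    directives and a list for block directives such as server or location."""
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            name, args = tokens[pos], []
            pos += 1
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                args.append(tokens[pos])
                pos += 1
            if pos >= len(tokens):
                raise ValueError(f"unterminated directive {name!r}")
            pos += 1                         # consume ';' or '{'
            if tokens[pos - 1] == ";":
                items.append((name, args, None))
            else:
                items.append((name, args, block()))
                pos += 1                     # consume closing '}'
        return items

    return block()


def walk(items, path=()):
    """Yield (enclosing block headers, name, args) for every directive."""
    for name, args, children in items:
        yield path, name, args
        if children is not None:
            yield from walk(children, path + (" ".join([name, *args]),))


def target_host(target):
    """Host a proxy_pass target points at; 'unix' for socket targets."""
    if "unix:" in target:
        return "unix"
    return (urlsplit(target).hostname or target).lower()


def audit(conf_text, allowed_hosts=()):
    """One finding per proxy_pass whose target is not loopback, a declared
    upstream, a Unix socket, or an explicitly allowed host."""
    tree = parse(tokenize(conf_text))
    upstreams = {a[0].lower() for _, n, a in walk(tree) if n == "upstream" and a}
    allowed = LOCAL_HOSTS | upstreams | {h.lower() for h in allowed_hosts}
    findings = []
    for path, name, args in walk(tree):
        if name != "proxy_pass" or not args:
            continue
        target = args[0]
        if "$" in target:                    # variable targets need a human look
            reason = "target is built from a variable; verify it cannot be attacker-influenced"
        elif target_host(target) == "unix" or target_host(target) in allowed:
            continue
        else:
            reason = "forwards matching requests to a host outside the allowlist"
        location = next((p for p in reversed(path) if p.startswith("location ")),
                        "(outside any location block)")
        findings.append({"location": location, "target": target, "reason": reason})
    return findings


if __name__ == "__main__":
    for path in sys.argv[1:] or ["<constructed sample>"]:
        text = SAMPLE_CONF if path.startswith("<") else Path(path).read_text()
        for f in audit(text):
            print(f"{path}: {f['location']}: proxy_pass {f['target']} ({f['reason']})")
```

Run it with no arguments to see the constructed sample flagged, or pass the main nginx.conf and every per-site file it includes; the script does not follow include directives itself, so each included vhost file must be passed explicitly. Hosts that legitimately sit off-box (a separate application tier, for example) go in allowed_hosts so that only unexpected targets remain.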

Conclusion

This campaign is a stark reminder that the battle for the web’s soul is often waged in the shadows of configuration files. For every flashy ransomware headline, there are quieter threats - like these NGINX hijacks - that quietly undermine trust and safety online. As attackers grow more sophisticated, so too must our vigilance. The next time you visit a familiar website, consider: is it really who it claims to be?

WIKICROOK

  • NGINX: NGINX is an open-source web server and reverse proxy that efficiently manages, routes, and balances network traffic for websites and applications.
  • Baota (BT) Panel: Baota (BT) Panel is a web-based Linux server management tool offering easy website, database, and security administration through a graphical interface.
  • proxy_pass: proxy_pass is an NGINX directive, used inside a location block, that forwards the matching client requests to another server or backend and returns its response, which is how NGINX acts as a reverse proxy or load balancer.
  • Command and Control (C2) server: A Command and Control (C2) server remotely manages malware-infected devices, sending instructions and receiving stolen data from compromised systems.
  • Containerized environment: A containerized environment runs applications in isolated containers, giving consistent, reproducible deployments and easier scaling, especially in cloud and DevOps settings.

CRYSTALPROXY
Secure Routing Analyst