Web Traffic Under Siege: Inside the NGINX Server Redirection Scandal
Subtitle: A stealthy campaign is hijacking legitimate web traffic on NGINX servers, secretly rerouting users to malicious sites.
When you type in your favorite website, you expect to land exactly where you intended. But what if, behind the scenes, your web request is quietly detoured, sending you into the jaws of a phishing scam or a digital gambling den - while the real site remains blissfully unaware? That’s the chilling reality uncovered by security researchers, as a new wave of cyberattacks targets NGINX servers across the globe.
The Anatomy of a Silent Heist
Security experts at Datadog Security Labs have traced a sophisticated hacking campaign that quietly manipulates the heart of web traffic routing: the NGINX configuration files. By injecting rogue proxy_pass rules into location blocks, attackers orchestrate a seamless redirection of visitors to websites under their control. The affected servers often run the Baota (BT) control panel - a popular web hosting manager in Asia - making them especially vulnerable.
The operation is methodical, leveraging a five-stage chain of shell scripts:
- Stage 1 drops an orchestrator script to establish communication and pull further payloads, even evading blocked download utilities.
- Stage 2 targets Baota-managed environments, injecting malicious rules tailored to specific domains and quietly reloading NGINX to avoid detection.
- Stage 3 broadens the attack to general Linux systems, ensuring syntax validity before restarting services.
- Stage 4 is more aggressive, focusing on containerized deployments and regional domains, with forced restarts if needed.
- Stage 5 completes the loop by reporting hijacked domains back to the attackers’ command center.
The damage? Users think they’re browsing legitimate sites but are funneled to phishing pages, scam operations, or illegal gambling portals. The compromised websites themselves rarely show obvious symptoms, allowing the attackers to persist and profit unchecked. Beyond redirection, the attackers have the potential to inject malicious ads, steal login credentials, or harvest private browsing data.
Who’s at Risk - and How to Fight Back
The campaign’s stealth and adaptability put a wide array of services in danger, especially e-commerce, VPN, and remote access providers relying on the integrity of web routing. Security professionals urge administrators to routinely audit their NGINX configuration files, paying special attention to unexpected proxy_pass directives in location blocks. Implementing strict file integrity monitoring, limiting the exposure of administrative panels, and keeping software patched are critical steps in defending against these silent takeovers.
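One way to carry out the audit described above, as an added example that is not part of the original article or of Datadog's research: a small Python scanner that walks an NGINX config, records every proxy_pass inside a location block, and flags targets that are neither local nor a named upstream declared in the same file. The sample config, the hostnames and the allow-list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample config for this example (not taken from a real server):
# one legitimate local upstream and one injected off-host proxy_pass rule.
SAMPLE_CONF = """
upstream app_backend { server 127.0.0.1:8080; }
server {
    listen 80;
    server_name shop.example.com;
    location / { proxy_pass http://app_backend; }
    # injected rule: only some paths are rerouted, so the site still "works"
    location ~* ^/(login|pay) { proxy_pass http://redirect.invalid; }
}
"""

# Tokens: comments, quoted strings, block/statement delimiters, bare words.
_TOKEN_RE = re.compile(r"""#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"'#]+""")

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1", "unix"}

def audit_proxy_pass(conf_text, allowed_hosts=frozenset()):
    """Return [(location_spec, target), ...] for every proxy_pass inside a
    location block whose host is not local, not a named upstream declared in
    this config, and not in allowed_hosts (hosts you expect to proxy to)."""
    tokens = [t for t in _TOKEN_RE.findall(conf_text) if not t.startswith("#")]
    upstreams, stack, stmt, findings = set(), [], [], []
    for tok in tokens:
        if tok == "{":
            if len(stmt) > 1 and stmt[0] == "upstream":
                upstreams.add(stmt[1])
            stack.append(stmt)          # remember the enclosing block's header
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":
            in_location = bool(stack) and stack[-1][:1] == ["location"]
            if in_location and len(stmt) > 1 and stmt[0] == "proxy_pass":
                target = stmt[1].strip("\"'")
                host = urlsplit(target).hostname or ""
                if host not in LOCAL_HOSTS | upstreams | set(allowed_hosts):
                    findings.append((" ".join(stack[-1][1:]), target))
            stmt = []
        else:
            stmt.append(tok)
    return findings

if __name__ == "__main__":
    for loc, target in audit_proxy_pass(SAMPLE_CONF):
        print(f"suspicious proxy_pass in location {loc!r} -> {target}")
```

Run it over each file under the NGINX config directory (Baota keeps per-site vhost files, so include those) and treat any finding as a config change to verify against your deployment records.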
Conclusion: The New Normal?
This campaign is a stark reminder that web infrastructure - often invisible to users and even some administrators - can become a weapon in the hands of cybercriminals. As attackers grow bolder and more sophisticated, only vigilance, routine auditing, and rapid patching will keep the world’s digital highways safe from silent hijacking.
WIKICROOK
- NGINX: NGINX is an open-source web server and reverse proxy that efficiently manages, routes, and balances network traffic for websites and applications.
- proxy_pass: Proxy_pass is an NGINX directive that forwards client requests to another server or backend, enabling reverse proxy, load balancing, and improved security.
- Shell script: A shell script is a text file with commands for automating tasks in a command-line shell, used to streamline system and security operations.
- Baota (BT) panel: Baota (BT) Panel is a web-based Linux server management tool offering easy website, database, and security administration through a graphical interface.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.