Websites built on popular Content Management Systems (CMS) such as Joomla and WordPress are being hit by a code injector and redirector script. The threat sends unsuspecting visitors to authentic-looking but malicious websites, and once the redirect succeeds it attempts to push infected code and software to the visitor's computer.
Security analysts have uncovered a surprising threat that targets Joomla and WordPress, two of the most popular and widely used CMS platforms. Millions of websites use at least one of these CMSs to create, edit and publish content. The analysts are warning owners of Joomla and WordPress websites about a malicious redirect script that is pushing visitors to malicious websites. Eugene Wozniak, a security researcher with Sucuri, detailed the threat after uncovering it on a client’s website.
The newly discovered .htaccess injector does not try to cripple the host or the visitor. Instead, the infected website continually redirects its traffic to advertising sites. That alone may not sound very damaging, but the injector also attempts to install malicious software, and this second part of the attack, combined with legitimate-looking landing pages, can severely damage the credibility of the host site.
Joomla and WordPress websites very commonly use .htaccess files to change the web server's configuration at the directory level. That makes the file a critical component of the site: it carries per-directory Apache settings such as access control, URL rewriting (including the short, "pretty" URLs both CMSs generate) and URL redirects, and the server reads it on every request to that directory.
According to the analysts, the malicious code abuses the redirect capability of the .htaccess file: “While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, and to send unsuspecting site visitors to phishing sites or other malicious web pages.”
What is truly concerning is that it remains unclear exactly how the attackers gained access to the affected Joomla and WordPress websites. Whatever the entry point, once inside the attackers can easily plant malicious code in the site's index.php files. These files are critical because index.php is the front controller: every page request is handed to it, and it loads the CMS core that decides what content to deliver and how to deliver it, so any PHP injected there runs on every visit.
Once they have that access, the attackers plant the modified index.php files, and the code in them injects the malicious redirect rules into the site's .htaccess files. The injector runs on each request and keeps searching for .htaccess files: after locating one and injecting the redirect, it continues down the directory tree looking for more files and folders to infect, so a single compromised index.php can spread the redirect to every directory the web server user can write to.
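A scan for both halves of the infection described above, written here as an added example (it is not Sucuri's code and not the injector itself): it walks a document root the way the injector does, flags redirect directives in .htaccess files whose target host is not one of the site's own hosts, and flags any index.php that names .htaccess next to a file-writing call. The sample files, the example.com and example.net hosts, the directive list and the PHP heuristic are constructed assumptions; the scan will miss rules that build the target URL at runtime and PHP that is obfuscated.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Directives through which an .htaccess file can send a visitor elsewhere.
# Assumption: this list covers the mechanisms an injected file would use.
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\s+(.*)$",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s\"'\]]+", re.IGNORECASE)
# Heuristic for the dropper half: PHP that names .htaccess within 200 bytes of a
# file-writing call. A stock WordPress or Joomla index.php does neither.
WRITES_HTACCESS_RE = re.compile(
    r"\.htaccess.{0,200}?\b(file_put_contents|fwrite|fopen)\b"
    r"|\b(file_put_contents|fwrite|fopen)\b.{0,200}?\.htaccess",
    re.IGNORECASE | re.DOTALL,
)


def external_redirects(htaccess_text, own_hosts):
    """Return the redirect directives whose target host is not one of own_hosts."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in htaccess_text.splitlines():
        m = REDIRECT_RE.match(line)
        if not m:
            continue
        for url in URL_RE.findall(m.group(2)):
            if (urlparse(url).hostname or "").lower() not in own:
                hits.append(line.strip())
                break
    return hits


def scan_docroot(root, own_hosts):
    """Walk the tree the way the injector does and report what it would have touched.

    Returns (path, kind, detail) tuples; kind is 'external redirect' for a
    suspicious .htaccess line or 'index.php writes .htaccess' for a dropper.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and name.lower() != "index.php":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            if name == ".htaccess":
                for line in external_redirects(text, own_hosts):
                    findings.append((path, "external redirect", line))
            elif WRITES_HTACCESS_RE.search(text):
                findings.append((path, "index.php writes .htaccess", ""))
    return findings


# Constructed samples (not captured from a real compromise); hosts are reserved
# example domains. The clean .htaccess is the stock WordPress permalink block
# plus one legitimate redirect to the site's own host.
CLEAN_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Redirect 301 /old-page https://www.example.com/new-page
"""
INJECTED_HTACCESS = CLEAN_HTACCESS + """\
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule .* http://ads.example.net/go.php [R=302,L]
ErrorDocument 404 http://ads.example.net/404.php
"""
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
DROPPER_INDEX = (
    "<?php\n// constructed stand-in for injected code, not real malware\n"
    "file_put_contents(__DIR__ . '/.htaccess', $rules, FILE_APPEND);\n"
    "define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
)


def demo():
    """Build a throwaway docroot with one clean and one infected directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        samples = {
            ".htaccess": CLEAN_HTACCESS,
            "index.php": CLEAN_INDEX,
            os.path.join("blog", ".htaccess"): INJECTED_HTACCESS,
            os.path.join("blog", "index.php"): DROPPER_INDEX,
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
                f.write(body)
        return [(os.path.relpath(p, root), kind, detail)
                for p, kind, detail in scan_docroot(root, {"example.com", "www.example.com"})]


if __name__ == "__main__":
    for path, kind, detail in demo():
        print(f"{path}: {kind} {detail}")
```

Run it against a real document root with `scan_docroot("/var/www/example", {"example.com", "www.example.com"})`. Treat any finding as a reason to compare index.php against a pristine copy of the CMS release and to check the modification times of every .htaccess in the tree, since the injector touches them in bulk.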
The most direct defence is to stop honouring .htaccess files altogether. Apache has not honoured them by default since version 2.3.9, when the default for the AllowOverride directive changed from All to None, but many site owners re-enable them because WordPress and Joomla rely on .htaccess for their rewrite rules. Those rules can instead be placed in the server's own configuration, which is owned by root and cannot be rewritten by a compromised web application running as the web server user.
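The weak setting beside the corrected one, as an added example that is not from the original article or from Sucuri. The paths, the server name and the rewrite rules (the stock WordPress permalink block) are assumptions; only one of the two blocks would be loaded at a time.

```apache
# Weak: every directory under the document root honours .htaccess, so any
# file the web application can write becomes live server configuration.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# Corrected: .htaccess files are ignored (AllowOverride None, the default
# since Apache 2.3.9) and the rewrite rules WordPress would have written
# there live in this root-owned file instead.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        AllowOverride None
        Require all granted
        RewriteEngine On
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
    </Directory>
</VirtualHost>
```

After the change, run `apachectl configtest` and reload the server, then request a page with a pretty permalink and a deliberately missing path to confirm that rewriting still works and that a stray .htaccess dropped into the tree no longer changes anything. `Require all granted` is Apache 2.4 syntax; mod_rewrite must be loaded for the rules to apply.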