Joomla and WordPress Found Harboring Malicious Redirect Code | Threatpost

Security researchers are warning owners of Joomla and WordPress websites of a malicious redirect script that is pushing visitors to malicious websites.

On Thursday, Eugene Wozniak, a security researcher with Sucuri, published a report outlining a rogue hypertext access (.htaccess) injector found on a client website. He reported that the impacted site was directing website traffic to advertising sites that attempted to install malicious software.

Both Joomla and WordPress sites use .htaccess files to make configuration changes at the directory level of a web server. The file is used to configure a host of web page options, ranging from website access and URL redirects to URL shortening and access control.
Adversaries in the context of Sucuri’s research were abusing the URL redirect function of the .htaccess file, the researcher said.

“While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, and to send unsuspecting site visitors to phishing sites or other malicious web pages,” he wrote.

It’s unclear how attackers gained access to the Joomla and WordPress websites. However, once they had access, adversaries were able to plant code in some of the websites’ index.php files. Index.php files are used to deliver Joomla and WordPress web pages and determine the content, styling and special underlying instructions that the web pages should contain. Through the code planted in the index.php files, attackers were able to inject the malicious redirects into the .htaccess files, Wozniak wrote.

A warning message from endpoint antivirus software when users try to visit a malicious site they were redirected to by compromised Joomla and WordPress sites.

“This [.php] code is searching for an .htaccess file. If found, this code will place malicious redirects in the file,” he wrote. “The code searches for more files and folders, trying to search folders in a deeper level.”

Those .htaccess files have long been targets of hackers. While .htaccess rules can be used to mitigate website threats, such as blocking spam bots and denying access to PHP backdoors, they have also just as easily been leveraged for nefarious purposes.
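A defender-side check for the kind of injected redirect the report describes, added here as an example and not code from Sucuri or the article: it walks a web root for .htaccess files, the same way the injector searches folders, and flags any Redirect or RewriteRule whose target host is not on an allowlist. The sample .htaccess content and the hostnames in it are constructed.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Constructed sample .htaccess content: benign internal rules plus one injected
# external redirect of the kind described in the report (hostname is made up).
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://ads.example-malicious.test/?$1 [R=302,L]
Redirect 301 /old-page /new-page
"""

# Apache directives that send the client elsewhere; only the target host matters.
REDIRECT_RE = re.compile(r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(.*)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

def suspicious_redirects(text, allowed_hosts):
    """Return (line_no, line) for every redirect whose target host is not allowed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REDIRECT_RE.match(line)
        if not m:
            continue
        for url in URL_RE.findall(m.group(2)):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                findings.append((n, line.strip()))
                break
    return findings

def scan_tree(root, allowed_hosts):
    """Walk a web root, including nested folders, and check every .htaccess found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_redirects(fh.read(), allowed_hosts)
            if hits:
                results[path] = hits
    return results

if __name__ == "__main__":
    # Stand-alone demo on a temporary tree with the sample file in a subfolder.
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "wp-content", "uploads")
        os.makedirs(sub)
        with open(os.path.join(sub, ".htaccess"), "w") as fh:
            fh.write(SAMPLE_HTACCESS)
        for path, hits in scan_tree(root, {"www.example.com"}).items():
            for n, line in hits:
                print(f"{path}:{n}: {line}")
```

Rules that redirect only for certain User-Agents or referrers, as in the sample, are a common way such injections hide from the site owner, so run the scan from the server rather than trusting what a browser shows.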

The .htaccess file has been implicated in a number of different attacks, including, most recently, an assault that occurred in October. That’s when a plugin called jQuery File Upload placed 7,800 different software applications at potential risk of compromise and remote code execution.

Default support for .htaccess files was eliminated starting with Apache 2.3.9 (though users can choose to enable it), leaving unprotected any code that used the feature to impose restrictions on folder access. Sucuri did not reply to queries seeking specifics about the attacks outlined in Wozniak’s report.
