Joomla and WordPress based sites targeted by new .htaccess code injection

• The injection affects all .htaccess files associated with the Joomla or WordPress-powered sites.
• It eventually redirects users browsing these sites to a malicious advertisement website.

Security researchers have come across a new .htaccess code injection that is being used in sites managed by content management systems (CMS) such as Joomla and WordPress. According to researchers from Sucuri, the injection spreads all over the site and affects all related .htaccess files. It then redirects users to a malicious advertisement site http[:]//portal-f[.]pw/XcTyTp.

The .htaccess file is a configuration file which is used on web servers running the Apache Web Server software.

Worth noting

• Sucuri’s researchers uncovered a piece of malicious code written in PHP targeted against a Joomla site. This was used to inject malicious redirects through the .htaccess files in the site.
• The code initially searches for a .htaccess file, and if detected, proceeds with injecting redirects into this file.
• Upon successful code injection, another long piece of PHP code is executed which searches through all the source files and folders extensively.

What is the motive behind this?

This code injection technique is possibly used to carry out phishing campaigns by exploiting redirects. “While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, send unsuspecting site visitors to phishing sites, or other malicious web pages,” the Sucuri researchers suggest.

To stay safe from this, website owners who use Joomla and WordPress are advised to check for code injections and malicious redirects in their pages.