Something very terrible happened to one of the sites I work on yesterday.

I was called and told that the site was redirecting to https://www.loyaltycommunication.com. The domain was managed on AWS Route53 and calls are forwarded to an ALB, which pushes the request to some EC2 instances.

When I traced the request, I realized that the request rightly got to the EC2 instances, but NGINX on the instances was the one throwing a 302 and redirecting to the website.

After trying everything, I decided to restart all the NGINX services, and that was it; the issue got solved. But how am I going to assure stakeholders that this will not happen again, since I don't know what kind of attack this is? Can anyone help shed light on this?

EDITED

The site is cached on AWS CloudFront. The NGINX configuration is very long; posting it here would be an abuse of the internet.

Moreover, there is nothing wrong with the configuration, since I just issued a service nginx restart and everything started working fine again.

Aderemi Dayo
  • Your question is lacking in detail. What is your NGINX configuration? Do you have any caching (Varnish, etc.)? – Danila Vershinin May 30 '20 at 08:43
  • @DanilaVershinin The configuration is quite long and running on live servers, I don't think anyone will want to publish that. The site is cached with AWS CloudFront anyways and I just want to know if there is a security vulnerability in NGINX that can be exploited this way and how to avoid it. – Aderemi Dayo May 30 '20 at 15:04
  • If there were an actual vulnerability in NGINX causing direct behavior like you described, it would be well known, but that's not so. So my suspicion is a misconfiguration that causes a malicious player to cause a redirect that is then cached. Since it does sound like a misconfiguration, you'd need to at least post the essentials of your configuration or setup. – Danila Vershinin May 30 '20 at 15:49

0 Answers