The Wolves Have Learned to Rewrite the Gate Signs. Congratulations, Everyone.
I have been staring at this incident report for twenty minutes. Not because it is complex. Because it is embarrassing.
React2Shell. A campaign exploiting malicious NGINX configurations to redirect web traffic wholesale. Government domains. Asian TLDs. Baota panel installations. The wolves did not pick a lock. They walked up to the gate, changed the sign to read "Exit," and watched the entire flock trot cheerfully into the treeline.
This is what we have come to.
In the old days, you hardened your configuration files and then you guarded them. Physically, if necessary. I once kept a printed copy of a critical server config in a fireproof lockbox. My colleagues laughed. Those colleagues later got compromised by a man with a floppy disk and a grudge. Nobody laughed after that.
NGINX, for the uninitiated, is the mechanism that tells incoming traffic where to go. When a wolf rewrites those instructions, the flock stops arriving at your pasture and starts arriving at his pasture. Same gate. Different destination. The lambs never notice. They never do.
The campaign specifically targeted Baota panel deployments. Baota is a web hosting control panel popular across Asia. If you are running Baota and you are reading this, please close this tab and go check your configurations immediately. I will still be here, being correct, when you return.
The fact that government domains were caught in this net is, frankly, the only part that surprises me. Not because governments are secure. They are not. But because I assumed the wolves preferred softer targets. Apparently they have grown ambitious. Good for them, I suppose. Professionally speaking.
Modern configuration management tools will tell you everything is fine right up until it is catastrophically not fine. A magnetic tape backup and a paranoid systems administrator with trust issues would have caught this in 1994. I am just saying.
Remediation
The Shepherds will want to convene a meeting. Do not let them.
Instead, do the following:
- Audit your NGINX configuration files now. Look for unauthorized proxy_pass, rewrite, or return directives pointing anywhere you did not put them.
- Lock down your Baota panels. Restrict access by IP. If your panel is exposed to the open internet, that is not a configuration, that is an invitation.
- Implement file integrity monitoring on your server config directories. If something changes, you should know before the flock does.
- Apply all available shearing. Unpatched systems are how the wolves find their holes in the fence.
- Check your DNS records too. Traffic hijacking rarely stops at one layer.
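An added example of the first item above (not code from the original post or the linked report): a small Python audit that flags proxy_pass, rewrite and return directives whose target host is not on an allowlist you maintain. The sample config, the allowlist and the hostname attacker.example are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed sample NGINX config (not from the report): one legitimate local
# upstream plus two off-site redirect directives that an audit should flag.
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name example.internal;
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }
    # injected line: unconditional redirect to an outside host
    rewrite ^ https://attacker.example/landing permanent;
    location /old {
        return 301 https://attacker.example/old;
    }
}
"""

# Hosts you configured yourself as proxy or redirect targets (assumed allowlist).
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "example.internal"}
# One directive per line, as conventionally written; commented-out lines do not match.
DIRECTIVE_RE = re.compile(r"^[ \t]*(proxy_pass|rewrite|return)\s+([^;]*);", re.MULTILINE)
URL_HOST_RE = re.compile(r"https?://([^/:\s]+)")

def find_suspect_directives(config_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_no, directive, host) for each proxy_pass/rewrite/return whose
    URL target names a host outside the allowlist. Directives with no URL (e.g.
    'return 404;') are skipped; a '$variable' host is reported for manual review."""
    findings = []
    for m in DIRECTIVE_RE.finditer(config_text):
        url = URL_HOST_RE.search(m.group(2))
        if url is None:
            continue
        host = url.group(1)
        if host not in allowed_hosts:
            line_no = config_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(1), host))
    return findings

def audit_config_dir(directory, allowed_hosts=ALLOWED_HOSTS):
    """Scan every *.conf under directory; map path -> findings (non-empty only)."""
    report = {}
    for path in sorted(Path(directory).rglob("*.conf")):
        hits = find_suspect_directives(path.read_text(errors="replace"), allowed_hosts)
        if hits:
            report[str(path)] = hits
    return report
```

Run audit_config_dir("/etc/nginx") (or wherever your panel writes its vhost files) from a cron job and alert on any non-empty report; the allowlist is the part you must keep honest.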
The Sky Pasture providers in this chain should also be auditing their logs, but I have learned not to expect initiative from that direction.
Stay suspicious, stay patched, and for the love of all that is holy, read your config files.
Original Report: https://thehackernews.com/2026/02/hackers-exploit-react2shell-to-hijack.html