Thursday, March 15, 2007

Nginx http server, possibly a criminal indicator?

Just like using Linux doesn't automatically make you a criminal, I doubt that using Nginx (pronounced "Engine-X") is necessarily a criminal act. But is it an indicator?

I noticed it today as part of a light analysis of a real-world exploit of the overlong RTSP link bug in QuickTime. Nginx is a lightweight HTTP server that is now associated with at least one case of network crime, having served up a fairly fresh exploit.

Again, most phishing sites today run on Apache with PHP, and most phishing login pages have words like "FDIC Insured" and "All Rights Reserved" and have a login form with a password input field. Taken separately, none of these indicators a phishing site make. Taken together, it's a strong indication of crime.

So, I'm wondering -- has anyone else run into Nginx doing evil? I'm curious what the evil:good ratio is in the real world, and if it's something defenders/auditors/LEOs can use to help profile potentially malicious sites.
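The scoring idea in the post (several weak signals that only mean something taken together) as a worked example. This is added code, not part of the original post: a small Python triage scorer that parses a raw HTTP response and tallies the indicators named above, with the Server header as the weakest signal because it is self-reported and trivially changed. The weights, the threshold, the sample responses and the version strings in them are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Illustrative weights; the post gives no numbers, only "taken together".
WEIGHTS = {
    "server:nginx": 1,       # the post's open question: a weak signal at best
    "server:apache+php": 1,  # "most phishing sites today run on Apache with PHP"
    "text:fdic": 2,          # "FDIC Insured"
    "text:rights": 1,        # "All Rights Reserved"
    "form:password": 2,      # a login form with a password input
}
THRESHOLD = 4  # flag for manual review at this score or above (arbitrary)


def parse_response(raw: bytes) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.x response into lower-cased header names and a text body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body.decode("utf-8", errors="replace")


def score_response(raw: bytes) -> Tuple[int, List[str]]:
    """Return (score, list of indicator names that fired) for one response."""
    headers, body = parse_response(raw)
    hits: List[str] = []
    server = headers.get("server", "").lower()
    powered = headers.get("x-powered-by", "").lower()
    # Server and X-Powered-By are whatever the operator chooses to send
    # (nginx's server_tokens directive, header rewriting), so a Server
    # value is evidence only in combination with content-based signals.
    if server.startswith("nginx"):
        hits.append("server:nginx")
    if server.startswith("apache") and ("php" in powered or ".php" in body.lower()):
        hits.append("server:apache+php")
    if re.search(r"fdic\s+insured", body, re.I):
        hits.append("text:fdic")
    if re.search(r"all\s+rights\s+reserved", body, re.I):
        hits.append("text:rights")
    if re.search(r"<input[^>]+type\s*=\s*[\"']?password", body, re.I):
        hits.append("form:password")
    return sum(WEIGHTS[h] for h in hits), hits


def is_suspicious(raw: bytes) -> bool:
    return score_response(raw)[0] >= THRESHOLD


# Constructed sample responses (not captured traffic).
PHISH = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\nX-Powered-By: PHP/5.2.1\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>Online Banking</h1><form method=post action=login.php>"
    b'<input name="user"><input type="password" name="pass"></form>'
    b"<p>Member FDIC Insured. All Rights Reserved.</p></body></html>"
)
BLOG = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.17\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>My weblog</h1><p>Nothing to log into here.</p>"
    b"<p>All Rights Reserved.</p></body></html>"
)
# Same phishing page, but the operator relabelled the server: content signals still carry it.
SPOOFED = PHISH.replace(b"Server: Apache/2.2.3", b"Server: nginx")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("blog", BLOG), ("spoofed", SPOOFED)):
        score, hits = score_response(raw)
        print(f"{name:8s} score={score} suspicious={is_suspicious(raw)} hits={hits}")
```

Run against the three samples: the phishing page scores 6 and is flagged, the nginx-hosted weblog scores 2 and is not, and the relabelled phishing page still scores 6 because only one point ever depended on the Server header. That is the practical answer to the post's question: a server banner alone, nginx or otherwise, is worth a point of curiosity, not a verdict.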


15 Comments:

Blogger Pierre-Marc said...

This is interesting because I had the same feeling when I was analysing some malware. The only time I have encountered nginx web servers, they were hosting malicious files.

There is no reason why nginx can't be used legally but I would have to say evil++

8:31 AM  
Blogger Jason said...

That would make me a criminal also. Which is non-information, since you probably don't know about me =)

I can see two thought-streams leading you to this irrational conclusion. First, up until a few weeks ago, nginx was quite under-documented in English, most of the users were using the Russian documentation. The content produced by them (or their users) is possibly a bit removed from the English blogosphere. Second, as nginx is a bit obscure, but high performance web/proxy server, it will be found by those who want to serve more pages than usually possible with traditional solutions. Again, these people may do things many of us don't approve, like hosting spam or malware target links, squeezing out more performance from a current machine.

Basically what you are saying is that people who are using more efficient technology than needed by the mainstream are doing shady things, which sounds a bit silly, and makes about as much sense to me as belittling Linux.

Mind you, I'm using both, and I'm quite happy with nginx as a frontend proxy server (to a single Apache, no less!). Also I don't really care about malware and who's hosting it, since my environment is not really prone to infection...

4:47 PM  
Anonymous Anonymous said...

What jason said.

We use nginx because it screams on our hardware and reduces the load on the machine, as well as allowing the machine to host **significantly** more connections. Being a legitimate web design company, I find your post both reaching and silly in the conclusion it forms. I guess you're saying that http://www.fastmail.fm/ is criminal as well, eh?

3:38 PM  
Blogger Michael Dundas said...

I think this post should be called 'Profiling criminal behaviour by web server' or something like that.

If it turns out that nginx is used mostly for that, then inevitably companies will use it as an indicator.

2:35 PM  
Blogger todb said...

I think you're right, Michael.

Now that I've a few more months to look at the criminal http space, it's becoming more clear that nginx has plenty of non-criminal users (as was expected).

What wasn't expected was that the more popular and successful Storm variants use Nginx as a core http server... :)

So I think it's still +5 evil points or so.

3:45 PM  
Anonymous Anonymous said...

sorry, it's complete bullshit.

when two events happen together, it doesn't mean they are correlated.

with the same success you may guess whether using a computer is a criminal indicator.

or having two eyes - there are more and more cases when crimes are performed by beings having two eyes. do you have two eyes? very suspicious...

- anton

3:20 PM  
Anonymous Cynthia Blue said...

Found your post through Google... my LAN people at work are telling me my laptop is running nginx and they are worried about it and want me to make it stop. I don't know why it's on there, I don't need a web or mail server on my laptop. It's Windows Vista Home Premium. So I'm wondering how I can get it off. Seems malicious to me!

5:38 PM  
Blogger todb said...

Cynthia -- get your LAN people to reinstall your operating system. You have almost certainly been compromised with Storm or a variant.

3:42 PM  
Anonymous Thomas Barker said...

Nginx is a very easy-to-use, fast webserver, but I suppose you can profile on anything if it is predictive.

It's extremely simple to make one webserver pretend to be another though...

9:52 AM  
Anonymous Anonymous said...

cum hoc ergo propter hoc!

Correlation does not imply causation

5:01 PM  
Anonymous Anonymous said...

Lots of comments to the effect of "not all nginx users are malicious" and "just because you have encountered it in some malicious contexts...".

No, that is not what the author was saying at all. He was saying the HTTP server used might be useful information in developing a profile by which to judge the odds of an HTTP server being malicious. If 90% (random figure) of nginx servers are set up for malicious purposes, then when encountering such a server you might want to investigate it further. Also, the author was wondering if there were other factors which could be taken into account to further refine these criteria.

7:57 PM  
Anonymous Dustin said...

I came upon this page while investigating a fresh malware and rootkit infestation on a computer. The malicious files installed a browser hijack that redirected to several sites including clickfraudmanager.com, which appears to be running nginx 0.7.30.

Thus, so far I support the assertion that nginx is indicative of, but not a guarantee of, criminal intent.

11:40 PM  
Anonymous Anonymous said...

Seems like "Anonymous" really likes NginX. Wonder what he is up to. lol.

7:03 AM  
Anonymous ernie said...

This is awesome... so what you are saying it that using MS Windows is an indicator of criminal behavior.

Go OS X and Linux!!

3:32 PM  
Anonymous Anonymous said...

anyone in their right mind wouldn't spend $$$ on Mac crap.. OS X is for dumbasses that can't figure out how to use/setup a real OS like Linux and build their own computer using off-the-shelf parts for a significantly lower cost... I mean pick any Mac laptop - what do you get for $1200 over say one from ASUS or Toshiba. I can buy 2 ASUS laptops and run circles around OS X for $1200. Only thing cool from Apple is the iPod.

You can betcha, those White Hats and most certainly the Black hats know which HTTP server is best for hosting Malicious Websites...

LAMP FTW!

9:58 PM  
