Thursday, March 15, 2007

Nginx http server, possibly a criminal indicator?

Just like using Linux doesn't automatically make you a criminal, I doubt that using Nginx (pronounced "Engine-X") is necessarily a criminal act. But is it an indicator?

I noticed it today as part of a light analysis of a real-world exploit of the overlong RTSP link bug for QuickTime. Nginx is a lightweight HTTP server, and it is now associated with at least one case of network crime: the server in this case was serving up a fairly fresh exploit.

Again, most phishing sites today run on Apache with PHP, and most phishing login pages contain phrases like "FDIC Insured" and "All Rights Reserved" and carry a login form with a password input field. Taken separately, none of these indicators makes a site a phishing site. Taken together, they are a strong indication of crime.

So, I'm wondering: has anyone else run into Nginx doing evil? I'm curious what the evil:good ratio is in the real world, and whether it's something defenders, auditors and LEOs can use to help profile potentially malicious sites.
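To make the "taken together" idea concrete, here is an added example (not code from the original post) that scores a single HTTP response against the indicators listed above: the Server banner, the "FDIC Insured" and "All Rights Reserved" phrases, and a form with a password input. The indicator weights, the review threshold and the two sample responses are constructed for illustration and are not measurements from the post.

```python
import re

# Weights and threshold are assumptions for illustration, not figures from the post.
INDICATOR_WEIGHTS = {
    "server:nginx": 1,
    "server:apache+php": 1,
    "text:fdic insured": 2,
    "text:all rights reserved": 1,
    "form:password-input": 2,
}
# A page scoring at or above this (assumed) threshold is flagged for analyst review.
REVIEW_THRESHOLD = 4

# A <form> anywhere in the body plus an <input type=password> anywhere in the body.
_FORM_TAG = re.compile(r"<form\b", re.IGNORECASE)
_PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.IGNORECASE)


def find_indicators(headers, body):
    """Return the names of the indicators present in one HTTP response.

    headers: dict of response header name -> value (looked up case-insensitively)
    body:    decoded HTML text of the response
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    server = hdrs.get("server", "").lower()
    powered = hdrs.get("x-powered-by", "").lower()
    text = body.lower()
    found = []
    if "nginx" in server:
        found.append("server:nginx")
    if "apache" in server and ("php" in server or "php" in powered):
        found.append("server:apache+php")
    if "fdic insured" in text:
        found.append("text:fdic insured")
    if "all rights reserved" in text:
        found.append("text:all rights reserved")
    if _FORM_TAG.search(body) and _PASSWORD_INPUT.search(body):
        found.append("form:password-input")
    return found


def score_response(headers, body):
    """Sum the weights of the matched indicators and decide whether to flag the page."""
    found = find_indicators(headers, body)
    score = sum(INDICATOR_WEIGHTS[name] for name in found)
    return {"indicators": found, "score": score, "review": score >= REVIEW_THRESHOLD}


# Constructed sample 1: looks like the phishing login page described in the post.
PHISH_HEADERS = {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.1.6"}
PHISH_BODY = """<html><body>
<img src="logo.gif" alt="Member FDIC Insured">
<form action="login.php" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign On">
</form>
<p>&copy; 2007 All Rights Reserved</p>
</body></html>"""

# Constructed sample 2: an ordinary nginx-fronted page with a copyright notice and no form.
BENIGN_HEADERS = {"Server": "nginx/0.5.17"}
BENIGN_BODY = "<html><body><h1>Photo gallery</h1><p>All rights reserved.</p></body></html>"

if __name__ == "__main__":
    for label, hdrs, body in (("phish", PHISH_HEADERS, PHISH_BODY),
                              ("benign", BENIGN_HEADERS, BENIGN_BODY)):
        print(label, score_response(hdrs, body))
```

The constructed phishing sample matches four indicators and scores 6, so it is flagged; the nginx gallery page matches only the banner and the copyright phrase, scores 2, and is not. The Server banner is whatever the site operator configures it to be, so on its own it is the weakest signal here; the point of the scoring is that the text and form indicators, which a phishing kit needs in order to look like the bank, have to be present as well before a page is flagged.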


9 Comments:

Blogger Pierre-Marc said...

This is interesting because I had the same feeling when I was analysing some malware. The only time I have encountered nginx web servers, they were hosting malicious files.

There is no reason why nginx can't be used legally but I would have to say evil++

8:31 AM  
Blogger Jason said...

That would make me a criminal also. Which is non-information, since you probably don't know about me =)

I can see two thought-streams leading you to this irrational conclusion. First, up until a few weeks ago, nginx was quite under-documented in English; most of the users were using the Russian documentation. The content produced by them (or their users) is possibly a bit removed from the English blogosphere. Second, as nginx is a bit obscure, but a high-performance web/proxy server, it will be found by those who want to serve more pages than is usually possible with traditional solutions. Again, these people may do things many of us don't approve of, like hosting spam or malware target links, squeezing more performance out of a current machine.

Basically what you are saying is that people who are using more efficient technology than needed by the mainstream are doing shady things, which sounds a bit silly, and makes just as much sense to me as belittling Linux.

Mind you, I'm using both, and I'm quite happy with nginx as a frontend proxy server (to a single Apache, no less!). Also I don't really care about malware and who's hosting it, since my environment is not really prone to infection...

4:47 PM  
Anonymous Anonymous said...

What Jason said.

We use nginx because it screams on our hardware and reduces the load on the machine, as well as allowing the machine to host **significantly** more connections. Being a legitimate web design company, I find your post both reaching and silly in the conclusion it forms. I guess you're saying that http://www.fastmail.fm/ is criminal as well, eh?

3:38 PM  
Blogger Michael Dundas said...

I think this post should be called 'Profiling criminal behaviour by web server' or something like that.

If it turns out that nginx is used mostly for that, then inevitably companies will use it as an indicator.

2:35 PM  
Blogger todb said...

I think you're right, Michael.

Now that I've had a few more months to look at the criminal http space, it's becoming more clear that nginx has plenty of non-criminal users (as was expected).

What wasn't expected was that the more popular and successful Storm variants use Nginx as a core http server... :)

So I think it's still +5 evil points or so.

3:45 PM  
Anonymous Anonymous said...

sorry, it's complete bullshit.

when two events happen together, it doesn't mean they are correlated.

with the same success you may guess whether using a computer is a criminal indicator.

or having two eyes - there are more and more cases where crimes are performed by beings having two eyes. do you have two eyes? very suspicious...

- anton

3:20 PM  
Anonymous Cynthia Blue said...

Found your post through Google... my LAN people at work are telling me my laptop is running nginx and they are worried about it and want me to make it stop. I don't know why it's on there; I don't need a web or mail server on my laptop. It's Windows Vista Home Premium. So I'm wondering how I can get it off. Seems malicious to me!

5:38 PM  
Blogger todb said...

Cynthia -- get your LAN people to reinstall your operating system. You have almost certainly been compromised with Storm or a variant.

3:42 PM  
Anonymous Thomas Barker said...

Nginx is a very easy-to-use, fast webserver, but I suppose you can profile on anything if it is predictive.

It's extremely simple to make one webserver pretend to be another though...

9:52 AM  