Sunday, March 18, 2007

Myspace Hax0rs

So, over the weekend, this popped up on the usual mailing lists: Month of MySpace Bugs, Yes!, or MOMBY.

Loyal readers will know I've poked at MySpace a time or two, and faithfully reported my findings to what I've guessed is the right place (security@myspace.com and abuse@myspace.com), to be met with indifference from News Corp and quizzical looks from peers as to why I'm even bothering.

So, hopefully, this goofy project will succeed in its two stated goals: Kill off Month Of .* Bugs, and catch the attention of News Corp that yes, vulns in very popular websites are kind of a big deal.


Thursday, March 15, 2007

Nginx http server, possibly a criminal indicator?

Just like using Linux doesn't automatically make you a criminal, I doubt that using Nginx (pronounced "Engine-X") is necessarily a criminal act. But is it an indicator?

I noticed it today as part of a light analysis of a real world exploit of the Overlong RTSP link bug for Quicktime. This is a lightweight http server that is now associated with at least one case of network crime by serving up a fairly fresh exploit.

Again, most phishing sites today run on Apache with PHP, and most phishing login pages have words like "FDIC Insured" and "All Rights Reserved" and have a login form with a password input field. Taken separately, none of these indicators a phishing site make. Taken together, it's a strong indication of crime.

So, I'm wondering -- has anyone else run into Nginx doing evil? I'm curious what the evil:good ratio is in the real world, and if it's something defenders/auditors/LEOs can use to help profile potentially malicious sites.
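
The "taken together" reasoning above, as an added example that is not the author's code: it counts how many of the indicators named in the post (Apache, PHP, the two phrases, a form with a password field) co-occur in one raw HTTP response. The threshold of four, the function names and the sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

PHRASES = ("fdic insured", "all rights reserved")  # phrases named in the post
THRESHOLD = 4  # assumed cut-off: indicators that must co-occur

class FormScan(HTMLParser):
    """Notes whether any <form> contains an <input type="password">."""
    def __init__(self):
        super().__init__()
        self.in_form = self.password_in_form = False
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            if (dict(attrs).get("type") or "").lower() == "password":
                self.password_in_form = True
    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def indicators(raw):
    """Return the set of the post's indicators present in a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    hdr = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        hdr[name.strip().lower()] = value.strip().lower()
    stack = hdr.get("server", "") + " " + hdr.get("x-powered-by", "")
    found = {s for s in ("apache", "php") if s in stack}
    found |= {p for p in PHRASES if p in body.lower()}
    scan = FormScan()
    scan.feed(body)
    if scan.password_in_form:
        found.add("password form")
    return found

def looks_like_phish(raw):
    return len(indicators(raw)) >= THRESHOLD

# Constructed sample responses (not captured traffic).
HEAD = "HTTP/1.1 200 OK\r\nServer: Apache/2.0.59 (Unix) PHP/4.4.4\r\n\r\n"
BLOG = HEAD + "<html><body><p>My trip report.</p><p>All Rights Reserved</p></body></html>"
LOGIN = HEAD + ("<html><body><form action='login.php'><input type='text' name='u'>"
                "<input type='password' name='p'></form>"
                "<p>FDIC Insured. All Rights Reserved.</p></body></html>")

if __name__ == "__main__":
    for name, raw in (("blog", BLOG), ("login", LOGIN)):
        print(name, sorted(indicators(raw)), looks_like_phish(raw))
```

The count is a triage signal only: a legitimate bank's own login page carries the same markers, so where the page is hosted still has to be checked.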


Tuesday, March 06, 2007

Let's do the Timewarp again!

Weird little PoC popped up on milw0rm a few days back -- a buffer overflow in Netrek.

Just made me chuckle. I haven't played Netrek in maybe, what, 15 years? Besides, everyone knows that Nethack is the best game ever, and that's one I still play (though usually in its Slash'em incarnation).