Nginx http server, possibly a criminal indicator?
Just like using Linux doesn't automatically make you a criminal, I doubt that using Nginx (proncouned, "Engine-X") is necessarily a criminal act. But is it an indicator?
I noticed it today as part of a light analysis of a real world exploit of the Overlong RTSP link bug for Quicktime. This is a lightweight http server that is now associated with at least one case of network crime by serving up a fairly fresh exploit.
Again, most phishing sites today run on Apache with PHP, and most phishing login pages have words like "FDIC Insured" and "All Rights Reserved" and have a login form with a password input field. Taken separately, none of these indicators a phishing site make. Taken together, it's a strong indication of crime.
So, I'm wondering -- has anyone else run into Nginx doing evil? I'm curious what the evil:good ratio is in the real world, and if it's something defenders/auditors/LEOs can use to help profile potentially malicious sites.
I noticed it today as part of a light analysis of a real world exploit of the Overlong RTSP link bug for Quicktime. This is a lightweight http server that is now associated with at least one case of network crime by serving up a fairly fresh exploit.
Again, most phishing sites today run on Apache with PHP, and most phishing login pages have words like "FDIC Insured" and "All Rights Reserved" and have a login form with a password input field. Taken separately, none of these indicators a phishing site make. Taken together, it's a strong indication of crime.
So, I'm wondering -- has anyone else run into Nginx doing evil? I'm curious what the evil:good ratio is in the real world, and if it's something defenders/auditors/LEOs can use to help profile potentially malicious sites.
posted by todb at 11:50 AM
9 comments
links to this post
