From: Dave Farrance on 17 Dec 2009 12:27
Martin Gregorie <martin(a)address-in-sig.invalid> wrote:
>It is. The exploit is said to be the injection of infected <iframe>
>structures into web pages hosted using nginx. IOW it seems to be a
>vulnerability in a minority web server I, for one, had never heard of.
>A quick search shows that nginx is a lightweight, high performance web
>server/reverse proxy and e-mail (IMAP/POP3) proxy. According to Netcraft
>its the number 4 web server, with 6.4% of the installed population.
My reading of the report is that the author started to notice a malware
attack that was distinct from the iframe injection attacks that he'd been
looking at. His hypothesis being that the attacker is getting hold of
admin passwords and actually installing nginx to work alongside apache on
the compromised servers.