Why was the error sent as a web page?

Using Telnet to Test TCP Services
a. In Part 1, nginx was found to be running and assigned to port 80 TCP. Although a quick Google search revealed that nginx is a lightweight web server, how would an analyst be sure of that? What if an attacker changed the name of a malware program to nginx, just to make it look like the popular web server? Use telnet to connect to the local host on port 80 TCP:

[analyst@secOps ~]$ telnet 127.0.0.1 80

Trying 127.0.0.1...

Connected to 127.0.0.1.

Escape character is '^]'.

b. Press a few letters on the keyboard. Any key will work. After a few keys are pressed, press ENTER. Below is the full output, including the Telnet connection establishment and the random keys pressed (fdsafsdaf, this case):

fdsafsdaf

HTTP/1.1 400 Bad Request

Server: nginx/1.10.2

Date: Tue, 28 Feb 2017 20:09:37 GMT

Content-Type: text/html

Content-Length: 173

Connection: close







400 Bad Request

nginx/1.10.2





Connection closed by foreign host.

Thanks to the Telnet protocol, a clear text TCP connection was established, by the Telnet client, directly to the nginx server, listening on 127.0.0.1 port 80 TCP. This connection allows us to send data directly to the server. Because nginx is a web server, it does not understand the sequence of random letters sent to it and returns an error in the format of a web page.

---

Nginx is a web server and as such, only speaks the HTTP protocol.