Netcraft Survey Updated
The latest survey is out and ready for reading from Netcraft. There's some interesting commentary in regards to Code Red, and its effects on web usage. One of the things that I found most interesting was the data showing that while the number of sites hosted by Apache continues to grow, the number of physical webservers running some variety of Windows is about half of the total. Worth checking out.
Well, Netcraft's servers seem to handle the Slashdot effect pretty well.
Wonder how long they'd have stayed up if they used IIS.
P.S Is it one of those urban myths or does IIS really stand for Internet Infection System ?
The weird thing is they're reporting a decline in the number of infected servers ... I don't know about you, but I've found there's actually an *increase* in the number of infected servers that try to get at my computer during the past week or so.
... what's up with that?
BTW, did you notice the rather large proportion of Linux pc's (not servers) hooked up to the web? Sure, it's not as much as Windows, but still quite a lot
News and bla for computer musicians: http://lomechanik.net/
Maybe I have been taking too much acid in the last couple of days (Wow, look! A rainbow Tux!), but I think this is part of Microsoft's plan.
If it takes 2 MS machines to replace every Apache machine MS will be sitting pretty. All they need is a few pointy haired bosses who are naive enough to spend more money for more machines. Then they can say they have the most marketshare. Combined with some FUD this makes a great way to gain new clients. Eventually Apache will dwindle, and the corporate world will shun you unless you use MS.
Every time you look at porn a devil gets their horns.
As the article itself said, even when many IIS sites have gone down, since Gartner's report. It is hard to tell whether they just changed IP, as the systems were reinstalled etc.
On the other hand, I would see it positive, if it would change some IIS servers to linux. For the growth of linux on the pie has been taken from the other *nixes.
Are there any good ways to advocate such behaviour?
In dream society, people could be given the ability to mod replies. In real life, it would be disaster.
I'm surprised that they don't infer that a large number of those sites were alerted to the fact that they were running IIS when they were hit by code-red. They shut it down because they didn't need it, not because they replaced it!
Amazing how many of the code red servers were displaying the sample page.
they are nifty i86-worms since the shellcode they run is i86 :)
buffer overflows only works on the platform they are written for..
Our experience with our access provider is interesting in relation to the Code Red effects described in this report.
We live in a block of office units with shared network access. Our landlord is about as non tech as they come, the whole company, and outsource the LAN provision.
The phones and LAN went down twice due to Nimda, although our machines were unaffected - being patched!
The operator has given our landlord the following advice "Cut them off unless they have Norton". So we get a visit from a suit asking if we have Norton on our computers. We don't; we have McAfee. His response?
"Get Norton by Friday or you're being disconnected"
People just don't understand this stuff. We have fully patched machines, which run good virus software, but our PHB landlord denies us access to the network that WE PAY FOR because we chose a different software solution.
- I am the unqualified systems admin for our company, and I've been asked to set us up a crappy website. I only use windows, so I use IIS
- I am the systems admin for a hosting company, with several dozen servers, each with many virtual hosts for my clients. Naturally I use Apache on L/Unix, as it's secure and reliable, and I know how to use a CLI.
Naturally Apache is going to have a greater number of sites per machine, whereas IIS is going to have a large number of physical machines hosting a single crappy home-made site.
This DOES NOT account for the number of Web servers running a particular package to do something, it accounts for the number of servers _installed_ whether intentionally or not.
Further, it doesn't account for website overloading whereby a number of sites reside on the same IP address. Does Geocities count as one site, as it [may] only be registered to one IP?
Hmmm, could be a bunch of folks realized that IIS server on their SQL server was unnecessary. Again, they may have 'disappeared', but it doesn't mean they were used in the first place.
I mention the above as it's how we're functioning in OUR case. (3 or 4 machines that never used IIS have it turned off now, and we've got several large sites all sharing the same IP and servers)
"Draco dormiens nunquam titillandus."
What if next time the virus is a nifty I86 Assembly worm ?
Writing a worm in x86 assembly does not mean that you have an OS-independent worm.
In fact, many old-fashioned viruses (infected disks, .EXEs etc.) are written in pure x86 assembly. But they still are OS-specific.
Every worm needs a method to infect other hosts, and the only way is to exploit known vulnerabilities in legit services - ie, you are using applications' (IIS, Apache, bind, sendmail) and operating system's (Windows, Linux, Solaris) services to infect the host. The reason is that, on a network, you are not talking directly to the processor like you do with a local process. You are talking with software layers that manage your connection.
After you have unscrewed the software protections, you make your payload execute on the target host, using a nifty x86 assembly snippet designed to gain privileges. But this is still dependent on the OS.
I'm just going to be a little bit picky since you started it.
Apache has nothing to do with the OS. Many W2K machines out there run PHP and Apache to serve up sites, use Exchange for their email and W2K file services for their file sharing.
Also, Linux/Apache servers are also doubling as mail servers in *most* cases that I know of. The ISPs and hosting companies rarely ever separate the mail functions from the webserver.
What's with that? The end of month figures for vulnerable IIS systems show an increase in cross site scripting, accessible admin pages and viewable script source. Any guesses?
Is it just that they're more visible? Or is it a whole bunch of sysadmins formatting, re-installing, then selectively patching for the last three exploits that they can remember? Weird.
If you were blocking sigs, you wouldn't have to read this.
Usually it is quite simple to migrate between Unices and Linux, but it's quite a challenge to switch from a Microsoft platform to some *nix/Apache platform, if the server serves more than simple static pages.
I believe, the process to migrate from WinXXXX/IIS to *nix/Apache will take a few months, not weeks, for management decision (big corporations are not able to produce decisions in a few hours, but will take weeks - till the next "meeting" or so), reprogramming, data-migration, testing etc.
That's the reason, why Netcraft itself stated:
So give us time, and let's analyse the stats again in a few months.
It would be interesting to snoop traffic and extract header information to calculate the percentage of overall web traffic which is being served by each flavor of web server. Take a large enough sample from various points on the internet and you could get reasonable statistics though I'm not sure how the public at large would feel about being snooped.
-- Good judgement comes with experience. -- Experience comes with bad judgement.
Not necessarily.
Last I checked, Apache could run on big Sun, HP and IBM boxes. And last I checked, IIS could run only in x86 and Alpha. Obviously the big boxes can run more sites than the x86 ones.
Also, Apache is deployed more on mass virtual hosting than IIS, which tends to be used more in corporates and single site setups (like .coms).
The majority of IIS sites typically run ASP applications, whereas the majority of virtual hosted Apache sites are static.
Without more data, you cannot possibly say that Apache uses the hardware more efficiently.
yet another narrow minded person from america... sheez...
considering even the usa has at least 3 time zones (I'm sure Hawaii probably counts for a 4th) I'm nearly at the point to call you plain stupid.
No wonder your foreign policy is up the creek.
Actually, a Windows webserver does not necessarily mean IIS. A lot of the systems surveyed were probably Windows systems running apache. Most sensible people know better than to run IIS. But not all those people are ready to run a Unix or Unix-like system.
XML is like violence. If it doesn't solve the problem, use more.
It seems Netcraft has a very hard job to do. Yes, I eagerly check them every month to see that my favourite web server (Apache of course) is well on top. I'm also glad BSD isn't dying as some troll reported. 6% BSD on the web could mean many more times that in market share. 50% Windoze appears to count for only a tiny proportion of the computing power on the web. A good point was made that in this tabulation, a $1k "el cheapo" counts the same as a $1M top-of-the-line Sun!
For starters, maybe research should be done to determine which servers and platforms serve the most actual pages on the web. It is very reasonable to state the very same hardware will serve twice the volume with Apache Unix than IIS-win. The type of Unix may matter too. Large sites tend to use Linux, very large sites tend to use BSD. Moderate sites use Solaris (and only the smallest use IIS) in general. If security is of any concern, Windoze is a joke. Apache makes a Windoze version, but warns it should never be used in a production setting - just for a quick prototype. (to show management)
More interesting is which system serves the most data overall? The people that work on the 'big iron' say it is Linux by far, then a toss-up between Solaris and BSD. With a paltry 5%, comes the combined power of all Microsoft PC's.
The point is clear and we have all heard it: "You can prove or dis-prove anything by how you manipulate statistics". So M$ is the best from their perspective, and so is Linux from theirs and the same for Sun, BSD and all the others. BSD does make a good point that they can serve 100x the data for the same cost as Microsoft, and that assumes you *pirated the Microsoft software* and does not include 'down time' so many Microsoft users can relate to, never mind all the email worms and Trojans either!
I'm not too sure about this whole NetCraft thing, but if it has Neve Campbell and Robin Tunney, you can count me in.
Wouldn't it be even more deadly than a simple IIS targeted one ?
No, because you can't arbitrarily execute x86 machine code on my x86-based server. You have to exploit a hole first, then get your code to execute. Since I run Apache instead of IIS, it's much harder for you to get into my system, and since I run Linux (properly configured) instead of Windows (misconfigured by a PHB who thinks the pretty dialog boxes make him a sysadmin), it's harder for you to do significant damage if you do get your code to run (because Apache setuids itself to a non-root user).
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
The majority of IIS sites typically run ASP applications, whereas the majority of virtual hosted Apache sites are static.
How did you arrive at that conclusion?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Does Intel's 90% dominance disturb anyone else? It's a good thing that there is competition within that 90%. Oh well, this user will probably continue to buy cheap AMD mobos.
Friends don't help friends install M$ junk.
Unfortunately the number of Windows boxen out there is probably higher than the survey would indicate.
Remember that Netcraft's OS detection only detects the OS of the machine that is directly connected to the Internet. See their own FAQ at http://uptime.netcraft.com/up/accuracy.html
If you put your company's NT server behind a Unix-based firewall or proxy, it will be detected by Netcraft as Unix. This is probably a pretty common setup at many companies hosting their own web sites.
where there's fish, there's cats
Anecdotally, I can say that about a dozen machine linux servers I know are each running 3 or more separate hosts.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
This kind of implies to me that at least 78,000 of the machines Netcraft have been counting as IIS Web servers were in fact just machines on which IIS had been loaded by default, and were never serving any real content anyway. If that's true of 78,000, how many more is it true of? In other words, are Netcraft systematically overcounting IIS by counting all machines with IIS running whether they are in fact serving any real content or not? Likewise, how many of the 'Apache' servers counted are in fact just 'out of the box' Linux installs with no real content?
I'm old enough to remember when discussions on Slashdot were well informed.
If they have that much NT in their makeup, unless they're using hardware firewalling (Such as a Cisco box) they're going to be using Checkpoint or Guardian on an NT box. That way they don't need that extra Unix expertise.
If you think I'm kidding or trolling, I'm not- they actually THINK that way in business. And there's little wrong with it, in and of itself. It's just the choice of OS they settled on that's the problem.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
You have to get in there first.
And if you do, even MS use the x86 protection mechanism and run most code in ring 3. Since the account Apache runs in would not have the privilege to install & run arbitrary ring 0 code (as would be the case with IIS [running as Local System] installing device drivers) there are limits on what can be done.
Maybe there's an argument for an OS which has two modes which are mutually exclusive. You can use the machine (run applications etc.) or you can administer the machine (install drivers etc.). You cannot do both from the same account. Many Windows users run their day to day work under accounts with admin privileges - or worse still, domain admin privileges. Why? Do people really need to switch from document writing to driver installation so quickly that they need be done without an additional login? Does anyone really need god-like privileges from a regular account?
Of course, I may be talking rubbish.
This sig made only from recycled ASCII
i was under the impression apache can be run
under microsoft windows...
:)
:)
the survey site seems to assume that anything
windows must not be anything but an MS webserver.
i'll just sit back and assume the microsoft
server numbers
are even lower than presented
woohoo!
Netcraft isn't stupid.... see netcraft mechanics and how many active sites are there?.
But then, look at the number of IIS exploits and the ones on Apache, even though Apache has more than double the market share of IIS.
Add to that, that most exploits on Apache were due to vulnerable CGI scripts.
Apache actually has quite a good track record, regarding security and admins installing Apache are more likely that they know what they do
Now, what bugs me about Microsoft's WDI (worms deployment engine) is that a lot of NT/W2K users don't even know that they have a web server running. It's installed by default, with all its glorious vulnerabilities...
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
...that the vast majority of those IIS machines now taken off the web are just offline so they can be de-wormed, patched, and generally brought back into working order - I know, I've watched this happen (nasty Nimda infestation). People are acting like the only reason NT servers ever go down are Apache installs or permanent removals!
The military has already shutdown a large number of their websites. Generally, each unit has their own website/server. Sometimes sections within each unit will also have their own website/server depending on how important they view themselves as being. The information those sites provide is usually basic, very rarely has dynamic content, and can very easily be obtained by other means.
Those who have had sites that were shutdown now have to get approval (from several echelons up) before they can put their sites back up. I'm not going to say what the new web servers will be running, but it WILL NOT be Microsoft's IIS. The websites that are still running IIS are actively scanned for vulnerabilities (by someone other than several thousand script kiddies).
I will not be surprised if ALL of the webservers run by the military will be moved over to something else.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
My university switched from Sendmail to Exchange last year. In the process, we went from 1 Solaris machine to 4 Dual-Pentium/II Windows boxes.
That's how you win market share...
My uneducated opinion tells me that the reason half of the physical servers are running IIS is because small companies get a NT or 2K server for their business, then realize "hey, it's got IIS, we can have a website..." they accept the default. Of course, their server that's got all of their corporate secrets is now open to the internet.
I'd be willing to guess (but not to wager) that a majority of sites running on IIS are on single-site servers.
Those in the know know that there are other webservers which are more stable than IIS for multi-site hosting. (OK, there are some that are less stable, believe it or not, but they are few and far between.) Having your webserver running on your corporate server is a Bad Thing (tm). Having Exchange on your corporate server and open to the internet is a Bad Thing (tm). Having postfix running on a firewall, forwarding to Exchange is a Better Thing.
P.S. -- the OS is irrelevant here, well, except that IIS only runs on M$......
Give me my freedom, and I'll take care of my own security, thank you.
IIS is NOT installed by default in W2K Pro.
Bleh!
Netcraft operating system detector
;)
Is that a euphemism for nmap I've never heard...?
That has to be a darn small ISP. My ISP uses at least four incoming MX'es, eight maildrop boxes, four outgoing SMTP's and a couple of loadbalanced pop3 servers. The webservers are loadbalanced too and are running Apache on *BSD. Then again, they must have about 60.000 clients on dialup and DSL.
This is your sig. There are thousands more, but this one is yours.
No I'm not sure how many IIS servers are running their databases on the same machine or how accessible a database would be once IIS was hacked and admin privs were gained, but they, the press, never mention how vulnerable the customers data is on a Microsoft system. My CC has already been stolen and I'm darn sure it was because one site used IIS. Actually both mine and my wife's CC numbers were stolen and used for similar purposes.
.NYET!
Other similarities pointed to a ASP based server we used for a service we bought online.
The press is still leaving Microsoft alone as far as I'm concerned. They need to be called for what they are.
Bad for ebusiness, bad for corporate profits, and not to be trusted with customer data.
FEAR
IMHO.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
I thought so, but some of the rises are (proportionately) sharp, and they're not universal. It doesn't quite match a flurry of new, nekkid machines. Still, with IIS, who knows? ;)
If you were blocking sigs, you wouldn't have to read this.
There actually is a "good" reason that even people that know better often do this on NT(aka 2k). If you're sitting there word processing, logged in as a non-admin, and someone calls you and needs, let's say, a new account made for the new hire - you must close out of your program, log out of windows, log back in, then make the account. It's a pain. Whereas on a *nix box it's as it should be, you just open an xterm, su, and make the account. It's very handy to be able to change the user in a controlled way like that in an existing session, without affecting the other stuff you are doing.
Another reason that this is done a lot is that there are a lot of NT admins out there that just don't know what they are doing. You tell them you need two accounts and they think you're trying to scam them. These people are just jokes, but if they happen to be over you in the local hierarchy there isn't often a lot you can do about them. So you do it their way, and just hope you don't get hit when it hits the fan.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
"It is very reasonable to state the very same hardware will serve twice the volume with Apache Unix than IIS-win. "
No, that's not at all reasonable to assume that. In fact, IIS5 outperforms Apache by quite a bit.
You may be thinking of Tux, which has outperformed IIS in benchmarks, but isn't in high use.
As far as the $1k server versus $1M server. The Netcraft survey also doesn't account for machines behind a load balancer, which is the typical configuration of $1k servers running Linux/Apache or Windows/IIS.
A quick glance through Netcraft's Most requested sites over the last 30 days shows that part of Microsoft's Zone website stats.zone.com runs on Linux using Apache/1.3.9 (Unix) mod_fastcgi/2.2.2.
Love it!
"With most Windows servers I see, and I would say this sticks for the whole gamut of Windows usuage"
That's an awfully big assumption.
"Also, one final note, compare all of that to how people use the different servers: Apache is very heavily used by ISPs, IIS is heavily used by do-it-yourself admins who dont know all that much. "
That's another awfully wrong assumption.
IIS is much more heavily used by corporations because it is much more efficient to develop dynamic content web sites than is Apache.
I have been a MacOS user all the live long day, and I damn well know that I want to be able to install printer drivers without any of this logging in and out authentication nonsense. Of course, if I were running a server, I'd want more stringent security. However, viewed objectively it is nonsense to make a single-user, or even multi-user, system force me to log out just to install drivers. This is poor interface design and nothing else, if you aren't running a server. (hence OS X)
--hongpong.com
A couple years ago, my school switched from the Linux webserver that I had been administrating to a Mac server. Our site is now running on an iMac, I believe, using AppleShareIP. Naturally I did not support this change, as they've jumped years backwards in technology (and made a new site that's horrible to boot). However, I suppose one advantage of this is a little bit of security for obscurity. Because nobody's stupid enough to run a website off of an iMac, nobody wastes his time trying to find exploits for such a small target audience.
Yes! That guy!
However, viewed objectively it is nonsense to make a single-user, or even multi-user, system force me to log out just to install drivers. This is poor interface design and nothing else
WRONG
For home use, your assumption is (at best) debatable - separating regular use accounts from system admin accounts is a good way to prevent viruses and trojans, and to make sure that you can't screw up the machine accidentally (rm /* -rf isn't just for Unix.)
For corporate use, it is a necessity. Even though our salesmen are still stuck in windows land, I praised the day we switched them from Win98 to NT/2000 - yes, we get calls from them saying that "I can't install this program", but it's a small price to pay to prevent them from installing non-work related software, or trashing the machine.
The thing that interested me about this one was that the focus was clearly on Linux and Microsoft. The tone was that Linux was something that was just an ordinary part of life.
For example this quote: "One significant site to switch away from Microsoft recently is infoseek, though it is not known whether this is related to security concerns."
The article didn't say what operating system infoseek had switched to. But everyone reading the article would just assume (correctly) that they had switched to Linux. A year ago, a website this large switching to Linux would have been big news but now it's something that is just taken for granted.
As always however, it is frightening to see how many people use apache. Apache is a great web server but the worst security problem facing the internet today is not poor software but monoculture.
Please support alternative open source web servers.
The ex-IIS sites I've seen or created have all decided that since they're going to the trouble of dumping IIS, they may as well dump Windows too. Also, many of them dump IIS because they're dumping Windows, at least for that server. This is only my own experience, the global stats may side with your point.
Got time? Spend some of it coding or testing