Slashdot Mirror


Netcraft Claims Apache Now Runs 2/3rds Of The Web

Mr Bill writes "According to NetCraft the Apache web server now owns over 2/3rds of the web. The jump of 2.8% since last month is mostly due to a number of large domain parking sites switching back to Apache from IIS. 'During 2001 and the first half of 2002 several companies hosting very large numbers of hostnames including Webjump, Namezero, Homestead, register.com and Network Solutions migrated to Microsoft-IIS. Subsequently these businesses have either failed, significantly changed their business model, or reverted to their previous platform, and Microsoft-IIS share is now in line with its long term pre-summer 2001 level of around 20%.' See the full report here."

9 of 366 comments

  1. OpenSSL... by admbws · · Score: 4, Informative

    Take a look at the article below. It's incredibly worrying how many sites are still using vulnerable versions of OpenSSL.

  2. Re:Apache 2.0 by Anonymous Coward · · Score: 5, Informative
    The Apache version comes directly from the server signature. This is changed easily enough (we find 3K Apache 7.x sites) but most people don't bother.

    This month, we found

    • 26.3M Apache 1.x hostnames
    • 1M Apache 2.x hostnames
    • 3M Unknown Apache hostnames


    Magnus at netcraft dot com
  3. Re:Microsoft running on Linux? by Anonymous Coward · · Score: 4, Informative

    From Netcraft's FAQ:

    "Why do you report impossible operating system/server combinations?

    Webservers that operate behind a caching system, load balancer, reverse proxy server or a firewall may sometimes report the operating system of the intermediate machine. Hence reports of 'Microsoft/IIS on Linux' may indicate that either the web server is behind a Linux server that is acting as a reverse proxy, or has configured the Akamai caching system such that the first request to the site goes to one of Akamai's servers [which run Linux], or as in the case of www.walmart.com has been configured to send a misleading signature."

    RTFM :-)

  4. Re:Mono-cultures not good!!!!! by jalet · · Score: 5, Informative

    Problem with Zope is that it's often installed behind Apache, which serves as proxy/URL rewriter, and so Netcraft may sometimes only see Apache. (It correctly detects Zope for my own website, though.)

    --
    Vote green: shit in the ballot box!
  5. Re:Microsoft running on Linux? by PowerBert · · Score: 5, Informative

    Ummm, could it be because it's their Unix? HP push Linux too, and their website runs HPUX. All vendors use their own OS to run their websites. Can you imagine all the flak they would get if they didn't?

    Funnily enough, SCO are the only ones that don't run their own OS on their webservers. They run Linux; what's wrong with OpenServer???

    Who really stands behind their products?

    IBM run IBM/Apache on AIX

    HP run Apache on HP-UX

    SGI run Netscape Enterprise on Irix

    Sun run SunONE webserver on Solaris

    Apple run Apache on MacOS-X

    FreeBSD run Apache on FreeBSD

    NetBSD run Apache on Net/OpenBSD

    OpenBSD runs Apache on Solaris? I'm sure that's because a uni hosts it.

    Microsoft got scared at the last worm outbreak and now hide 2003 behind a Linux webcache farm ;-)

    The one to beat them all.............

    SCO run Apache on Linux

  6. Factual post : most secure server is NOT apache by Anonymous Coward · · Score: 5, Informative

    This valuable informative post got modded down to -1 even though it is nothing but 100% informative, and I rarely ever post it. Therefore I will post it three times in case the apache-fanboy mods it down to -1 again

    1 in 400 SECURE servers is still a classic Mac OS host, even according to Netcraft!

    Because no mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.

    Why?

    Because not one version of Mac OS has ever had a single exploitable hole ever discovered (classic Mac OS, now up to version 9.2.2 on currently sold G4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 7 years, even when paired up with its preferred web server app.

    The Army (www.army.mil) has used Webstar for years on macs for security.

    In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.

    For years, except, for a couple months ago, the army has always used MacOS and has never had a break-in on a Mac. Unlike their other MS defacements.

    http://uptime.netcraft.com/up/graph?site=www.army.mil

    That is why the US Army gave up on MS IIS and got a Mac for a web server. Sometimes it is a honeypot for OSX testing, and the US Army use regular Mac OS on other internal servers.

    I am not talking about FreeBSD-derived MacOS X (which already had more than 50 exploits and potential exploits in the BugTraq database). I am talking about current Mac OS 9.x and earlier, which are highly sophisticated abstract-OS models.

    Why is it hack proof? These reasons:

    1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less".

    2> No Root user. All Mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

    3> Pascal strings. ANSI C strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most of all of its OS. In fact even its ROMs originally used Pascal strings. As you know, Pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "Pascal string" is, it usually has no null byte terminator.

    4> Macs running Webstar have the ability to only run CGI placed in the correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache, as you know, has had many problems in earlier years preventing wayward execution.

    5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A Mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY Mac program has a resource fork file containing launch information. It needs t

  7. Another survey - lots of IIS in .gov by Tim+Colgate · · Score: 3, Informative
    There is another survey at Security Space.

    What's interesting about this one is that results can be viewed by domain. The highest proportion, and highest growth, of IIS seemed to be in the gov domain, where Apache is actually decreasing. IIS usage in education was also pretty high.

    Use of Apache was particularly high in Germany.

  8. webstar. by leuk_he · · Score: 3, Informative

    Sorry, I would call this flamebait. But since it is well argued I will reply...

    1> No command shell.
    Absence of features is not always a good thing. Now you will have to add scripting in the webserver.

    2> No Root user
    Like Windows 95?.. See 1.

    3> pascal strings
    But you can have buffer overflows with Pascal strings if you fail to allocate enough memory for the string.

    4>..only run CGI placed in correct directory location..
    And if you get a script in there you have the same problem. And it is not easy to remotely administer....

    5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing!
    You mean like the Unix "x" attribute that was in the very first Unix? This is a thing that Windows has badly affected. But is this a thing that affects web servers or clients......

    4> Stack return address positioned in safer location than some intel OSes
    There are 3 kinds of people.. those that can count and those who cannot 8-).
    But a better solution would be not to have the stack in memory that can be executed.

    7> There are less macs, though there are huge cash prizes for cracking into a
    The fact that there are huge cash prizes would not be a good advertisement for safety. And generally they are set on well protected servers that are doing nothing.

    8> MacOS source not available traditionally,
    Same argument goes for IIS.

    no mac web server has ever been rooted,defaced,owned,scanned,exploited, etc.
    I am 100% sure that they get scanned all the time, which makes me doubt all the other points. But then you can always blame the user.
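
Added example, not part of either post above: the reply's point 3 (a length-prefixed Pascal string can still overflow when the destination is too small) shown in C, with a checked copy and append beside the unchecked one. The `pstr` type and all function names are hypothetical, chosen for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pascal string: byte 0 is the length (0..255), text follows, no NUL. */
typedef unsigned char pstr;

/* Unchecked copy: trusts src's length byte and ignores the size of dst.
   If src[0] + 1 exceeds dst's real size this writes past the end, the
   same class of bug as strcpy(). Shown for contrast; never called. */
void pstr_copy_unchecked(pstr *dst, const pstr *src)
{
    memcpy(dst, src, (size_t)src[0] + 1);
}

/* Checked copy: dst_cap is the size of dst in bytes, length byte included.
   Returns 0 on success, -1 (dst untouched) if src does not fit. */
int pstr_copy(pstr *dst, size_t dst_cap, const pstr *src)
{
    size_t need = (size_t)src[0] + 1;
    if (dst_cap < need)
        return -1;
    memcpy(dst, src, need);
    return 0;
}

/* Checked append: also rejects results over 255 characters, which would
   wrap the one-byte length field. */
int pstr_append(pstr *dst, size_t dst_cap, const pstr *src)
{
    size_t total = (size_t)dst[0] + src[0];
    if (total > 255 || dst_cap < total + 1)
        return -1;
    memcpy(dst + 1 + dst[0], src + 1, src[0]);
    dst[0] = (pstr)total;
    return 0;
}

int main(void)
{
    /* Constructed sample: 12-character string, 8-byte and 32-byte buffers. */
    const pstr src[] = "\x0c" "hello, world";
    pstr small[8] = {0}, big[32] = {0};
    printf("copy into 8 bytes:  %d\n", pstr_copy(small, sizeof small, src));
    printf("copy into 32 bytes: %d\n", pstr_copy(big, sizeof big, src));
    return 0;
}
```

The length prefix tells the copy routine how much to read; only the capacity check stops it from writing more than the destination holds.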

  9. Re:That's Just Crazy by jc42 · · Score: 4, Informative

    Well, yes; sometimes it feels that way. ;-)

    Actually, of course, it's just normal American corporate management practices that I'm talking about here. I keep getting the feeling that it's not outsourcing to cheaper parts of the world that we should be worried about. If any other part of the world ever invents a rational scheme for organizing companies, they'll wipe out our economy overnight.

    Fortunately, there seems little danger of this threat materializing.

    The funniest case was a few years back, when the project's management decreed the Netscape server as the standard. We tried several times. But the same thing always killed the effort: This server can be configured only through its web interface. Invariably, we would make some config mistake that turned the server into a zombie. At that point, there was no way to correct the problem because we couldn't change the configuration any more. We'd wipe the server's directories, reinstall -- and it would happen again. Sometimes we'd get it running for a few days, but every config change carried with it the possibility that we'd have to wipe the server and start over.

    You'd think that people would understand why you can't trust a web server to handle changing its own config files. But the managers couldn't be convinced that there was a fundamental problem here. And we never found a way to get at those files with a plain editor. They just didn't make sense, and weren't documented anywhere that we could find.

    I've long argued that one of Apache's real strengths is its plain-text config file (with lots of good comments in the text). The commercial guys don't seem to be able to figure out why this is a good idea.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.