Breakdowns of Website Defacement by Platform
SkiifGeek writes "Zone-H have recently posted the statistical breakdown of the collected website defacements from the last few years. Surprisingly, in 2007 more Linux servers suffered a successful attack than all versions of Windows, combined. Similarly, more Apache installations were successfully attacked than all IIS versions combined. A day after posting this data, Zone-H have questioned the appropriateness of continuing to operate the archive. Despite the valuable information that can be gleaned from the service, it may soon be lost to the world. The natural successor to the now-defunct Alldas archive of defaced websites, Zone-H's archive maintains records of over 2.6 million defaced sites but may be shut down due to the continuous accusations of impropriety leveled against them any time they disclose and mirror a reported defacement."
Even for slashdot that is terrible........
Websight? I hope that is in TFA, which due to tradition I did not read.
Signature v3.0, now with 42% less memory usage.
Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange. After all, most websites are vandalised through oversights in custom scripting etc., rather than security holes in Apache.
Actually mention proportions. Clever little summary, it was as if one million slashdot readers suddenly cried out in indignation... "I have to read the article? Nooo"
I record my sleeptalking
This is exactly why I don't install any 3rd party PHP scripts (only custom made) and run lighttpd/nginx (besides being faster than Apache with php-fcgi).
Perhaps I missed it in TFA, but I saw no weighting for market share...
To pick an arbitrary statistic, in June 2007 Google reported Apache with a 66% market share and IIS with a 23% share (source). Given that the TFA lists "Attack against the administrator/user" as the most common attack method by a wide margin, and it seems to me that both Apache and IIS would be equally vulnerable to dumb administrators, wouldn't it make sense that the server with the larger market share would see more attacks?
I wouldn't be surprised if most Linux servers were defaced because of poor configurations, by home users. How many have the needed skill to do it well and really secure? How many home users wish to pay for IIS? Probably not many.
I guess IIS users on average are better at maintaining a server, as they probably are employed to do so.
It would be interesting to see a "demographic" breakdown on defaced servers, how many corporate Linux servers have been defaced. I believe the numbers will be different.
When the cure (more often than not these days) involves not having to disturb Apache at all (save for possibly changing something in httpd.conf), but instead fixing/dumping the bad script that let the baddies in, or patching PHP to plug the hole in it, then odds are good that it ain't Apache's fault, no?
To be fair, it would also be like blaming IIS for crap XML or ASP script, and MSFT would certainly waste no time in saying so.
Quo usque tandem abutere, Nimbus, patientia nostra?
Does Apache still have a larger market share? The pure numbers are meaningless without market share info. That said, even market share info is meaningless, as it's always going to be easier to hack a full website (especially those with user content, like forums) rather than a parking website (which I've heard account for a lot of IIS websites) or a single page hosting some stupid Flash/Silverlight stuff.
IranAir Flight 655 never forget!
"98% of all statistics are made up"
Are due to the 'programmer'/'sysadmin' not knowing wtf they are doing. SQL injection, Methods other than get/post, exposed admin pages, etc. This stuff, in my experience, is rarely a problem with the OS or web server itself, so these statistics are somewhat pointless.
Of course Apache and linux have more attacks than windows.
There are far more Honda Civics successfully stolen in the USA than BMW Isettas or Smart TwoFours. This is because there are well over 5000 Civics on the road for every BMW Isetta or Smart TwoFour on the road.
By the summary's mention and what it is alluding to, BeOS servers are the most secure because NONE of them have been compromised on the internet.
Do not look at laser with remaining good eye.
Was anybody else really confused for a second when they read the headline "Linux X Windows"? What does this article have to do with X-Windows? Then I realized they meant "versus".
A cat can't teach a dog to bark.
...issue is more serious than it really needs to be?
Using regular backup methods and unauthorized access alarms (access alarms that are either verified or not as a matter of access notification loops).
So when a site gets hacked there is timely notification and backup usage.
In other words, should access happen but not get verification within a set amount of time, the site reverts back to its state before the unverified access.
perhaps we can write this in PHP or python?
So, Apache, with a larger market share (66%, ?) has been the server serving the application which was hacked/defaced. That is news how? For example when facebook was broken into and the private images downloaded and put up on torrents, Apache was probably serving the files but not the vulnerable point!
Let's look at it this way: if there is such a wave of defacements, how come whitehouse.gov, which runs Linux/FreeBSD and Apache, isn't getting defaced? Because someone serious took the time to configure the damn server properly. How hard is that? google->hardening apache. Then use common sense when handling input in your applications/scripts.
facebook@netcraft Apache/1.3.37.fb1
".fb1"? how customised do you suppose fb1 is? If it were defaced, would it be apache's fault, a 0day exploit perhaps, or due to the configuration (or "fb1" whatever that means, if anything)?
This report draws poor conclusions and blames the OS and the server for badly written PHP apps. Badly written PHP apps have been the bane of the LAMP community and now this is how they make Linux look bad. This is just another FUD attack.
This is my sig. There are many like it but this one is mine.
Kill the messenger!
What?
Heck, I do all that too, AND not only that, I create the content on the site I also keep it off-line (through local host, don't want to open up those vulnerable external connections) and am the only visitor in order to ensure that the user base is completely trustworthy.
The necessity to change, every three hours, the three 127-character passwords with the mandatory 'No more than two letters/numbers/symbols together' rule does make memorization a tad challenging.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Probably can be written in PHP or python. But the way I see it, the scripts themselves are the vulnerabilities in most websites. So if they can hack a site using script vulnerabilities, what's to stop them from hacking this script as well?
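The verify-or-revert idea proposed above, as an added Python example that is not from the thread: it runs as a separate process outside the web stack (so a hole in the site's own scripts does not reach it), hashes the document root against a baseline, raises an alarm on any change, and restores from a trusted backup if nobody acknowledges the change within a window. The paths, the window length and the acknowledge() call are assumptions; the site content is constructed.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify changes between two manifests; every list empty means no change."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(k for k in common if baseline[k] != current[k])}


class DefacementGuard:
    """Integrity monitor: alarm on any change under docroot, then roll back from the
    trusted backup unless an operator acknowledges the change within `window` seconds.
    `clock` is injectable so the scenario below can advance time deterministically."""

    def __init__(self, docroot: Path, backup: Path, window: float, clock=time.monotonic):
        self.docroot, self.backup, self.window, self.clock = docroot, backup, window, clock
        self.baseline = hash_tree(docroot)
        self.first_seen = None      # clock value when the current unverified change appeared
        self.acknowledged = False   # operator verified the pending change
        self.events = []            # audit trail of (kind, changes)

    def acknowledge(self):
        """Operator confirms the pending change is legitimate (assumed out-of-band call)."""
        self.acknowledged = True

    def revert(self):
        """Restore docroot from the trusted backup and re-baseline on it."""
        shutil.rmtree(self.docroot)
        shutil.copytree(self.backup, self.docroot)
        self.baseline = hash_tree(self.docroot)

    def check(self) -> str:
        """One monitoring pass; returns 'clean', 'pending', 'accepted' or 'reverted'."""
        changes = diff_manifests(self.baseline, hash_tree(self.docroot))
        if not any(changes.values()):
            self.first_seen, self.acknowledged = None, False
            return "clean"
        if self.acknowledged:                      # verified: the change becomes the baseline
            self.baseline = hash_tree(self.docroot)
            self.first_seen, self.acknowledged = None, False
            self.events.append(("accepted", changes))
            return "accepted"
        if self.first_seen is None:                # first sighting: raise the alarm, start the clock
            self.first_seen = self.clock()
            self.events.append(("alarm", changes))
            return "pending"
        if self.clock() - self.first_seen >= self.window:   # unverified for too long: roll back
            self.revert()
            self.first_seen = None
            self.events.append(("reverted", changes))
            return "reverted"
        return "pending"


def run_scenario() -> dict:
    """Constructed site in a temp dir: unverified defacement rolled back, acknowledged edit kept."""
    fake_time = [0.0]
    with tempfile.TemporaryDirectory() as tmp:
        docroot, backup = Path(tmp, "htdocs"), Path(tmp, "backup")
        docroot.mkdir()
        (docroot / "index.html").write_text("<h1>Welcome</h1>")
        (docroot / "about.html").write_text("<p>About us</p>")
        shutil.copytree(docroot, backup)            # trusted backup of the known-good site
        guard = DefacementGuard(docroot, backup, window=600, clock=lambda: fake_time[0])
        r = {"initial": guard.check()}
        (docroot / "index.html").write_text("<h1>defaced (constructed)</h1>")
        r["defaced_first_pass"] = guard.check()     # alarm; nobody acknowledges
        fake_time[0] += 600                         # verification window elapses
        r["defaced_after_window"] = guard.check()
        r["index_restored"] = (docroot / "index.html").read_text() == "<h1>Welcome</h1>"
        (docroot / "about.html").write_text("<p>About us, updated</p>")
        r["edit_first_pass"] = guard.check()        # alarm again
        guard.acknowledge()                         # operator verifies within the window
        r["edit_acknowledged"] = guard.check()
        r["final"] = guard.check()
        r["event_kinds"] = [kind for kind, _ in guard.events]
    return r
```

The guard only detects changes to files it can hash; a compromise that alters the web server process or a database-backed page needs a separate check.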
Taking the posted ratio of 66% Apache (assuming all Linux, which I know is not true) to 23% IIS that means that:
There are 2.869 times as many Apache installations as IIS. Windows is reported with 139,503 defacements. Linux is reported with 306,076 defacements.
If we scale the Windows defacements by the ratio of Apache/IIS we get:
Windows scaled: 400,313 (rounded up) defacements
Linux (raw): 306,076 defacements
Draw your own conclusions. (Realizing that this is flawed and meaningless.)
The article says that there were 1,485,280 Apache defacements and 815,119 IIS defacements. This implies a total of 2,300,399 samples, of which 64.6% were Linux. For comparison, other posters here have cited a Google survey reporting that 60% of webservers run Apache. That would seem to imply that, if you pick an IIS server at random or an Apache server at random, each is about as likely to be successfully attacked as the other.
Conclusion: IIS is just as good as Apache (contrary to popular Slashdot opinion). Of course, there's a flip side: Apache is just as good as IIS -- and it's free.
[Take all this modulo the fact that 370% of statistics are, if not made up on the spot, at least full of so much noise as to be meaningless. (Sometimes the Law of Large Numbers really does require large numbers!]
You know it comes across as interesting that whenever statistics come out that show that "Windows had more worms and viruses this year than Linux or MacOSX!" people use that as fuel to the fire to continually denounce Windows as a bad platform, Microsoft is the devil, Microsoft is evil, and any other number of ways of putting down Windows to make themselves feel better.
Then a statistic that comes out that shows Linux/Apache at the top of a security vulnerability list, and it's immediately "Oh it's the users! They don't know how to implement the platform properly! It's the scripting language they used! These numbers are meaningless without marketshare values!"
What we have as facts when it comes to security vulnerabilities:
1. When more people use it, there is a tendency to have more security vulnerabilities since more eyes are scrutinizing what is or isn't possible with that platform.
2. No matter which platform, it is only as secure as the person's implementation. If they don't know how to configure the system properly, it doesn't matter in the end.
So why all the hate against Microsoft for their products if these same problems affect all platforms?
What the fuck are you talking about?
Linux - 306,076
All Windows combined - 139,503
Did you accidentally smash your head in with a frying pan while you were adding things together?
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
I have to kind of sit back and laugh, since the defense to Apache/Linux comes in the form of "bad scripting" or other holes created by poor admin skills.
And I totally agree.
Then why do we always sit here and blast Windows and Microsoft, when in fact good admins keep their boxes running with optimal uptime, performance, etc.? I will agree with the 95/98/ME era, but coming into XP and 2003 Server, I think that it comes down to the skill of the admin to eke out the performance of the Windows boxes rather than to expect it like most people here do. It seems quite hypocritical to me, but hey.. I'll probably be modded down for coming to a logical argument that might cast Microsoft in a positive light. I'm not a zealot, but I've seen both sides of the coin and I know that Windows boxes can be stable and bulletproof, if you have a good admin. And those admins get blue screens -- when hardware fails. I don't know what happens in Linux, but last I checked it doesn't deal with a bad RAM chip any better than Windows does.
Just food for thought.
The price is always right if someone else is paying.
Well, when you allow larger flexibility of doing things, you open doors.
PHP allows you to do ANYthing, including remote includes and relative and absolute includes (../whatever.php or /etc/passwd), while ASP is a pain in the back with these things (include($variable) in ASP??).
What I am trying to say is that I am 90 percent sure most of the defacements came from badly written code, such as index.php?news=page.php, and the include($_GET[page]) kind of ignorant coding. Did I do that unthinkingly? OH yes. Everyone does, but then you learn.
Same with linux. Many people I know have servers with ssh and FTP enabled with super safe passes:
My favourite :
Company name: Heartless Buthcers LTD
Login: Heartless
pass: Butchers
Also, I can write a script in 5 minutes that logs into remote systems and does this and that with scripting, but I am in trouble doing anything on a remote access login to a GUI, which is hardly scriptable (OK, maybe that is my lack of knowledge of Wintel systems).
Just my 2 cents: with flexibility you open doors, and I think that is where it all boils down in this case.
Last I checked, IIS was at about 35% and Apache at 50%.
--> http://news.netcraft.com/archives/2008/02/06/february_2008_web_server_survey.html
Of course, these are just statistics...
-mverwijs
M$-Webservers are far more "Likely to be Defaced than L/FOSS websites"; So, SkiifGeek is M$Geek.
... tells all!
If M$ webservers made up 54% of the market, then L/FOSS and M$-Win webservers would be proportionally equal in "Likelihood to be Defaced". However, it is far more likely that L/FOSS (Apache/Google...) webservers are about +60% of total webservers. This would indicate (I think) that M$-websites are about 60% (I suspect, two times more) "Likely to be Defaced than L/FOSS." IOW: Use M$-webservers at your own financial risk.
Numbers are just numbers, but proportions, algorithms, math
Why trust M$-stats in the USA when you can't even trust voting/election numbers.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
small penis syndrome
There is one key piece of valuable information missing from these stats: Attack type against OS/Web Server. So what if 300 some attacks were via cracked passwords. Were they all on Linux? where they all on Windows?
It's like saying that 99% of people are murderers, but failing to explain that you only included a 2 year old and everyone else was on death row in your statistic.
I kind of feel that it was irresponsible to publish these statistics without publishing more information.
(I'll gladly retract that comment if someone can produce the desired information of course)
You're batting a thousand!
It is not surprising that a majority of defacements are on Linux servers, considering the majority of web servers are Linux based. However, defacement is not usually a result of the underlying OS but a result of poor web programming practices and using insecure web services (FTP). So who is to blame here? All those noob web programmers that don't follow basic programming practices to prevent SQL injection, improper file permissions, path checks or just plainly horrific access logic. FTP is also to blame; most dumbass IT managers don't know the security hazard FTP is and insist on using it.
For once that's on topic. I started to rant like everybody else on how this was skewed by not taking into account the market share of Apache vs. IIS, but that's not the real story here.
Take a look at the "Webserver defaced" table. It's badly formatted in a couple of respects. Here's a copy of the interesting data with defacement numbers sorted by server platform:
nginx 729
IIS (total) 447
Apache 319
Rapidsite 244
SonataServer 178
nginx doesn't run on Windows; I'd expect most sites deploying it would be on Linux or BSD. Rapidsite runs on a customized Apache, and again while I haven't found a definitive statement here I'd expect virtual hosting using Apache is going to be Linux or BSD as well. I'd welcome corrections here if I'm wrong about that.
Combine this with the Netcraft data and the initial conclusion I would reach is that Linux+Apache is still the most secure platform. The only reason the Linux numbers are so inflated is that they include some really crappy web servers with significant vulnerabilities running something other than stock Apache.
I wish I had the raw data so I could ask some more interesting questions, like how things change if you take the stupid user/admin data out. I don't care that it's possible to set a platform up wrong and get simple vulnerabilities; I only care about how vulnerable a good installation is.
Windows costs money. So in general, you can be pretty sure that a business is behind a Windows server, which means vested interest in keeping it alive, which means at least some level of investment in a somewhat competent administrator to manage them. Linux is free, so every server set up by some random kid, hobbyist, or idiot is not going to drop a grand on Server 2008. They're going to install what they find for free that has easy documentation on setup.
Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
On a side note, why do some people use commas to delimit sets of 10^3 and others use decimal points? And moreover, which one is more correct, localization issues notwithstanding?
A number of people posting in this discussion have pointed out that Apache is used in technically different ways from IIS. A site with lots of complex middle components, PHP, etc. is more likely to use Apache for technical reasons. That shows that there can be a sort of apples to oranges comparison in looking at total statistics. Similarly, what about the possibility that sites who know that they are more likely to be a target for defacement will choose a web server or platform accordingly. Could it be that more sensitive sites tend to pick Apache more often because of real or perceived security advantages and then proceed to get defaced anyway because of poor systems administration, weak passwords, etc.
Yes, but your approach assumes that people are actually trying to make things secure. The problem is that they aren't.
And frankly, I can't really blame them. When you are just getting started, or when you are under time pressure (often, one of these applies), you are happy enough once you get it set up so that the happy flow works. Then you move on to other stuff.
And let's face it: security is difficult. There are many factors you don't control, and you must guard against all possible attack vectors while still keeping the system usable. Before you can do a good job at that, there is a _lot_ you need to know. I can imagine that if you are a budding coder, or a sysadmin with no real experience in programming, you'll be hard pressed to even understand a large part of the security literature. Yet I bet it's those people who set up the most websites.
Please correct me if I got my facts wrong.
Like many things there's an element of truth to the assumption that Windows has more users worthy of blame than most OSes other than possibly OSX.
Except we're discussing servers here, and rather than 'users' it is presumably 'admins' being counted.
Netcraft.com's February 2008 report http://news.netcraft.com/archives/2008/02/06/february_2008_web_server_survey.html says that Apache has 48.84% & IIS has 36.05%. This causes some issues for your argument...
They count things like weak passwords as a "hack".
This definitely has no relation to platform.
No sig today...
Ignorant cunt.
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
2. kernel-patch-badram Kernel patch allowing to use partly-bad RAM modules
This package contains a patch to the Linux kernel, which allows to tell the kernel which parts of a RAM module are bad. This allows you to use old RAM modules, when for example just 1 bit in your 256MB module makes it otherwise unusable.
Packages memtest86 and memtest86+ allow to test the RAM for such problems, and are able to tell you what parameters to give to a badram-enabled kernel.
I guess you haven't checked very recently, or very thoroughly -- which is it?
In Soviet Russia, the web surfs you!
Yes, I am a smart ass; it's better than the alternative.
Why are you even bothering to argue this? The data doesn't tell us anything about Linux vs. Windows security. Just look at the top 5 methods by which the defacement happened:
1. Attack against the administrator/user (password stealing/sniffing): 141.660
2. Shares misconfiguration: 67.437
3. File Inclusion: 61.011
4. SQL Injection: 35.407
5. Access credentials through Man In the Middle attack: 28.046
(Those are the 2007 numbers)
That's a total of 333,561 intrusions, and not one of those is due to inherent insecurity in anything. They are all configuration problems or bugs in the web apps themselves. And that's about 70% of the intrusions. Plus, many of the other attack vectors were of the same class. Only 13,405 were "web server intrusions", which is about 3%. If you take "RPC Server Intrusion" and "Other server intrusion" together as platform bugs (and I'm guessing most aren't), then you still only end up with another 3%.
Therefore, all this story tells us is that the software industry has to do a lot of work to protect users from themselves. It doesn't tell us that Apache or IIS or Windows or Linux is more secure than something else. It tells us users suck at security and programmers suck at making security simple.
I work for a hosting company where we run three different web servers which a customer will use depending on their need (one on Windows, two on Linux). All the defacements I have seen our customers suffer from have been because the script, shopping cart, forum etc. they have downloaded off the web and dropped onto their site is old and has known vulnerabilities, and they are not willing to upgrade to a newer version to fix the problems, or you get some users who love uploading files as world-writable.
:P
To sum up, I would guess that 99% of defacement attacks are due to ill-educated or lazy users.
You totally missed the point.
I'm saying that Windows machines have the ability now, to be reasonably secure enough for 99.9% of attackers to be kept out -- IF the Admins are good enough to keep them that way.
The same is true of Linux.
Additionally, if you found that Linux had the market share of Windows, I'd be hard pressed to see it make the strides over time (from 98 to XP for example) that Microsoft has.
I have friends who are hardcore Linux admins. I have friends who work for Microsoft. I'd say they are both extremely smart, and I'd venture to guess that Microsoft doesn't tend to hire stupid programmers too often. So why is it that people assume Microsoft is stupid -- I mean, their employees are extremely smart, and there are often limits put on what they can, and can't accomplish due to the nature of supporting their business.
That's just my thought. Your immediate defense of Linux and semi-Microsoft bash tells me you're not a lot different than the folks I was mentioning that do exactly that.
... It doesn't tell us that Apache or IIS or Windows or Linux is more secure than something else. It tells us users suck at security and programmers suck at making security simple.
True, perhaps. But what it also tells me is that regardless of OS, the software's documentation sucks, especially on security issues. While it may be true that there are lots of idiot users who'll never learn, I think most of us here have also found ourselves frustrated by the sorry state of the documentation on our favorite system. I know, as a longtime unix/linux user, I agree fully with the ongoing criticism of the sketchy nature of much of the documentation. Much of what I know, I learned by experimenting, or by asking others who have learned by experimenting. Sometimes, I've also dug into the source code, which is more possible on linux systems than on others, but that's difficult and time consuming, and also doesn't usually lead to full understanding.
As long as software producers insist on keeping their users ignorant of how to use the software correctly, you can't fully blame the users for their ignorance.
Security is especially a problem. I learned the hard way that, if you ask security questions, you tend to rapidly get a "hacker" reputation. So it's common to not pry too deeply into security, but to rather sit at the side and try to learn by osmosis. This is not especially effective. But in most organizations, it's safer for your professional reputation if you don't become known as the one who's constantly prying into security issues.
I'd say that a great deal of users' ignorance of security issues is due to a combination of the general refusal to fully document security issues, and the punishment brought down on users who try too openly to learn about security.
That, and the idiocy of a large fraction of the users, of course.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
On a side note, why do some people use commas to delimit sets of 10^3 and others use decimal points? And moreover, which one is more correct, localization issues notwithstanding?
;-)
If the author is in North America, the comma is correct. If the author is in Europe, the period is (mostly) correct.
And, of course, if you're the reader, you usually can't know where the author was, so you have no clue.
Ain't standards wonderful? The phrase "divided by a common language" comes to mind.
(And if you do figure out a reliable solution to this puzzle, your next task is to find a reliable way to decode dates and convert them to the ISO standard date format. Start with "What date is 2/4/6?" If you solve that one, you can advance to the next puzzle: figuring out the time zone of the writer.)
You totally missed the point.
Correction: I dismissed the point, which I could not have done had I missed it! And, as you acknowledged with "semi-" in your description of my comment as a "bash," I did not dismiss it out of hand, but I specifically dismissed what I see as a false implication that tends to follow from your comment, without discounting in any way the true parts of your statement. So, I'll try to make that clearer, and see whether you then agree that I dismissed your point, fairly: I can agree -- with qualifications that the default configuration is still atrocious, and completely inappropriate to the home market, which is a major and important component of Microsoft's business, which in fact they need in order to retain their "Enterprise" customers -- that more recent Windows systems are not as insecure as their predecessors that you cited, but I will not agree with any statement that suggests that, generally, Windows is [now, and still less for any previous time] "secure" because ...
I'm saying that Windows machines have the ability now, to be reasonably secure enough for 99.9% of attackers to be kept out -- IF the Admins are good enough to keep them that way.
The same is true of Linux.
OK, sure, but the important distinction you're ignoring is that Joe Sixpack isn't, and doesn't have, an Admin. He only has on his Dell "out of the box" the OS and third party anti-virus trialware, a package which is advertised as suitable for him to play video games, visit only the websites he chooses to visit, send data only to the parties he wishes, and generally to pursue his happiness by extending his practical ability to exercise his rights to speak and associate as he chooses with only those whom he chooses. In short, Windows is presented as a commodity or appliance, and fails to deliver on claims that are not made by Linux at all, generally. Using Windows as-is "out of the box" in fact demonstrably diminishes his practical ability to associate freely according to his wishes, which is my greatest complaint about Microsoft. An unsecured web server vs. an unsecured home user's Internet/multimedia + maybe word processing/financial planning appliance is not a legitimate comparison, and that in a nutshell is the whole point, and the kernel of my refutation of your claim that I "missed" your point. I didn't miss it, I disagree with it. If you really enjoy sarcasm for its own sake, or if you really want to advocate for Microsoft, you might want to keep reading. I feel it's only fair to warn you that although I thought your tone was pretty moderate and I wanted to discuss civilly, your content, especially the idea that Microsoft is criticized unfairly on Slashdot, was like Kryptonite to my Supermanners. But, I had too much fun writing it to delete it all and just say "but Linux doesn't target Joe Sixpack, then paint a target on him." /warning
Additionally, if you found that Linux had the market share of Windows, I'd be hard pressed to see it make the strides over time (from 98 to XP for example) that Microsoft has.
Why? Would more users, more contributing programmers or more revenue be the problem, or something else even funnier? What "point" are you going to say I have "totally missed" now? ;-)
I have friends who are hardcore Linux admins.
I used to, but their bellies are flabby now. They're more like beer belly Linux admins these days.
I have friends who work for Microsoft. I'd say they are both extremely smart, and I'd venture to guess that Microsoft doesn't tend to hire stupid programmers too often. So why is it that people assume Microsoft is stupid
I don't know. You'd have to ask somebody who has said that. I talk about the operating system and the marketing, not the people. Well, except recently for Steve Ballmer, but I have the impression you're fair enough, or recognize the need to publicly
Canadians enjoy a particularly severe strain of dating schizophrenia. I have discovered a good solution to the 2/4/6 problem. Avoid doing transactions on any day less than the current month and during any month less than the current year.
Of course, in 2012 I'll have to compress my yearly shopping between December 12 and December 31. Hopefully nobody else figures this out, so the stores won't be too crowded.
I always write year/month/day and use 4 numbers for the year. This gives 2006/02/04 or 2006/04/02 depending. I first learned D/M/Y, then switched to M/D/Y. They are ambiguous and don't sort easily. Using YYYY/MM/DD is unambiguous; I've never seen or heard of anybody using Y/D/M.