Slashdot Mirror


Breakdowns of Website Defacement by Platform

SkiifGeek writes "Zone-H have recently posted the statistical breakdown of the collected website defacements from the last few years. Surprisingly, in 2007 more Linux servers suffered a successful attack than all versions of Windows, combined. Similarly, more Apache installations were successfully attacked than all IIS versions combined. A day after posting this data, Zone-H have questioned the appropriateness of continuing to operate the archive. Despite the valuable information that can be gleaned from the service, it may soon be lost to the world. The natural successor to the now-defunct Alldas archive of defaced websites, Zone-H's archive maintains records of over 2.6 million defaced sites but may be shut down due to the continuous accusations of impropriety leveled against them any time they disclose and mirror a reported defacement."

18 of 203 comments

  1. Websight?? by Rovastar · · Score: 5, Funny

    Even for slashdot that is terrible........

    1. Re:Websight?? by skimitar · · Score: 5, Funny

      Yes. The day slashdot spells 'website' incorrectly is the day the terrorists have one ^H^H^H won.

    2. Re:Websight?? by Anonymous Coward · · Score: 5, Funny

      Sometimes you surf the web.

      Sometimes the web surfs back.

    3. Re:Websight?? by MrNaz · · Score: 5, Funny

      I think it was an oversite on their part.

      --
      I hate printers.
  2. Hopefully not missing something... by gigne · · Score: 5, Funny

    Websight? I hope that is in TFA, which due to tradition I did not read.

    --
    Signature v3.0, now with 42% less memory usage.
  3. "Surprisingly"? by Quietus · · Score: 5, Interesting

    Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange. After all, most websites are vandalised through oversights in custom scripting etc., rather than security holes in Apache.

    1. Re:"Surprisingly"? by Rovastar · · Score: 5, Insightful

      It is difficult to get accurate stats on this. Most will be stealing passwords, XSS, SQL injections, etc. So it does seem unfair and/or pointless to list via web server software or OS platform when that has little to do with the software you actually run it on. Dodgy admins and slack devs are to blame, not the technologies. For reference there have been no exploits at all in IIS 6.0, which comes with Windows 2003, whereas there have been a few with Apache.

    2. Re:"Surprisingly"? by call-me-kenneth · · Score: 5, Informative

      Two factors. One, there are dozens and dozens of utterly lame hosting control panels, content management systems, messageboards and suchlike written in PHP. Secondly, IIS is far, far more secure than it was back in the bad old days. (And I speak as a fervent Apache supporter.)

    3. Re:"Surprisingly"? by ozmanjusri · · Score: 4, Insightful

      So now, in this case it **is** true that there are more successful attacks on Apache just because it is the more popular server. Well, come on people...

      It still makes sense because the bulk of successful attacks on webservers result from attack methods that are not platform specific (Attack against the administrator/user (password stealing/sniffing), Shares misconfiguration, File Inclusion, SQL Injection etc).

      The bulk of successful attacks against Windows, at least until very recently, have resulted from OS flaws.

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:"Surprisingly"? by multisync · · Score: 4, Funny

      I know. It's almost like there is more than one person posting on the bbs.

      --
      I don't care why you're posting AC
    5. Re:"Surprisingly"? by jsiren · · Score: 4, Insightful

      Harrumph.

      A platform that is reasonably popular or otherwise interesting, and insecure by design, will be attacked. A more secure platform, which is also reasonably popular or otherwise interesting, will get attacked less.

      Now, looking at the attack method table, it's obvious that in a case of defacement, the underlying web server platform is largely irrelevant. Web sites these days are complex arrays of application logic and databases. Rarely does a large web site consist of a web server dealing out static files. This change enables more dynamic content and easier content administration than before; then again, it adds several places where things can go wrong. What the Zone-H statistic really tells is that in a complex setup where there are components that can be compromised, the front end web server is usually running Apache. This tells nothing about its security, since it's usually not the front end web server software that is compromised.

      Now, if the site included common web applications and application platforms in its reporting, the statistics would have much more value.

      --
      Usage: km/h for speed (kilometers per hour); kph for very slow impulses (kilopond hours).
  4. FYI The article does by sleeponthemic · · Score: 5, Funny

    Actually mention proportions. Clever little summary, it was as if one million slashdot readers suddenly cried out in indignation... "I have to read the article? Nooo"

    --
    I record my sleeptalking
  5. Weighted for market share? by JshWright · · Score: 5, Insightful

    Perhaps I missed it in TFA, but I saw no weighting for market share...

    To pick an arbitrary statistic, in June 2007 Google reported Apache with a 66% market share and IIS with a 23% share (source). Given that the TFA lists "Attack against the administrator/user" as the most common attack method by a wide margin, and it seems to me that both Apache and IIS would be equally vulnerable to dumb administrators, wouldn't it make sense that the server with the larger market share would see more attacks?

    1. Re:Weighted for market share? by hey! · · Score: 4, Funny

      Personally, I was alarmed by the rapid spike in website defacements on Windows 2003 during the period, which started at 72 thousand in 2005 and soared to 114 thousand in 2007. I'm sticking with Windows 2000, which started at 101 thousand in 2005 and dropped to under 24 thousand in 2007.

      If this trend continues, there will be negative fourteen thousand defacements of Windows 2000 this year -- that is to say fourteen thousand anti-defacements. Fourteen thousand webmasters hosting on Windows 2000 will find their sites say what they meant to say, despite their having actually said the wrong thing.

      It's like having an operating system that, instead of asking "where do you want to go today?" simply tells you where you ought to go.... Oh, wait.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  6. Demographic breakdown by G3ckoG33k · · Score: 4, Insightful

    I wouldn't be surprised if most Linux servers were defaced because of poor configurations, by home users. How many have the needed skill to do it well and really secure it? How many home users wish to pay for IIS? Probably not many.

    I guess IIS users on average are better at maintaining a server, as they probably are employed to do so.

    It would be interesting to see a "demographic" breakdown on defaced servers, how many corporate Linux servers have been defaced. I believe the numbers will be different.

  7. !Apache, but PHP by Penguinisto · · Score: 5, Insightful

    Seriously... by this point, Apache can't do much more to stop someone from taking advantage of crap script and the underlying (and very likely unpatched) PHP running it.

    When the cure (more often than not these days) involves not having to disturb Apache at all (save for possibly changing something in httpd.conf), but instead fixing/dumping the bad script that let the baddies in, or patching PHP to plug the hole in it, then odds are good that it ain't Apache's fault, no?

    To be fair, it would also be like blaming IIS for crap XML or ASP script, and MSFT would certainly waste no time in saying so.

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  8. Numbers! by TerranFury · · Score: 4, Insightful

    The article says that there were 1,485,280 Apache defacements and 815,119 IIS defacements. This implies a total of 2,300,399 samples, of which 64.6% were Linux. For comparison, other posters here have cited a Google survey reporting that 60% of webservers run Apache. That would seem to imply that, if you pick an IIS server at random or an Apache server at random, each is about as likely to be successfully attacked as the other.

    Conclusion: IIS is just as good as Apache (contrary to popular Slashdot opinion). Of course, there's a flip side: Apache is just as good as IIS -- and it's free.

    [Take all this modulo the fact that 370% of statistics are, if not made up on the spot, at least full of so much noise as to be meaningless. (Sometimes the Law of Large Numbers really does require large numbers!)]

  9. Interesting by magamiako1 · · Score: 5, Insightful

    You know it comes across as interesting that whenever statistics come out that show that "Windows had more worms and viruses this year than Linux or MacOSX!" people use that as fuel to the fire to continually denounce Windows as a bad platform, Microsoft is the devil, Microsoft is evil, and any other number of ways of putting down Windows to make themselves feel better.

    Then a statistic comes out that shows Linux/Apache at the top of a security vulnerability list, and it's immediately "Oh it's the users! They don't know how to implement the platform properly! It's the scripting language they used! These numbers are meaningless without marketshare values!"

    What we have as facts when it comes to security vulnerabilities:

    1. When more people use it, there is a tendency to have more security vulnerabilities since more eyes are scrutinizing what is or isn't possible with that platform.

    2. No matter which platform, it is only as secure as the person's implementation. If they don't know how to configure the system properly, it doesn't matter in the end.

    So why all the hate against Microsoft for their products if these same problems affect all platforms?