|Your Daily Source for Apache News and Information|
|Breaking News||Preferences||Contribute||Triggers||Link Us||Search||About|
The Netcraft Web Server Survey is a survey of Web Server software usage on Internet connected computers. We collect and collate as many hostnames providing an http service as we can find, and systematically poll each one with an HTTP request for the server name.
Microsoft is the sum of sites running Microsoft-Internet-Information-Server, Microsoft-IIS, Microsoft-IIS-W, Microsoft-PWS-95, & Microsoft-PWS.
Platform groupings are here.
Around the Net
Web Server Security
Web Server Security has been at the forefront of the news throughout the last month, with the archive site attrition.org announcing that it had received a list of around 9000 Microsoft-IIS sites that had been successfully been taken control of by attackers. Subsequently Attrition stated that it would stop archiving mirrors of such sites as it was unable to keep pace with the number of successful attacks. Recently it has been receiving over 100 reports of successful attacks in a single day, more than for the entire years of 1995 & 1996.
CERT is also reporting on the sadmind/Microsoft-IIS vulnerability which is being actively exploited despite patches being available from Microsoft since October last year.
Separately, the main www.apache.org site and www.sourceforge.net which hosts a large number of free software projects were both compromised via a sniffing attack. Projects are currently undertaking code reviews to determine whether any covert channels have been placed in the source code.
The Microsoft-IIS and apache.org attacks raise the possibility of very large numbers of machines falling under the control of a single person, or group of people acting in concert, as Microsoft and Apache between them account for the great majority of Internet web sites. Indeed, there is a chance that this may have already happened.
Netcraft believes that it is more likely that the number of compromised Microsoft-IIS sites is in the order of hundreds of thousands rather than the 9000 figure widely reported in secondary coverage of attrition.org. In our own network security testing business, around a third of the 41 Microsoft-IIS servers we have tested for the first time since the attrition.org posting have been vulnerable, while 4 had already been exploited, and taken control of by an attacker without the knowledge of the site owner. Around half of the internet's ecommerce sites run on Microsoft-IIS, and there is the potential for a great deal of economic damage.
Traditionally the mainstream media portrays this scenario as having been created by the software developer, who should have been more careful when coding, but this seems to be pointing the finger in completely the wrong direction when a well documented patch has been available for six months, or in the case of the Apache, a crack code review team is assembled within hours of finding the intrusion.
Currently many ecommerce site owners operate without any regular security testing, and it is shocking to see third party privacy and encryption assurance seals giving the internet community confidence that it is safe to shop on servers which have not been patched or upgraded in a year, are patently vulnerable and possibly already under the control of a criminal third party.
Netcraft itself will do two things to help this situation. Firstly, we will introduce an optional assurance seal for our customers such that people can show that their site is being tested on a regular basis, and the date of the last clean test. Secondly, we will introduce a tariff for a single host or ip address, such as commonly found at dedicated server companies, so that our own cost barrier to regular, frequent detailed testing is much lower. Details will appear on our site over the next two weeks, and in the interim we encourage people to to request information.
Server Blades v Cobalt
No talkbacks posted.
|About Triggers||Media Kit||Security||Triggers||Login|
All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.4, Apache 1.3, and PHP 4