Zone-H web defacement data shows platforms don't matter

Web defacement archive Zone-H.org has produced a comprehensive three-year report on Web Server defacements for 2005 to 2007.  What makes the Zone-H archive unique is that the data is gathered from the hackers/defacers themselves and every defaced website is confirmed and mirrored on Zone-H permanently.

Contrary to popular perception, Linux/Apache websites get broken into far more often than Windows/IIS websites.  Given the fact that Windows/IIS and Linux/Apache market share is comparable in recent years, the comparison is a valid one.  The following is a chart I compiled from the Zone-H three-year report.

As it turns out, this has little to do with the fact that Microsoft IIS 6.0 has far fewer vulnerabilities than Apache 2.0.  When we look deeper at the "Attack Method" data in the Zone-H report, it turns out that the OS and Web Server platform you run has little to do with how secure you are.  What does seem to make all the difference in the world is how well you administrate the website and how carefully you write your web applications.

Looking at the trend over the last three years, it would seem that website administrators may have finally wised up to "File Inclusion" attacks.  In 2005 and 2006, "File Inclusion" was the most likely way for a website to get defaced, but it declined to third place in 2007.  The overall trend seems to be positive, as website defacement peaked in 2006 and started to drop in 2007.  The bad news is that password stealing or sniffing spiked upwards in 2006 and 2007 and became the most likely attack vector.

Talkback

21 comments
  • No surprise

    Just like Windows OS is the biggest target on the desktop, Apache is the bigger target in the web serving world.
    croberts
  • Certainly guts a lot of the rivalries

    For all the Linux vs Windows, Open Source vs. Microsoft screamers, this should kill most of their screaming points.

    Ultimately it comes down to the competency of the implementer, and not necessarily what tools they choose to use.
    ejhonda
    • Some people will always scream

      Some people will always scream. They need something to scream about.

      But you are right that it is the admin and programmer at the end of the day that determines security.
      georgeou
      • I'll give you one fr0thy - be here any minute

        ...
        ItsTheBottomLine
        • HAHAHAHA

          Love it!
          top100developers
    • There's bound to be a spike

      when people come over from the Windows camp. I didn't know much about security when I started with Linux in the late nineties.

      As the article says, a lot of the insecurities are from poor coding practices, and only experience amongst a knowledgeable crowd can ever help with that.
      fr0thy@...
  • I've got some problems finding data that supports this remark

    "Given the fact that Windows/IIS and Linux/Apache market share is comparable in recent years, the comparison is a valid one."

    Where did you find the data to support this?
    tombalablomba
    • Netcraft

      Last time I checked:

      Apache is around 60%
      IIS is around 35%

      Apache dominates the personal web space (price!) and IIS does much better in corporate web site arenas.

      Security of both comes down to the monkey who operates the box.
      toadlife
      • Clarification

        When I say "IIS does much better in corporate web site arenas" I don't mean they have a higher market share, I mean their share is closer to Apache's.

        They might actually have a slightly higher share with business sites though.
        toadlife
      • Programmer capability...

        Many corporates use IIS as their webserver because it integrates into the corporate data infrastructure, departmental servers and so forth. Any such organisation will have programmers experienced in .NET, VB and other MS technologies so using IIS is the logical choice. It also means that their programmers should be more proficient than some of the Apache user base many of whom will be hobbyists or amateurs.

        In addition, it would not surprise me if many of the Apache hacks were through PHP with "register_globals" enabled or SQL injection attacks since PHP makes it easy to be prone to both these.
        bportlock
        • I learned how to code php...

          ...by being involved with a community site, OFPEC. The entire site was written from scratch by people who at the time didn't think much about security. As a result, the site suffered quite a few defacements. I taught myself PHP, and my first big project was going through every line of code and fixing it to work with register_globals off.

          What fun that was! ;)
          toadlife
          • The curse of "register_globals"...

            ... is easily avoided. Our business refuses to alter the base configuration to accommodate any software that needs register_globals turned on. It has cost us but on shared servers it simply is not worth the risk.

            I've also found a significant number of PHP "programmers" never seem to think about escaping their data before insertion into the database.

            Ironically enough, the website with the stats is thinking of closing itself down and the voting on the closure may have been hijacked!! :-)

            More here http://www.theregister.co.uk/2008/03/17/zone_h_vote/
            bportlock
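
The register_globals problem discussed in the comments above, shown as an added example (not code from the article or from any commenter). `register_globals` was removed in PHP 5.4, so `extract()` stands in for it here; the request array, `lookup_is_admin()`, `legacy_page()` and `fixed_page()` are hypothetical names constructed for illustration.

```php
<?php
// Constructed request: what PHP would place in $_GET for
// /admin.php?user=guest&is_admin=1 (sample input, not from the page).
$request = ['user' => 'guest', 'is_admin' => '1'];

// Hypothetical privilege lookup shared by both versions.
function lookup_is_admin(string $user): bool
{
    return $user === 'root';
}

// Legacy style: with register_globals on, every request key became a
// variable. extract() reproduces that behaviour inside this function.
function legacy_page(array $request): bool
{
    extract($request);          // creates $user and $is_admin from the request
    if (lookup_is_admin($user)) {
        $is_admin = true;       // set only on success, never initialised
    }
    return !empty($is_admin);   // a request-supplied value survives to here
}

// Code that works with register_globals off: read only the named keys,
// validate them, and initialise every security-relevant variable.
function fixed_page(array $request): bool
{
    $user = isset($request['user']) && is_string($request['user'])
        ? $request['user']
        : '';
    $is_admin = false;          // explicit default, not request-controlled
    if (lookup_is_admin($user)) {
        $is_admin = true;
    }
    return $is_admin;
}

// Same constructed request through both versions, then a legitimate admin.
var_dump(legacy_page($request));
var_dump(fixed_page($request));
var_dump(fixed_page(['user' => 'root']));
```

The difference between the two functions is the uninitialised `$is_admin`: any variable that is only assigned on the success path has to be given a default before the check, which is what going through "every line of code" for register_globals amounts to.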
    • Netcraft data

      Netcraft data has it. If you're talking about public and ACTIVE web sites, then Linux might have like a 12% advantage in market share. If you include parked websites, then IIS is about the same or slightly higher.

      But remember that Godaddy had 38,500 parked Windows sites hacked due to a misconfiguration by Godaddy.com and that got counted in the Zone-H report (http://blogs.zdnet.com/Ou/?p=239). Therefore, you must compare the market share of all publicly available websites, both active and parked. So the number of available targets on the web is around the same or higher for IIS over Apache and that is what's important.
      georgeou
  • As with the other article

    I always scoff at the screamers. Most people tend to stfu when they actually see facts. Until they see facts, they just continue to blurt out whatever their co-haters spew.

    The numbers really do reflect the respective surface areas.
    Been_Done_Before
    • I think Windows has slightly more when you include parked sites

      I think Windows has slightly more when you include parked sites. But parked site defacement was included in the Zone-H report. You also have to remember that in 2006, 38,500 parked Windows sites got hacked in a single incident because GoDaddy didn't patch a misconfiguration problem they were warned about for a year. http://blogs.zdnet.com/Ou/?p=239.

      So the market shares are equivalent since we are counting parked sites.
      georgeou
      • I wonder what the numbers would be if...

        we knew how many sites each host actually hosted.

        By this I mean one Windows server hosts 200 websites. That server is breached and 50 of those sites are "hacked", do they count the 50 sites, all 200 sites or 1 server?
        Been_Done_Before
  • Very interesting...

    I would have thought that Windows IIS would have been higher, but that is interesting. As usual nicely done George.
    ItsTheBottomLine
  • "Administrate"?

    Ouch. That one hurts me still. Yes, I know that a language that doesn't grow and change with time ceases to be useful, but I can't quite make the transition from the verb "administer" to the increasingly popular but still grammatically incorrect "adminsitrate."

    http://englishplus.com/grammar/00000172.htm

    It's a good article otherwise, George. I always enjoy reading your entries.
    Lizzie_B
    • It would help if _I_ could type...

      "adminsitrate"? Sheesh...

      Hangs head in shame...
      Lizzie_B
    • Yes, "administrate" sucks, but:

      Checking out the Wiktionary entry for "administer", http://en.wiktionary.org/wiki/administer, one finds four entries, zero of which actually fit the usage in the article. In this case, "administrate" means both overseeing and actual hands-on work.

      "Administrate" really sucks, but is the best choice for the job. The ZDNet(?) spell-check likes it, though.
      Master Dave