Netcraft posts May 2001 Web survey

Data frenzy

  • alert
  • submit to reddit

Top three mobile application threats

The Netcraft Web Server Survey is a survey of Web Server software usage on Internet connected computers. We collect and collate as many hostnames providing an http service as we can find, and systematically poll each one with an HTTP request for the server name. In the May 2001 survey we received responses from 29,031,745 sites.

Top Developers

Developer April 2001 Percent May 2001 Percent Change
Apache 17932251 62.55 18069603 62.24 -0.31
Microsoft 5918319 20.64 5958734 20.52 -0.12
iPlanet 1798490 6.27 1813244 6.25 -0.02

Top Servers

Server April 2001 Percent May 2001 Percent Change
Apache 17932251 62.55 18069603 62.24 -0.31
Microsoft-IIS 5916724 20.64 5957240 20.52 -0.12
Netscape-Enterprise 1762872 6.15 1778958 6.13 -0.02
Zeus 779209 2.72 798745 2.75 0.03
Rapidsite 402829 1.41 407488 1.40 -0.01
AOLserver 272815 0.95 377264 1.30 0.35
thttpd 369930 1.29 370282 1.28 -0.01
tigershark 200620 0.70 215321 0.74 0.04
WebSitePro 119586 0.42 118762 0.41 -0.01
ConcentricHost-Ashurbanipal 106443 0.37 109879 0.38 0.01

Active Sites

Developer April 2001 Percent May 2001 Percent Change
Apache 7015250 61.67 7230089 61.53 -0.14
Microsoft 2961984 26.04 3062949 26.07 0.03
iPlanet 294594 2.59 324722 2.76 0.17

Nb. iPlanet is the sum of sites running iPlanet-Enterprise, Netscape-Enterprise, Netscape-FastTrack, Netscape-Commerce, Netscape-Communications, Netsite-Commerce and Netsite-Communications. Microsoft is the sum of sites running Microsoft-Internet-Information-Server, Microsoft-IIS, Microsoft-IIS-W, Microsoft-PWS-95, Microsoft-PWS.

Around the Web

Web Server Security
Web Server Security has been at the forefront of the news throughout the last month, with the archive site attrition.org announcing that it had received a list of around 9000 Microsoft-IIS sites that had been successfully been taken control of by attackers. Subsequently Attrition stated that it would stop archiving mirrors of such sites as it was unable to keep pace with the number of successful attacks. Recently it has been receiving over 100 reports of successful attacks in a single day, more than for the entire years of 1995 & 1996.

CERT is also reporting on the sadmind/Microsoft-IIS vulnerability which is being actively exploited despite patches being available from Microsoft since October last year.

Separately, the main apache.org site and sourceforge.net, which hosts a large number of free software projects, were both compromised via a sniffing attack. Projects are currently undertaking code reviews to determine whether any covert channels have been placed in the source code.

The Microsoft-IIS and apache.org attacks raise the possibility of very large numbers of machines falling under the control of a single person, or group of people acting in concert, as Microsoft and Apache between them account for the great majority of Internet web sites. Indeed, there is a chance that this may have already happened.

Netcraft believes that it is more likely that the number of compromised Microsoft-IIS sites is in the order of hundreds of thousands rather than the 9000 figure widely reported in secondary coverage of attrition.org. In our own network security testing business, around a third of the 41 Microsoft-IIS servers we have tested for the first time since the attrition.org posting have been vulnerable, while four had already been exploited, and taken control of by an attacker without the knowledge of the site owner. Around half of the internet's e-commerce sites run on Microsoft-IIS, and there is the potential for a great deal of economic damage.

Traditionally the mainstream media portrays this scenario as having been created by the software developer, who should have been more careful when coding, but this seems to be pointing the finger in completely the wrong direction when a well documented patch has been available for six months, or in the case of the Apache, a crack code review team is assembled within hours of finding the intrusion.

Currently many e-commerce site owners operate without any regular security testing, and it is shocking to see third-party privacy and encryption assurance seals giving the Internet community confidence that it is safe to shop on servers which have not been patched or upgraded in a year, are patently vulnerable and possibly already under the control of a criminal third-party.

Netcraft itself will do two things to help this situation. Firstly, we will introduce an optional assurance seal for our customers such that people can show that their site is being tested on a regular basis, and the date of the last clean test. Secondly, we will introduce a tariff for a single host or ip address, such as commonly found at dedicated server companies, so that our own cost barrier to regular, frequent detailed testing is much lower. Details will appear on our site over the next two weeks, and in the interim we encourage people to mail us to request information.

Server Blades vs Cobalt

RLX Technologies launched its ServerBlade this month, which perhaps presents the most significant change in hosting technology since the introduction of the 1U server. Over the last two years Cobalt has come to lead America's dedicated server industry, and make significant inroads into several European markets. It is conceivable that the Server Blade may change this. However there are reasons other than size why people like to run Cobalt, including the user interface and ease of administration. One anticipates that dedicated server companies will be strongly attracted to Server Blades, because of the power and space advantages, and because it is has been very hard to make a profit from providing Cobalt hosting, which, modulo network performance and availability, is a market close to perfect competition.

However, the impact of server blades is by no means certain. The dedicated server companies' customers may be less easy to persuade, as they do not see the power or space issues, just the Cobalt GUI, and if customers ask for Cobalt, then that is what the dedicated server companies will have to buy.

Microsoft will have a key roll to play in determining RLX's success, as server blades stand a good chance of being deployed when a customer asks for a Windows server, and Microsoft made an announcement of its own plans for server appliances to coincide with the RLX Launch. If Microsoft can successfully compete with Cobalt at a software level, then RLX will have the opportunity to compete at the hardware level.

Ironically, RLX's own site, hosted at leading dedicated server company rackspace.com runs Linux and Apache. ®

Top three mobile application threats

More from The Register

next story
Sorry London, Europe's top tech city is Munich
New 'Atlas of ICT Activity' finds innovation isn't happening at Silicon Roundabout
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story


Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.