Netcraft Web Survey: August 2001

Stats'n'facts from around the Web


Top Developers

| Developer | July 2001 | % | August 2001 | % | Change |
|---|---|---|---|---|---|
| Apache | 18382308 | 58.73 | 17874757 | 58.08 | -0.65 |
| Microsoft | 8099757 | 25.88 | 8146372 | 26.47 | 0.59 |
| iPlanet | 1345566 | 4.30 | 1321544 | 4.29 | -0.01 |
| Zeus | 793587 | 2.54 | 811406 | 2.64 | 0.10 |

Active Sites

| Developer | July 2001 | % | August 2001 | % | Change |
|---|---|---|---|---|---|
| Apache | 7314577 | 60.53 | 7156849 | 60.33 | -0.20 |
| Microsoft | 3372341 | 27.91 | 3356363 | 28.29 | 0.38 |
| iPlanet | 282517 | 2.34 | 275619 | 2.32 | -0.02 |
| Zeus | 184895 | 1.53 | 181098 | 1.53 | 0 |

Around the Net

Absolute number of sites found falls
The total number of sites in the survey actually fell this month, as a result of failures and business model changes at several mass hosting companies. Microsoft continues its recent gains, with a further half a per cent rise, due in part to the remainder of a large domain hosting system at Network Solutions completing a migration to Windows 2000, and in part because it has far less exposure to the mass hosting companies than Apache. Our data was collected at the start of the month, and we will have a clearer picture of whether Code Red has caused any significant movement away from Microsoft-IIS in September.

Code Red: the catalyst for internet security

The combination of the Code Red worm and the first cumulative patch for Microsoft-IIS has significantly improved the security of Microsoft-IIS systems on the Internet. The figures shown below are for the vulnerability of Microsoft-IIS sites tested for the first time by our security services over the last year. This is typically in the range of a few hundred systems in each month.

Percentage of Microsoft-IIS SSL Sites Vulnerable

| Vulnerability | May 01 | Jun 01 | Jul 01 | Aug 01 |
|---|---|---|---|---|
| Administration pages accessible | 23.08% | 35.71% | 11.76% | 10.26% |
| Cross-site scripting | 73.08% | 57.14% | 36.47% | 19.23% |
| URL decode bugs | 34.62% | 42.86% | 32.94% | 16.67% |
| Sample pages and scripts | 15.38% | 28.57% | 14.12% | 16.67% |
| Server paths revealed | 36.54% | 50.00% | 22.94% | 6.41% |
| Viewing script source code | 25.00% | 21.43% | 11.18% | 3.85% |
| WebDAV configuration | 30.77% | 50.00% | 47.65% | 43.59% |
| IIS .printer overflow | 23.08% | 21.43% | 10.00% | 2.56% |
| Code Red Vulnerable | 0.00% | 14.29% | 34.71% | 2.00% |
| root.exe installed | 5.77% | 7.14% | 10.00% | 12.82% |

The table demonstrates in part the deep-set complacency regarding security amongst e-commerce sites, and in part the difficulties in maintaining a reasonable level of security without the benefit of regular external testing. The high visibility of Code Red induced many e-commerce sites running Microsoft-IIS to patch their systems for the first time, and the availability of a cumulative patch has eliminated a lot of earlier vulnerabilities from many sites.

Note that the patch does not necessarily remove the root.exe facility installed by both sadmind/IIS and Code Red II. root.exe allows anyone on the internet to have commands executed on the machine with Web server privileges, and can typically be used to set up logging of credit card information and other sensitive data on SSL servers. This has created a new class of e-commerce site which has been correctly patched for known server vulnerabilities, but has a live backdoor facility enabling attackers to remain in control of the machine. Currently around 12 per cent of SSL sites running Microsoft-IIS tested for the first time are in this state.
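
A patched server can check its own request logs for the "patched but backdoored" state described above. The following is an added example, not Netcraft's tooling: it reads an IIS W3C extended log and reports every root.exe URI stem requested, separating stems the server resolved from stems that were only probed. The log lines, client addresses and directory names are constructed sample data, and treating any status other than 404 as "file present" is an assumption of this sketch.

```python
from collections import defaultdict

BACKDOOR_NAME = "root.exe"

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-14 09:12:01 192.0.2.10 GET /default.htm 200
2001-08-14 09:12:07 198.51.100.23 GET /scripts/root.exe 200
2001-08-14 09:12:09 198.51.100.23 GET /MSADC/Root.exe 404
2001-08-14 09:13:40 203.0.113.5 GET /scripts/root.exe 200
2001-08-14 09:14:02 192.0.2.10 GET /images/logo.gif 304
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def backdoor_findings(text):
    """Map each root.exe URI stem to (verdict, sorted client IPs)."""
    hits = defaultdict(lambda: {"present": False, "clients": set()})
    for req in parse_w3c(text):
        stem = req.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if stem.rsplit("/", 1)[-1] != BACKDOOR_NAME:
            continue
        entry = hits[stem]
        entry["clients"].add(req.get("c-ip", "?"))
        # Assumption: any status other than 404 means IIS resolved the file,
        # so the backdoor is still on disk even if the server is patched.
        if req.get("sc-status") != "404":
            entry["present"] = True
    return {stem: ("PRESENT" if e["present"] else "probed-only", sorted(e["clients"]))
            for stem, e in hits.items()}

if __name__ == "__main__":
    for stem, (verdict, clients) in backdoor_findings(SAMPLE_LOG).items():
        print(f"{stem}: {verdict}, requested by {', '.join(clients)}")
```

A "PRESENT" verdict means the file should be removed and the host treated as compromised, since the cumulative patch alone leaves it in place.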

Self-interest dictates we mention that Netcraft's business includes automated penetration testing, site audits, and site monitoring.

Itanium systems available shortly, and likely to extend the momentum of Intel Architecture in e-commerce

Recently Microsoft announced that Windows Advanced Server is available for the Itanium, and will start shipping within the next month. Broadly similar announcements have been made by Red Hat, Covalent and Zeus. One of the key early adopter markets for the Itanium will be SSL sites, as the Itanium has on-chip crypto instructions that provide a disproportionate improvement in the performance of SSL transactions.

One anticipates that all the Intel-based system vendors will quickly target this market as one of the most compelling ways of selling the initially highly priced Itanium systems. Hewlett Packard's whitepaper extolling the SSL performance of HP-UX and the Zeus Web server is likely to be the start of a feeding frenzy of Intel-based vendors hungry for upgrade revenue from their own userbase, and conversions of Solaris-based e-commerce sites.

Ashok Kumar of Piper Jaffray argues that "Sun will be a big loser [with]... a significant loss of share within two to three years to Itanium supporters such as HP, IBM and Compaq".

Broadly speaking, unless Sun produces something exceptional, the advent of the Itanium is likely to amplify the trends of the last two years, with Solaris slowly but steadily losing share to Intel Architecture systems running both Linux and Microsoft operating systems. The real skill is in picking the winners amongst the different Intel aligned hardware and software vendors.


Brian McWilliams of Newsbytes reports finding that WebTV runs Solaris 8 on several servers. Conversely Link Exchange, which ran FreeBSD for a long time after their acquisition by Microsoft, now runs Windows 2000. ®

Netcraft does commercial internet research projects. These include custom cuts on the Web Server Survey data, hosting industry analysis, corporate use of internet technology and bespoke projects. All of the data is gathered through network exploration, not teleresearch.

Netcraft also provides a weekly network security test of customer networks. The service is described at http://www.netcraft.com/security/scheduled.html

Also, we perform audits of e-commerce sites which involve code reviews of the web applications. Details at http://www.netcraft.com/security/ecommerce.html
