SiteAdvisor rating Red or Yellow? Check versions of software on server

Version 13


    This document is a work-in-progress and will need continuous updating if it's to remain relevant. If I can't continue with it I hope someone will keep an eye on it and make the necessary changes to keep it up to date.


    I've put this document in the SiteAdvisor section because very often a TrustedSource rating is derived from a problem with the server hosting a website. If a server hosts many websites, they are all vulnerable to attack by outsiders if the server security is compromised; and if the server's software has a known vulnerability it can - and will - be attacked, sooner or later. The OS or WebApp should be updated as soon as a new update becomes available. It doesn't take long (perhaps as little as 24 hours) from the notification of a security flaw to malware being modified to take advantage of it. Too many web servers are running software which is months, or even years, out of date.


    When an attacker manages to compromise and get access to a website, they won’t stop there. They will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, it is likely they will attempt to compromise every single one of them ...


    The most important thing an admin can do is to always keep their servers updated. If all known vulnerabilities are patched, the attackers won’t have much to work with ... (but) kernel-level patches require a restart and most admins don’t like to restart their servers often. Even a patched server that didn’t get restarted is still vulnerable.


    So, one of the basic checks when a site owner wants to know why the site's rating has changed to Yellow or Red is a check on the server software. Sucuri will usually flag when the version is not the current one. If a site owner is using WordPress and has access to the dashboard then Sucuri's WordPress plug-in is highly recommended. It will check for "malware, spam, blacklisting and other security issues like .htaccess redirects and hidden eval code."


    There are many sites which offer advice on securing web servers. I had to start somewhere, so I started with Sucuri. Their blogs (at blog.sucuri.net) are invaluable sources of information about server vulnerabilities.


    Some links to relevant content have been added following the notes on current versions.


    Edit: I didn't realise just what I was taking on when I first thought about listing these. There are far more than I anticipated. So, where possible I've provided links to Wikipedia articles (let the obsessive geeks do most of the hard work of keeping the myriad product versions updated) and just concentrated on some of the most-used products.



    Web Servers - see

    http://en.wikipedia.org/wiki/Comparison_of_web_server_software

    http://en.wikipedia.org/wiki/Comparison_of_lightweight_web_servers



    Server OS / web server    Current version
    Apache                    2.4.6
    CentOS                    6.4
    Debian                    7.1
    Fedora Core               19
    FreeBSD                   9.1
    Linux                     see https://www.kernel.org/
    Microsoft IIS             7.5 (Server 2008) / 8.0 (Server 2012)
    NetBSD                    6.1
    nginx                     1.5.3
    OpenBSD                   5.3


    http://www.net-security.org/malware_news.php?id=2554

    In late April, a new attack on the popular Apache Web server was discovered. Dubbed CDorked, the malware was able to compromise the Web server and redirect visitors of the compromised Web server to other servers that deliver malware using the BlackHole exploit kit. The attack may also have targeted the Lighttpd and Nginx Web server platforms.


    CDorked shows many similarities to 2012’s DarkLeech attack on Apache servers, but is significantly stealthier and smarter than DarkLeech was: unlike DarkLeech, CDorked didn’t load additional malicious modules on the infected server; instead it maliciously modified the existing httpd binary.


    CDorked was interesting in that it did not write any information to the Web server’s hard drive: everything was kept in memory and was accessed via obfuscated GET requests sent by the attackers to the compromised server. None of those GET requests were logged.



    Control Panels (See http://en.wikipedia.org/wiki/Comparison_of_web_hosting_control_panels)

    Some control panels allow shell (console) access to the underlying OS through a Java applet, requiring that the client-side computer use Java Virtual Machine software. Other control panels allow direct access using telnet or secure shell (SSH).



    Control Panel    Current version
    cPanel           11.38
    DirectAdmin      1.433
    InterWorx        4.11.7
    H-Sphere         3.6.2
    Plesk            11.5



    Content Management Systems (See http://en.wikipedia.org/wiki/List_of_content_management_systems)


    A web content management system is a bundled or stand-alone application to create, manage, store and deploy content on Web pages.


    A Web CMS usually allows client control over HTML-based content, files, documents, and web hosting plans based on the system depth and the niche it serves.



    CMS          Current version
    Drupal       7.23
    Joomla       3.1.5 (but see HERE)
    WordPress    3.7
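As an added example (not part of the original document), here is a small Python check of the kind the notes above describe: it reads the Server header and the WordPress generator tag from a site's own HTTP response and compares what it finds against the "current version" figures in the tables above. The HTTP response is constructed for illustration, the version numbers are the ones this page lists, and Drupal and Joomla are left out because their generator tags do not expose a full version number.

```python
import re

# "Current version" figures copied from the tables on this page at the time of
# writing; they need updating whenever the tables are.
CURRENT_VERSIONS = {
    "apache": "2.4.6",
    "nginx": "1.5.3",
    "wordpress": "3.7",
}

# Constructed sample of a site's own response (headers plus the HTML head);
# not captured from any real host.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Type: text/html; charset=UTF-8

<html><head>
<meta name="generator" content="WordPress 3.5.1" />
</head><body>...</body></html>
"""


def parse_version(text):
    """Turn '2.2.15' into (2, 2, 15) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def detect_software(response):
    """Return {product: version} for whatever the response reveals.

    An empty result is normal: a server configured to hide its version
    (e.g. Apache's ServerTokens Prod) simply cannot be checked this way.
    """
    found = {}
    server = re.search(r"^Server:\s*(Apache|nginx)/([\d.]+)", response, re.M | re.I)
    if server:
        found[server.group(1).lower()] = server.group(2)
    generator = re.search(r'<meta name="generator" content="WordPress\s+([\d.]+)', response, re.I)
    if generator:
        found["wordpress"] = generator.group(1)
    return found


def outdated(found, current=CURRENT_VERSIONS):
    """List (product, version seen, current version) for anything behind the tables."""
    return [(product, seen, current[product]) for product, seen in found.items()
            if product in current and parse_version(seen) < parse_version(current[product])]
```

A distribution-packaged Apache such as CentOS's 2.2.x receives backported security fixes, so an older number here is a prompt to check the package's changelog rather than proof of a vulnerable build.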


    An amazing number of WordPress sites are running on outdated versions of this CMS, leaving them exposed to attacks that exploit known vulnerabilities in the software which the latest versions have patched. See

    http://www.wpwhitesecurity.com/wordpress-news/statistics-70-percent-wordpress-installations-vulnerable


    The below statistics are based on 42,106 WordPress websites found in Alexa’s top 1 million websites.

    • 74 different versions of WordPress were identified.
    • 11 of these versions are invalid, for example version 6.6.6.
    • 18 websites had an invalid, non-existent version of WordPress.
    • 769 websites (1.82%) are still running a subversion of WordPress 2.0.
    • Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
    • 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
    • 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.

    Top 10 Most Popular Installed WordPress Versions

    As explained in the above section, we have identified 74 different versions of WordPress running in Alexa’s top 1 million websites, and 1.82% of these are still running a sub version of WordPress 2.0. We could not list all the versions, so below are the top 10 most popular WordPress versions found in 42,106 WordPress installations:


    [Image: WordPress versions.PNG, the table of the top 10 installed WordPress versions]


    From the table above we can determine that at least 30,823 WordPress websites out of 42,106 are vulnerable to exploitable vulnerabilities. Note that the above is just from the top 10 most popular WordPress versions installed.


    This means that 73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools.


    Sophos have a slightly sceptical take on this research, but allow that a figure of about 70% isn't too wide of the mark.


    http://nakedsecurity.sophos.com/2013/09/27/how-to-avoid-being-one-of-the-73-of-wordpress-sites-vulnerable-to-attack

    If you are running a website that uses WordPress here are 10 suggestions to help you avoid ending up in the 70% (or whatever large number it is) of vulnerable sites.

    • Always run the very latest version of WordPress
    • Always run the very latest versions of your plugins and themes
    • Be conservative in your selection of plugins and themes
    • Delete the admin user and remove unused plugins, themes and users
    • Make sure every user has their own strong password
    • Enable two factor authentication for all your users
    • Force both logins and admin access to use HTTPS
    • Generate complex secret keys for your wp-config.php file
    • Consider hosting with a dedicated WordPress hosting company
    • Put a Web Application Firewall in front of your website


    With the introduction of WordPress 3.7 version updates will be delivered automatically unless a site administrator chooses to disable that feature.


    According to Graham Cluley about half of all WordPress sites are still running 3.5 or even older versions.

    http://grahamcluley.com/2013/10/wordpress-3-7-released-complete-automatic-security-updates


    [Image: Wordpress versions (paceCluley).PNG, chart of WordPress versions in use]


    Hacking a server explained - from the Sucuri blogs.

    blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-access-symlinks-to-root-part-i.html

    blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-access-local-root-exploits-part-ii.html

    blog.sucuri.net/2013/07/from-a-site-compromise-to-full-root-access-bad-server-management-part-iii.html



    Brute-force attacks against WordPress

    blog.sucuri.net/2012/03/brute-force-attacks-against-wordpress-sites.html

    blog.sucuri.net/2013/07/dissecting-a-wordpress-brute-force-attack.html

    http://blog.trendmicro.com/trendlabs-security-intelligence/joomla-and-wordpress-sites-under-constant-attack-from-botnets/



    StealRAT: yet another attack against server Content Management Systems

    http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-check-if-your-website-is-part-of-the-stealrat-botnet/

    http://www.trendmicro.co.uk/media/wp/stealrat-whitepaper-en.pdf


    We have continuously monitored its operations and identified about 195,000 domains and IPs that have been compromised. The common denominator among these compromised sites is that they are running vulnerable CMS software such as WordPress, Joomla and Drupal.