cancel
Showing results for 
Search instead for 
Did you mean: 

SiteAdvisor rating Red or Yellow? Check versions of software on server

SiteAdvisor rating Red or Yellow? Check versions of software on server

This document is a work-in-progress and will need continuous updating if it's to remain relevant. If I can't continue with it I hope someone will keep an eye on it and make the necessary changes to keep it up to date.


I've put this document in the SiteAdvisor section because very often a TrustedSource rating is derived from a problem with the server hosting a website. If a server hosts many websites, they are all vulnerable to attack by outsiders if the server security is compromised; and if the server's software has a known vulnerability it can - and will - be attacked, sooner or later. The OS or WebApp should be updated as soon as a new update becomes available. It doesn't take long (perhaps as little as 24 hours) from the notification of a security flaw to malware being modified to take advantage of it. Too many web servers are running software which is months, or even years, out of date.

When an attacker manages to compromise and get access to a website, they won’t stop there. They will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, It is likely they will attempt to compromise every single one of them ...

The most important thing an admin can do is to always keep their servers updated. If all known vulnerabilities are patched, the attackers won’t have much to work with ... (but) kernel-level patches require a restart and most admins don’t like to restart their servers often. Even a patched server that didn’t get restarted is still vulnerable.

So, one of the basic checks when a site owner wants to know why the site's rating has changed to Yellow or Red is a check on the server software. Sucuri will usually flag when the version is not the current one. If a site owner is using WordPress and has access to the dashboard then Sucuri's WordPress plug-in is highly recommended. It will check for "malware, spam, blacklisting and other security issues like .htaccess redirects and hidden eval code."

There are many sites which offer advice on securing web servers. I had to start somewhere, so I started with Sucuri. Their blogs (at blog.sucuri.net) are invaluable sources of information about server vulnerabilities.

Some links to relevant content have been added following the notes on current versions.

Edit : I didn't realise just what I was taking on when I first thought about listing these. There are far more than I anticipated. So, where possible I've provided links to Wikipedia articles (let the obsessive geeks do most of the hard work of keeping the myriad product versions updated) and just concentrated on some of the most-used products.


Web Servers - see

http://en.wikipedia.org/wiki/Comparison_of_web_server_software

http://en.wikipedia.org/wiki/Comparison_of_lightweight_web_servers


Server OS
Current version
Apache2.4.6
CentOS6.4
Debian7.1
Fedora Core19
FreeBSD9.1
LinuxSee https://www.kernel.org/
Microsoft IIS7.5 (Server 2008) / 8.0 (Server 2012)
NetBSD6.1
nginx1.5.3
OpenBSD5.3

http://www.net-security.org/malware_news.php?id=2554

In late April, a new attack on the popular Apache Web server was discovered. Dubbed CDorked, the malware was able to compromise the Web server and redirect visitors of the compromised Web server to other servers that deliver malware using the BlackHole exploit kit. The attack may also have targeted the Lighttpd and Nginx Web server platforms.

CDorked shows many similarities to 2012’s DarkLeech attack on Apache servers, but is significantly stealthier and smarter than DarkLeech was: unlike DarkLeech, CDorked didn’t load additional malicious modules on the infected server; instead it maliciously modified the existing httpd binary.

CDorked was interesting in that it did not write any information to the Web server’s hard drive: everything was kept in memory and was accessed via obfuscated GET requests sent by the attackers to the compromised server. None of those GET requests were logged.


Control Panels     (See http://en.wikipedia.org/wiki/Comparison_of_web_hosting_control_panels)

Some control panels allow shell (console) access to the underlying OS through a Java applet, requiring that the client-side computer use Java Virtual Machine software. Other control panels allow direct access using telnet or secure shell (SSH).


Control Panel
Current Version
cPanel11.38
DirectAdmin1.433
InterWorx4.11.7
H-Sphere3.6.2
Plesk11.5



Content Management Systems    (See http://en.wikipedia.org/wiki/List_of_content_management_systems)

A web content management system is a bundled or stand-alone application to create, manage, store and deploy content on Web pages.

A Web CMS usually allows client control over HTML-based content, files, documents, and web hosting plans based on the system depth and the niche it serves.


CMSCurrent version
Drupal7.23
Joomla3.1.5 (but see HERE)
WordPress3.7

An amazing number of WordPress sites are running on outdated versions of this CMS, leaving them exposed to attacks that exploit known vulnerabilities in the software which the latest versions have patched. See

http://www.wpwhitesecurity.com/wordpress-news/statistics-70-percent-wordpress-installations-vulnerab...

The below statistics are are based on 42,106 WordPress websites found in Alexa’s top 1 million websites.

  • 74 different versions of WordPress were identified.
  • 11 of these versions are invalid. For example version 6.6.6.
  • 18 websites had an invalid non existing versions of WordPress.
  • 769 websites (1.82%) are still running a subversion of WordPress 2.0.
  • Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
  • 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
  • 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.

Top 10 Most Popular Installed WordPress Versions

As explained in the above section, we have identified 74 different versions of WordPress running in Alexa’s top 1 million websites, and 1.82% of these are still running a sub version of WordPress 2.0. We could not list all the versions, so below are the top 10 most popular WordPress versions found in 42,106 WordPress installations:

WordPress versions.PNG

From the table above we can determine that at least 30,823 WordPress websites out of 42,106 are vulnerable to exploitable vulnerabilities. Note that the above is just from the top 10 most popular WordPress versions installed.

This means that 73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools.

Sophos have a slightly-sceptical take on this research, but allow that a figure of about 70% isn't too wide of the mark.

http://nakedsecurity.sophos.com/2013/09/27/how-to-avoid-being-one-of-the-73-of-wordpress-sites-vulne...

If you are running a website that uses WordPress here are 10 suggestions to help you avoid ending up in the 70% (or whatever large number it is) of vulnerable sites.

  • Always run the very latest version of WordPress
  • Always run the very latest versions of your plugins and themes
  • Be conservative in your selection of plugins and themes
  • Delete the admin user and remove unused plugins, themes and users
  • Make sure every user has their own strong password
  • Enable two factor authentication for all your users
  • Force both logins and admin access to use HTTPS
  • Generate complex secret keys for your wp-config.php file
  • Consider hosting with a dedicated WordPress hosting company
  • Put a Web Application Firewall in front of your website

With the introduction of WordPress 3.7 version updates will be delivered automatically unless a site administrator chooses to disable that feature.

According to Graham Cluley about half of all WordPress sites are still running 3.5 or even older versions.

http://grahamcluley.com/2013/10/wordpress-3-7-released-complete-automatic-security-updates

Wordpress versions (paceCluley).PNG

Hacking a server explained - from the Sucuri blogs.

blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-access-symlinks-to-root-part-i.html

blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-access-local-root-exploits-part-ii.html

blog.sucuri.net/2013/07/from-a-site-compromise-to-full-root-access-bad-server-management-part-iii.ht...


Brute-force attacks against WordPress

blog.sucuri.net/2012/03/brute-force-attacks-against-wordpress-sites.html

blog.sucuri.net/2013/07/dissecting-a-wordpress-brute-force-attack.html

http://blog.trendmicro.com/trendlabs-security-intelligence/joomla-and-wordpress-sites-under-constant...


StealRAT : yet another attack against server Content Management Systems

http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-check-if-your-website-is-part-of-t...

http://www.trendmicro.co.uk/media/wp/stealrat-whitepaper-en.pdf

We have continuously monitored its operations and identified about 195,000 domains and IPs that have been compromised. The common denominator among these compromised sites is that they are running vulnerable CMS software such as WordPress, Joomla and Drupal.

Comments
Hayton

You're welcome to add a comment if anything in the lists is showing an outdated version.

Version history
Revision #:
1 of 1
Last update:
‎08-01-2013 07:10 AM
Updated by: