Most Reliable Hosting Company Sites in February 2016

Rank Performance Graph OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 GoDaddy.com Inc Linux 0:00:00 0.000 0.266 0.005 0.015 0.016
2 Netcetera Linux 0:00:00 0.004 0.077 0.087 0.178 0.178
3 Lightcrest unknown 0:00:00 0.009 0.301 0.006 0.022 0.026
4 XILO Communications Ltd. Linux 0:00:00 0.009 0.235 0.075 0.143 0.143
5 Bigstep Linux 0:00:00 0.013 0.151 0.062 0.124 0.124
6 Qube Managed Services Linux 0:00:00 0.018 0.152 0.060 0.128 0.128
7 Hostname.cl Linux 0:00:00 0.018 0.485 0.203 0.422 0.422
8 Datapipe Linux 0:00:00 0.022 0.156 0.013 0.026 0.032
9 LeaseWeb Linux 0:00:00 0.022 0.368 0.026 0.054 0.054
10 Anexia Linux 0:00:00 0.022 0.194 0.086 0.177 0.177

See full table

GoDaddy had the most reliable hosting company site in February, responding to every Netcraft request. This is the ninth consecutive month that GoDaddy has featured in the top 10, and the fourth time it has reached first place in the past 12 months.

Netcetera took second place in February with just one failed request. Based in the Isle of Man, Netcetera is celebrating its 20th birthday in 2016 with a series of special promotions. Over 11 years of monitoring by Netcraft, Netcetera has maintained a 99.96% uptime record.

Third place goes to Lightcrest, appearing in the top 10 for the third time in four months. Although both Lightcrest and XILO had two failed requests each, Lightcrest had a faster average connection time. Lightcrest's customers can use its Kahu Compute Fabric platform for Lightcrest-hosted deployments and those hosted remotely.

Linux remains the dominant choice of operating system among the most reliable hosting sites. This is the eighth consecutive month without any sites powered by Windows appearing in the top 10.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

February 2016 Web Server Survey

In the February 2016 survey we received responses from 933,892,520 sites and 5,796,210 web-facing computers.

Microsoft has edged closer towards Apache, with an increase of 16.1 million sites bringing its total up by 6.14% to 279 million. Apache's relatively modest growth of 0.66% has put Microsoft within 3 percentage points of Apache's leading market share of 32.8%.

In terms of web-facing computers, Apache maintains a much clearer lead with a 47.8% share of the market. Microsoft also takes second place by this metric, albeit with a share that is more than 20 percentage points behind Apache. However, both Apache and Microsoft suffered small losses in market share as nginx continues to exhibit strong growth: This month, nginx gained 21,100 computers, increasing its market share by 0.26 points to 13.96%.

nginx 1.9.11 mainline was released on 9th February. This version introduced support for dynamic modules, enabling selective loading of both third-party and some native modules at runtime. In previous versions, nginx modules had to be statically linked into an nginx binary built from source, causing the module to be loaded every time even if it was not going to be used.

The latest version of Microsoft Internet Information Services, IIS 10.0, is still very rare in the wild, as its primary deployment platform (Windows Server 2016) has yet to be released. Fewer than 5,000 websites are currently using IIS 10.0, and these are being served either from technical preview versions of Windows Server 2016, or from Windows 10 machines.

The latest technical preview version of Windows Server 2016 also supports a headless deployment option known as Nano Server. This is a stripped-down version of Windows Server, without a graphical interface and a few other features that are not essential for modern web applications. As a result, it typically requires fewer updates to be installed – and consequently, fewer reboots, too.

Despite losing a small amount of market share, Apache also showed a reasonable growth of 15,600 computers. Similar to last month, a significant proportion of this growth was due to the appearance of more Western Digital My Cloud consumer storage devices.

The total number of My Cloud devices in the survey now stands at 583,400, which is 68,400 more than last month; however, the number of devices that are exposed directly to the internet grew by only 11,100.

Western Digital is using Amazon AWS to host the servers that proxy requests to My Cloud devices in Relay mode. Most of these relay servers have been configured to serve a few thousand devices each, and so the 331,000 devices that are currently using Relay mode contribute fewer than 200 computers towards Apache's total.

Interestingly, while most web-facing My Cloud devices are hosted in the US, more than half of the *.wd2go.com hostnames used by the relay servers are hosted in Amazon's EU regions.

Total number of websites

Web server market share

DeveloperJanuary 2016PercentFebruary 2016PercentChange
Apache304,271,06133.56%306,292,55732.80%-0.76
Microsoft262,471,88628.95%278,593,04129.83%0.88
nginx141,443,63015.60%137,459,39114.72%-0.88
Google20,799,0872.29%20,640,0582.21%-0.08
Continue reading

eBay scripting flaws being actively exploited by fraudsters

Fraudsters are actively exploiting scripting flaws in eBay's auction platform to carry out a spate of highly convincing scams. The latest attacks steal money and credentials, and are still taking place today, despite a recent partial fix that attempted to stop these flaws being exploited.

Victims stand to lose thousands of pounds in these attacks.

Victims stand to lose thousands of pounds in these clever phishing attacks, which are launched directly from eBay's own website.

eBay had originally declined to fix the vulnerability at all, resulting in widespread criticism from security experts, which perhaps influenced its subsequent decision to implement a partial fix. eBay later said that it took the issue very seriously, and that it did not find any fraudulent activity stemming from this incident.

However, this week, Netcraft has seen several fraudulent eBay listings that actively exploit these flaws. Not only does this demonstrate that the underlying issue has not been adequately fixed, but it shows that it is also being exploited by fraudsters.

Despite the partial fix, fraudsters are still able to include malicious JavaScript in eBay listing descriptions, and these scripts are being used to great effect. Merely viewing a fraudster's auction will cause a user to be automatically diverted away from the genuine eBay website and onto a phishing site.

These latest incidents rank amongst the most impressive phishing attacks, as they are so incredibly convincing. They are launched from the genuine eBay website, which will have already gained the victim's trust, and no untoward user interaction is required. Because the phishing site looks so similar to the genuine eBay website, it is likely that most victims would never realise they have ended up on a fraudulent website, especially as they did not click on any links pointing to external sites.

This week's attacks appeared to be posted from compromised eBay accounts, some of which had been created several years ago. This makes it difficult for victims to identify the listings as fraudulent, as they are ostensibly posted by users who have been members for several years and have 100% positive feedback.

A real attack in detail

Motor vehicles are a magnet for fraudulent activity on eBay due to the high values of such items. Fraudsters will often copy the contents of a previous, legitimate listing and use it to create their own listing at a temptingly low price.

Three months ago, the following motorhome was sold on eBay for £19,295. This was a genuine listing for a genuine vehicle, so some details have been redacted to protect the innocent:

A legitimate eBay auction that ended three months ago. The details of this motorhome auction were reused in one of this week's fraudulent listings.

A legitimate eBay auction that ended three months ago. The details of this motorhome auction were reused in one of this week's fraudulent listings.

This week, a fraudster copied the contents of this auction and used it to create his own fraudulent listing. This would likely be found by anyone searching for similar motorhomes:

The fraudulent listing, as it appeared in eBay's search results.

The fraudulent listing, as it appeared in eBay's search results.

The fraudulent listing was posted from an eBay account created in April 2010. The user has 100% positive feedback accrued from previous, legitimate purchases, which suggests that the account had been compromised by the fraudster. The fraudulent listing has since been removed from eBay, but the legitimate account remains.

The compromised account that was used to post the fraudulent listing had 100% positive feedback.

The compromised account that was used to post the fraudulent listing had 100% positive feedback.

When a victim views the fraudulent listing, he is immediately redirected to the fraudster's phishing site on btnet.info. Other than the domain name, this looks practically identical to the genuine eBay website, and also features the same username and feedback score from the compromised seller's account:

The victim is automatically redirected to this phishing site when he views the fraudulent listing on eBay. This site was reported to Netcraft and blocked.

The victim is automatically redirected to this phishing site when he views the fraudulent listing on eBay. This site was reported to Netcraft and blocked.

The significantly discounted "Buy it now" price of £6,300 would be extremely alluring to a prospective buyer, considering that the real thing sold for nearly £20,000 in a legitimate auction three months ago.

The redirection to the phishing site is carried out automatically as soon as the victim views the fraudulent listing on the eBay website. The item's description is copied from the legitimate listing we saw three months ago, but a malicious block of JavaScript has been added.

The malicious script appended to the description of the motorhome. Some of this has been blurred to prevent copycat attacks until eBay properly fixes the vulnerability.

The malicious script appended to the description of the motorhome. We have blurred the salient parts of this code to prevent copycat attacks until eBay properly fixes the vulnerability.

The malicious script has been specially constructed in order to bypass the cross-site scripting filters that eBay has implemented.

eBay disallows certain strings in the item description when a listing is created, but this week's attacks demonstrate that this security measure is insufficient.

eBay disallows certain strings in the item description when a listing is created, but this week's attacks demonstrate that this security measure is still insufficient.

When the external script is executed by the victim's browser, it redirects the victim to a URL redirection service, TinyURL, which in turn redirects him to the fraudster's phishing site.

The externally hosted JavaScript, which is executed by the fraudulent eBay listing. This site uses a .space domain that was registered on 6 February.

The externally hosted JavaScript, which is executed by the fraudulent eBay listing. This file is served from a .space domain that was registered on 6 February.

After the above JavaScript has redirected the victim to the phishing site, a server-side PHP script named php.php uses a random number generator to create a new PHP script, such as 54388632.php. The victim is then redirected to the newly-created script, which displays the fraudulent content. The randomly-named file is then deleted from the web server. If the victim were to notice that he was on a phishing site, it would be difficult to report it to anyone, as the URL in the victim's address bar would lead to a 404 Not Found error page on any subsequent visit.

The phishing site uses a domain name that was registered through Launchpad.com less than two weeks ago, and there is no content on the site's homepage. This indicates that the domain was probably registered specifically for use in these fraudulent eBay listings. Both this site btnet.info and the malicious JavaScript file on opengames.space are hosted by HostGator.

If the victim attempts to ask the seller a question, he will be taken to an enquiry form that is hosted on the fraudster's phishing site. Any questions asked here are sent directly to the fraudster.

Any questions asked about the item are sent directly to the fraudster.

Any questions asked about the item are sent directly to the fraudster.

If the victim tries to make a Best Offer for the vehicle, he is prompted to enter an email address. This address is later used by the fraudster to solicit payment directly from the victim, often via bank transfer.

After making an offer, the victim can soon expect to hear from the fraudster.

After making an offer, the victim can soon expect to hear from the fraudster.

This particular phishing attack demonstrates some interesting evolutions in the fraudsters' methodologies. Not only is it rather cleverly launched from the legitimate eBay site, and uses randomly-named files that are deleted to evade detection, but it also tries to avoid leaving any evidence in eBay's server logs: While all of the pictures used on the spoof auction page are stolen from the earlier legitimate auction, they are either encoded as inline Base64-encoded images, or are served from the fraudster's own website. This means that no Referer headers will be transmitted to eBay's web servers, which would otherwise give away the location of the phishing site.

This phishing attack is unusual in that it does not attempt to steal the victim's eBay password or any other account credentials. This subtlety could contribute to its effectiveness, as some victims might more readily identify a scam that does ask for a password.

The victim's offer and email address is all the fraudster needs in order to solicit payment. To instil further trust in the victim, these payment requests usually claim to use a third-party escrow service to accept the money. A genuine escrow service would release the money to the seller only if the customer receives the goods they paid for, but unsurprisingly, these eBay vehicle scams do not use a real escrow service. When the victim transfers his money to the specified account, it goes straight to the fraudster.

A fake escrow email from a fraudulent car seller. This one purportedly related to the sale of a Volkswagen T5 Transporter.

A fake escrow email from a fraudulent car seller. This one purportedly related to the sale of a Volkswagen T5 Transporter.

To discourage the victim from visiting their bank, who might warn him that it is a scam, the email adds: "You can pay using your online baking [sic], because it saves a considerable amount of time. Online Banking saves you the trouble of going to a bank and wasting your valuable time (payments can also be made on the weekends)."

Old habits die hard

Netcraft highlighted the risks posed by allowing JavaScript in eBay listings almost two years ago, when a series of similar attacks took place. eBay's only apparent protection against these attacks was a policy that we demonstrated can be easily ignored by fraudsters.

As eBay's latest fix is only a "partial" one, it suggests that eBay still might not have any intention of completely fixing these vulnerabilities. eBay previously explained that allowing active content in legitimate listings is worth the security risk, as the benefits outweigh the likelihood of being attacked.

A plea for help: This fraud victim claims to have been scammed on eBay after sending a bank transfer to pay for a caravan.

A plea for help: This fraud victim claims to have been scammed on eBay this week after sending a bank transfer to pay for a caravan.

These attacks have continued throughout the week. The following example was found earlier today – victims were redirected to this phishing site after viewing yet another specially crafted listing on the real eBay website.

CAPTION

Another eBay phishing site, which victims are automatically redirected to after viewing a specially crafted listing on the real eBay website.

It is likely that both examples have been orchestrated by the same fraudster, as both domain names were registered through the same company two weeks ago. However, today's example also attempts to steal the victim's eBay username and password when the victim clicks the Buy it now button.

The latest example also tries to steal the victim's eBay username and password.

The latest example also tries to steal the victim's eBay username and password.

The fraudster can use these stolen credentials to create additional fraudulent listings on his victims' own eBay accounts, which in turn can be used to steal more accounts and more money. This is a cycle of fraud that will be difficult to stop if eBay does not fully resolve this vulnerability.

AlphaBay darknet phishing attack impersonates .onion domain

Fraudsters operating on the AlphaBay darknet market are using phishing attacks to steal login credentials from other criminals. In this particular attack, the phishing site mimics the address of one of AlphaBay's Tor hidden services.

Dark Wars: A phishing site impersonating the AlphaBay Market

Dark Wars: A phishing site impersonating the AlphaBay Market

AlphaBay describes itself as a darknet market that specialises in all kinds of illegal goods, and so its users are reminded to access the site directly through the Tor anonymity network, rather than via a WWW to .onion gateway. However, this is not the only thing that users need to worry about: some of the criminals on AlphaBay also try to steal other users' credentials by sending messages to trick them into visiting phishing sites.

AlphaBay was originally founded by members of Russian carding forums, but the range of illegal goods being sold on the anonymous marketplace now includes drugs and weapons as well as credit card details. AlphaBay uses a .onion address which allows the website to run as a hidden service on the Tor network – this means that the physical location of the website remains anonymous, as well as the locations of Tor users who access it.

The genuine AlphaBay hidden service uses the address pwoah7foa6au2pul.onion. A hidden service's address is derived from the public key used to authenticate the connection, so it is difficult to convincingly impersonate the site without having access to the owner's key pair. However, the fraudster could easily have computed a partial match using tools such as scallion; for example, Netcraft generated the lookalike address pwoah7f5ivq74fmp.onion within minutes.

However, in the case of this phishing attack, the fraudster has simply created a lookalike domain on the public internet, using the address pwoah7foa6au2pul.me.pn.

The genuine AlphaBay Market login form, accessed via its .onion address on a Tor-enabled browser.

The genuine AlphaBay Market login form, accessed via its .onion address using the Tor Browser Bundle.

The address used by the phishing site will look familiar to regular users of the AlphaBay darknet market, but rather than pointing to an anonymous hidden service, it points to a phishing site hosted by AttractSoft GmbH in Germany.

The phishing site used in this attack was discovered on Thursday and is still operating at the time of writing. It mimics the genuine AlphaBay Market login page, and prompts the victim to enter his username and password. A client-side check forces the victim to also complete the security code CAPTCHA field, although the phishing site does not care whether the correct value was entered.

The stolen credentials are then submitted to a PHP script, which immediately redirects the victim to the genuine AlphaBay hidden service.

This phishing attack makes use of a me.pn domain, which was likely chosen because addresses under this domain can be registered for free, and the ".me.pn" string bears a (somewhat tenuous) similarity to the .onion TLD, at least in terms of its length.

Ironically, some of the services that can be bought and sold on the AlphaBay Market include spam sending services, "bank drops" (for receiving fraudulent bank transfers), account details, and other services useful to fraudsters engaged in phishing. This attack could therefore be viewed as yet another example of fraudsters defrauding fraudsters.

In a further show of there being no honour amongst thieves, the HTML source of the phishing site appears to have been copied from a previous lookalike site using the onion-market.co domain name. This domain name has since been repossessed by its registrar, GoDaddy, which is typical of domains that have been paid for with fraudulent funds or subjected to chargebacks.

The content of the phishing site was mirrored from another site that has since been suspended.

The content of the phishing site was mirrored from another site that has since been suspended.

AlphaBay has been operating since the end of 2014, when it helped fill the void left after the demise of Silk Road and Silk Road 2.0. It has since become one of the largest darknet markets, gaining wide publicity after it was used to sell compromised Uber accounts and data stolen from the TalkTalk breach in 2015.

Most Reliable Hosting Company Sites in January 2016

Rank Performance Graph OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 Datapipe Linux 0:00:00 0.004 0.151 0.012 0.025 0.031
2 XILO Communications Ltd. Linux 0:00:00 0.008 0.228 0.069 0.137 0.137
3 Netcetera Linux 0:00:00 0.008 0.073 0.085 0.173 0.173
4 GoDaddy.com Inc Linux 0:00:00 0.013 0.284 0.007 0.017 0.018
5 Qube Managed Services Linux 0:00:00 0.013 0.151 0.059 0.120 0.120
6 EveryCity SmartOS 0:00:00 0.013 0.090 0.065 0.130 0.130
7 Memset Linux 0:00:00 0.017 0.158 0.066 0.168 0.269
8 Swishmail FreeBSD 0:00:00 0.021 0.151 0.063 0.125 0.167
9 ServerStack Linux 0:00:00 0.021 0.133 0.066 0.132 0.132
10 INetU Linux 0:00:00 0.021 0.145 0.068 0.134 0.134

See full table

With just a single failed request, Datapipe had the most reliable hosting company site in January. It featured in the top ten for all but one month in 2015 and last topped the table in July.

In second place in January was XILO Communications Ltd with just two failed requests. XILO’s website has maintained 100% uptime over the past year, and 99.990% since October 2011. XILO’s servers are located in Maidenhead, just outside London, and use XILO’s own network hardware.

Netcetera came in third place, also with just two failed requests, albeit with a slightly longer average connection time. Netcetera is based on the Isle of Man and has recently expanded its Dataport data centre where it offers carbon neutral shared, dedicated, and cloud hosting, as well as co-location options.

GoDaddy reached fourth place in January, marking its eighth consecutive appearance in the top ten. Since June, GoDaddy has maintained an impressive average connection time of just under eight milliseconds, with no single month's average being more than nine milliseconds.

As it did through the entirety of 2015, Linux has once again dominated as the most commonly used operating system amongst the top ten hosting company websites. The only two companies in January’s table not using Linux to host their websites are Swishmail (FreeBSD) and EveryCity (SmartOS).

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

January 2016 Web Server Survey

In the January 2016 survey we received responses from 906,616,188 sites and 5,753,264 web-facing computers, reflecting a modest increase of less than six million sites, but a significant gain of 174,000 computers.

Microsoft gained 22.5m sites (+9.40%), which has taken its market share up by 2.32 points. Meanwhile, Apache lost 16.4m sites, and nginx fell by 15.6m. Apache's market share is now less than 5 points ahead of Microsoft; this difference was more than twice as large just two months ago.

The web-facing computers metric is typically much more stable, but this month's overall gain of 174,000 computers is unusually large as a result of a 7.6% increase in the number of web-facing computers running Apache.

This large gain comprised of nearly 195,000 Apache computers, and the majority of these are Western Digital My Cloud personal storage devices. These consumer devices run web servers and can be accessed using public hostnames with a format similar to device1000000-a1b2c3d4.wd2go.com. Consumers can remotely access their files via the My Cloud web application, a mobile app, or via third-party applications that make use of the relatively new My Cloud OS 3 platform.

Consumers can remotely access their files via the My Cloud web application (shown), or via a mobile app.

Consumers can remotely access their files via the My Cloud web application (shown), a mobile app, or third-party tools.

More than 240,000 of these wd2go.com hostnames point directly to a variety of consumer broadband connections, which is where the My Cloud devices are physically located.

Network Attached Storage (NAS) devices are rarely exposed to the internet on such a large scale, and so this provides some otherwise invisible insights into the usage of these particular devices. Although consumers do not have to enable the Cloud Access feature, the 240,000+ devices that are directly exposed to the internet are likely to be a fairly representative sample of all similar Western Digital devices.

Nearly half of the My Cloud devices that are exposed directly to the internet are located in the US, while the UK has the next largest share of 13%, and France follows with 6%. This suggests that nearly two-thirds of Western Digital's consumer NAS sales take place in these three countries alone.

As well as the My Cloud devices that are exposed directly to the internet, a further 273,000 wd2go.com hostnames resolve to fewer than 200 IP addresses hosted by Amazon AWS. These hostnames likely represent additional My Cloud devices that have been cloud-enabled using Relay mode. In this mode, requests bound for the device are relayed via the Amazon-hosted web service, which makes it possible for a consumer to gain remote access even when they are not able to set up port forwarding on their router.

However, whilst certainly convenient, exposing a My Cloud device to the internet (either directly or in relay mode) could undermine a consumer's security by revealing the device's internal IP address to the whole world. Each of the 500,000+ My Cloud devices that can be accessed via hostnames like device1070698-xxxxxxxx.wd2go.com also have corresponding DNS entries that reveal their local IP addresses:

$ host device1070698-xxxxxxxx.wd2go.com
device1070698-xxxxxxxx.wd2go.com has address 78.72.xx.x
$ host device1070698-xxxxxxx-local.wd2go.com
device1070698-xxxxxxxx-local.wd2go.com has address 192.168.1.65

These "-local" DNS entries allow a remote attacker to discover the local IP address of a consumer's My Cloud device (in this case, 192.168.1.65), which would make it easier to carry out CSRF attacks against it. Even if the consumer has taken the precaution of changing the device's name so that his browser cannot reach it via the default local address (http://wdmycloud), it could still be reached by browsing directly to its local IP address. Devices that have not been updated recently might still be vulnerable to remote code execution via CSRF attacks.

The local IP address of the My Cloud device can also be used to infer the address of the consumer's broadband router, which may well be vulnerable to similar types of attack. Knowing some likely IP addresses of the router makes CSRF attacks much more feasible – for example, if the My Cloud device has an IP address of 10.10.0.31, the attacker could deduce that the router's IP address might be 10.10.0.1 or 10.10.0.255, rather than any of the other 17+ million IANA-reserved private network addresses. A successful exploit against a vulnerable router could give an attacker full control over the router's settings, which could ultimately lead to data theft or financial losses through pharming attacks.

While the influx of these My Cloud devices has resulted in strong growth for Apache, nginx continued its steady progress by gaining a further 23,300 (+3.0%) web-facing computers. Apache's market share in terms of computers now stands at 47.9% (+2.0), while Microsoft lost 20,600 computers, contributing to its share falling to 27.1%. Despite maintaining the consistent growth it has demonstrated for several years, nginx also suffered a minor loss in share by virtue of Apache's exceptional growth.

Total number of websites

Web server market share

DeveloperDecember 2015PercentJanuary 2016PercentChange
Apache320,676,75935.59%304,271,06133.56%-2.03
Microsoft239,927,01326.63%262,471,88628.95%2.32
nginx157,001,01817.43%141,443,63015.60%-1.82
Google20,362,6782.26%20,799,0872.29%0.03
Continue reading