Funny and malicious server banners
31st January, 2022
Netcraft’s most recent Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that shows which web server software they use, thus allowing us to determine the market shares of each server vendor since 1995.
Many of these server banners are simply short strings like “Apache”, while others may include additional details that reveal which other software – and which versions – are installed on the server. One such example is “Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.
Chrome’s Network Inspector showing the HTTP response headers for wordpress.com, which uses the nginx web server. It does not reveal a version number.
A web server reveals its server banner via the Server HTTP response header. This string is not ordinarily exposed to users, but most browsers allow it to be viewed in the Network Inspector panel.
Custom banners
Web server software usually allows its server banner to be modified. A common reason for changing the default value is to reduce the amount of information that would be revealed to an attacker.
For example, if a web server advertises itself as running a vulnerable version of Apache, such as “Apache/2.4.49” it could be more likely to come under attack than a server that reveals only “Apache”.
Our Web Server Survey includes a few websites that return the following Server header, which takes a deliberate swipe at the effectiveness of hiding this sort of information:
Server: REMOVED FOR PCI SCAN COMPLIANCE - SECURITY THROUGH OBSCURITY WORKS, RIGHT? - https://bit.ly/2nzfRrt
Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead, while in others it may simply be done as a joke waiting to be found by anyone curious enough to look for the banner.
Unlikely server banners
Amongst the 1.2 billion websites, there are plenty of examples of unlikely server banners.
Bangladesh, South African and Iraqi Government sites have been found to be hosting web shells
3rd December, 2021
Netcraft recently confirmed that a Bangladesh Army site was hosting an Outlook Web Access (OWA) web shell. Additionally, an OWA web shell was found on the Department of Arts and Culture site for the South-African Kwazulu-Natal province and an Iraqi government site was found to be hosting a PHP shell. Web shells are a common tool used by attackers to maintain control of a compromised web server, providing a web interface from which arbitrary commands can be executed on the server hosting the shell. OWA provides remote access to Microsoft Exchange mailboxes; since the disclosure of the ProxyLogon vulnerabilities in March, Microsoft Exchange has become a popular target for cyberattacks.
Eswatini Government's gov.sz website is running a cryptojacker
22nd October, 2021
The Government of Eswatini’s website, www.gov.sz, is running a
cryptojacker. Cryptojackers
use website visitors' CPU power to mine cryptocurrency, most often without their knowledge or permission.
Data from archive.org suggests the JavaScript snippet was added to the site’s HTML source between
28th September and
6th October.
WebMinePool cryptojacker injection on www.gov[.]sz.
While sites that are kept open for long periods of time are often the most lucrative – the longer the victim’s browser tab is open, the more cryptocurrency can be mined — criminals are typically not fussy when deploying cryptojackers. Criminals can target large swathes of sites at once, including those using vulnerable or out-of-date software, compromised third-party JavaScript, or with easily guessable administrator credentials.
Prankster acquires Taliban Government domain amidst gov.af limbo
2nd September, 2021
The US and others may have withdrawn from Afghanistan, but many Afghan Government websites and email addresses under the .gov.af top-level domain are still very much dependent on services hosted outside of the country – mostly in the US.
By taking control of Afghanistan, the Taliban has inherited these government domains and now shares web hosting and mail servers with several other governments around the world, including the UK Government. In many cases, emails sent to .gov.af domains will be routed through US-hosted servers, presenting intelligence opportunities if the new Taliban government were to continue using them.
Afghanistan's Internet: who has control of what?
30th August, 2021
Bagram, formerly the site of the largest US military base in Afghanistan.
Over the past few weeks, the Taliban have taken control of substantially the whole of Afghanistan, with just Kabul Airport and the Panjshir Valley presently controlled by the US Military and the National Resistance Front of Afghanistan respectively.
Yet the situation with Afghanistan’s internet infrastructure is quite different to what anyone following the mainstream media might reasonably expect, as Afghanistan’s key internet resources – domains, IP addresses, routing and government communications – are controlled by a diverse set of entities subject to Western jurisdictions.
Who is in control of the .af domain?
Presently, .af’s DNS is run using Anycast DNS
services
from Packet Clearing House, a San Francisco based
not-for-profit organisation, and Gransy, a Czech
registrar and registry services provider. Packet Clearing House provides free
Anycast DNS services to
“developing-country ccTLD registries”, and Gransy provides free Anycast DNS
services to ccTLDs with fewer than
10,000 domains – .af has around 6K domains and is well within Gransy’s
criteria for a free service.
3.6 million websites taken offline after fire at OVH datacenters
10th March, 2021
Around 3.6 million websites across 464,000 distinct domains were taken offline after the major fire at an OVHcloud datacenter site in Strasbourg overnight.
More than 18% of the IP addresses attributed to OVH in Netcraft’s most recent Web Server Survey — which took place two weeks ago — were no longer responding at 06:00-07:15 UTC this morning.
A load monitoring graph of a server that was running at one of OVH’s Strasbourg datacenters.
It was last updated at 01:13 UTC today, indicating when it became inaccessible during the fire.
Thankfully, everybody is safe; but OVH said the fire in its SBG2 datacenter was not controllable and no data is likely to be recoverable. Part of its SBG1 datacenter has also been destroyed. Firefighters were protecting SBG3 throughout the night, and although there was no direct fire impact on SBG4, it was also unavailable due to the whole site being isolated. Consequently, all services in SGB1-4 have been offline.
Websites that went offline during the fire included online banks, webmail services, news sites, online shops selling PPE to protect against coronavirus, and several countries' government websites.
Examples of the latter included websites used by the Polish Financial Ombudsman; the Ivorian DGE; the French Plate-forme des achats de l’Etat; the Welsh Government’s Export Hub; and the UK Government’s Vehicle Certification Agency website, which got a new SSL certificate by 10am and is now back online with a UK hosting company.
Banking websites have also been hit by the fire.
Unsurprisingly for a French hosting company, the most affected country code top-level domain (ccTLD) is .fr, which had 184,000 knocked-out websites spread across 59,600 distinct domain names – these account for 1.9% of all .fr domains in the world. In comparison, there were only 24,100 .uk websites hosted in the affected datacenters, across just 8,700 unique domains. Most of the affected websites use the generic .com top-level domain, amounting to 880,000 websites across 180,000 domains.