Having trouble reading this email? Read online, Follow us on Twitter & Facebook, or Subscribe via RSS

Web shells are an overlooked aspect of cyber crime and do not attract the level of attention of either phishing or malware. Nevertheless, Netcraft found more than 6,000 web shells during April 2017, which works out at around 1 new shell installation every 5 minutes. When web shells first appeared, the limit of their functionality was to transfer files and execute arbitrary shell commands. However, the best engineered web shells now provide well presented, sophisticated toolkits for diverse crimes, with facilities for password cracking, privilege elevation, network reconnaissance, phishing, spamming and DDoS, not solely available through a web based user interface but also accepting commands as part of a botnet.

An example of the WSO shell

An example of the hugely popular and feature-rich WSO (Web Shell by Orb) shell.

A number of shells offer the creation of a botnet in as little as a click, launching standalone processes that either connect to a command and control server or listen for commands over an insecure TCP connection. Some allow performing port scans to find potentially exploitable services. Others enable fraudsters to schedule denial of service attacks. There are shells dedicated to sending bulk spam emails, testing stolen credentials against popular websites (such as PayPal or Amazon), cracking passwords, and automatically defacing websites. With such a wide array of powerful features, it is unsurprising how popular web shells are with cyber criminals.

The WSO shell offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.

WSO offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.

The prevalence of these backdoors allows easy—and potentially persistent—access to thousands of compromised machines. If the web shell is missed during the webmaster's cleanup after an attack, removing the original phishing or malware content will be in vain, as the fraudster can use the web shell to upload new malicious material, or re-purpose the machine as an accessory to alternative forms of cyber crime.

Port scanner options from a web shell

This shell allows a fraudster to port scan arbitrary hosts anonymously.

A web shell for sending spam

A web shell dedicated to sending spam emails in bulk.

Shell Detection Statistics

Phishing sites and web shells often go hand-in-hand. During April 2017, we detected that approximately 10% of IP addresses hosting phishing attacks were also home to web shells. This pairing is unsurprising, as many web shells give fraudsters an easy to use, all-in-one solution to deploy and spread their attacks. Some brands commonly targeted by phishing sites have significantly higher exposure to web shells than average, such as:

OrganisationPhishing Sites
with Web Shells
SunTrust Bank41%
OurTime39%
Navy Federal Credit Union38%
USAA35%
NetEase33%
Alibaba31%
DHL31%
Bank of America30%
British Telecom30%
NatWest30%
Capital One29%
Bank of Montreal28%
Wells Fargo27%
Yahoo25%
Chase Bank25%
Average (Large Brands)18%

The variation in web shell usage according to the targeted organisation highlights the diversity of fraudsters and their preferred targets and methods. Netcraft has seen a number of web shells bundled as part of phishing kits, meaning that certain phishing campaigns will automatically include a web shell hidden alongside the phishing content. These organisations with the highest exposure to web shells should be particularly worried, as any anti-phishing efforts could be rendered ineffectual by persistent reinfections enabled by web shells.

Geographically, the number of web shells tends to follow the size of the web hosting market in any given country. Looking at all the web shells found by Netcraft in April, 49% of infected servers were located in the USA, putting it firmly into first place. Trailing behind at a distant second is Germany, responsible for just under 5% of affected IP addresses.

Website owners should be wary of using hosting companies with web shell infestations on their networks. With web shells being used to send spam and participate in DoS attacks, service quality can be affected as shared infrastructure has to handle the additional load. Compromised servers distributing malware and spam can lead to IP addresses being blacklisted, preventing legitimate emails from being delivered even after the malicious activity has been stopped. Netcraft looked at the hosting companies most responsible for hosting web shells, by counting the number of unique IP addresses with at least one web shell detection in April as a percentage of the total infected IP addresses seen – the top 10 are listed in the table below:

RankHosting CompanyProportion of All
Web Shell IPs
1Endurance International Group6.50%
2GoDaddy6.09%
3OVH3.96%
4Hostinger3.12%
5Hetzner Online2.09%
6Amazon1.86%
7Athenix1.52%
8DigitalOcean1.37%
9InMotion Hosting1.33%
10=Host Europe Group1.18%
10=LiquidWeb1.18%
Protecting Shells

The criminal must defend his web shell against both the webmaster and other fraudsters seeking to usurp his position on the compromised machine. To this end, many shells offer password protection. Passwords are usually hardcoded within the script, and are used without an accompanying username or email identifier.

The reality of this threat is evident when considering the existence of web shells offering ‘shell finders’ – these perform automated scans of websites, probing a long list of potential web shell file paths. The list of paths covers common shell names and directories, as well as paths used by commonly exploited web applications and plugins. Some shells perform this scan against a remote host, while others augment a search of the local filesystem with an overwrite option – allowing a fraudster to lock out others by overwriting their shells with a copy of their own.

The shell finding feature of the R57 Shell

The R57 Shell offers tools to probe the compromised server for other web shell installations, with the option to remove or overwrite them.

Unbeknownst to some fraudsters, these web shells sometimes contain backdoors of their own. Some allow bypass of access controls on the web interface, regardless of changes to the password. Others will automatically attempt to "phone home", notifying the original shell authors of new installations which are then absorbed into larger bot nets. With the trend of remixing (or “recoding”) and rebranding web shells, there are many opportunities for web shell authors to introduce their own backdoors into entire families of related scripts.

Avoiding Detection

Web shell authors try a variety of tricks to avoid detection by other fraudsters, the webmaster himself, and by security companies like Netcraft. A particularly common ploy is that of fake error pages, used by some variants of the C99 web shell. These shells attempt to recreate the default Apache error pages, usually 404 Not Found or 403 Forbidden.

When viewed in a web browser, these fake pages can easily be mistaken for legitimate error messages. However, when compared side-by-side, discrepancies can be found by looking for incorrect or omitted version numbers, hostnames, URLs, and HTML titles. These fake error pages also contain hidden password fields, which provide access to the web shell: some variants simply set the background and border colours to match the page background, while others add JavaScript that reveals the password form when the port number is clicked.

A fake Apache 404 page

Some shells disguise themselves as default Apache error pages. In this example, there is a password input centered on the page, made invisible by CSS. Typing characters into the input reveals its location.

Another notable method for avoiding detection is prefixing the web shell scripts with small excerpts of image file headers – most commonly those from the GIF89a specification. When processed by the PHP interpreter, these bytes are ignored and passed through to the web browser, displaying the text “GIF89a”. Automated tools such as the open-source utility file use these magic bytes as a fingerprint to identify the file type, mistaking the malicious PHP script for an image.

An excerpt of web shell source code prefixed with a GIF image file header

The source code of this web shell is prefixed with GIF image file headers, to mask its identity. The file utility mistakenly identifies the script as a GIF image. With purported dimensions of 16,129 by 16,129 pixels, this image would require 250GB of memory to open!

Fraudsters also attempt to disguise web shell scripts in directory listings by using filenames that could easily be mistaken for legitimate files. For example, Netcraft found a large number of shells masquerading as a WordPress configuration file, wp-config.php. Some shells use this filename verbatim, whilst others will make minor alterations (e.g. wp-configs.php) and hide themselves amongst legitimate WordPress files. By naming shells in this way, it is easy for webmasters to miss these files when examining their servers after compromise.

These countermeasures could mean that phishing or malware attacks may soon resurface, thus it is vital that organisations looking to remove such fraudulent content also seek to remove the web shells that enable it, and fix whatever vulnerabilities allowed the shells to be there in the first place.

How to Protect Yourself?

The onus is on hosting providers, system administrators, and webmasters to ensure that their servers are secured against vulnerabilities that may allow attackers to upload shells to their systems. They should also be on the lookout for unexpected modifications to their web root, paying close attention to popular software packages such as WordPress , where shell scripts are easily disguised amongst benign files.

Hosting providers can receive an alerting service from Netcraft which will notify them whenever phishing, malware, or web shells are detected on their infrastructure. Organisations targeted by high volume phishing administered via web shells may trial Netcraft's Countermeasures service.

Posted by George Field on 18th May, 2017 in Around the Net, Netcraft Services, Security

The number of phishing sites making use of HTTPS has increased noticeably since January, coinciding with the introduction of a new feature in the Mozilla Firefox and Google Chrome web browsers.

Both Firefox and Chrome now display warnings when an unencrypted (HTTP) webpage contains a password field. This behaviour is intended to protect users from man-in-the-middle attacks, and also encourages the affected websites to start using secure HTTPS connections when handling sensitive data.

This German PayPal phishing site uses the unencrypted HTTP protocol, causing the latest version of Firefox to display an unmissable warning message when the user interacts with the login form.

This German PayPal phishing site uses the unencrypted HTTP protocol, causing the latest version of Firefox to display an unmissable warning message when the user interacts with the login form.

These warning messages could scupper many phishing sites: Most are served over unencrypted HTTP connections, and so another positive consequence of the new browser behaviour is that potential victims are less likely to fall for phishing attacks.

However, fraudsters may have quickly realised this, as there has been a dramatic increase in the number of phishing sites making use of HTTPS. If the new browser behaviour has driven this change — and the timing suggests it might have — then it may have also had the unintended side effect of increasing the efficacy of some phishing sites. Phishing sites that now use HTTPS and valid third-party certificates can appear more legitimate, and therefore increase the likelihood of snaring a victim.

Firefox 51 and Chrome 56 were the first stable browsers to flag HTTP websites as insecure if they contained password fields. Their release dates appear to coincide with the increase in HTTPS phishing sites.

Firefox 51 and Chrome 56 were the first stable browsers to flag websites as insecure if they contained password fields. Their release dates appear to coincide with the increase in HTTPS phishing sites.

Another plausible hypothesis is that many legitimate websites have migrated to HTTPS in response to the new behaviour in Firefox and Chrome. Phishing sites are often hosted on compromised websites, and so this would naturally cause the number of HTTPS phishing sites to increase accordingly; or it could be that some fraudsters are now targeting HTTPS websites in preference to HTTP sites.

While the majority of today's phishing sites still use the unencrypted HTTP protocol, a threefold increase in HTTPS phishing sites over just a few months is quite significant. Regardless of what caused this change, phishing sites that use the unencrypted HTTP protocol could still prove effective against some victims, as not all browsers share the behaviour implemented in Firefox and Chrome. In particular, Microsoft's Internet Explorer and Edge browsers do not yet display any warnings when users interact with insecure forms.

Posted by Paul Mutton on 17th May, 2017 in Security

According to tradition, the country of Panama was named after a former indigenous fishing village and its nearby beach called Panamá, meaning "an abundance of fish"; but today, it looks like Panama has an abundance of phish!

Netcraft has blocked nearly 5,000 phishing sites in Panama over the past three months, which is an astounding amount considering Panama hosts fewer than 13,000 active websites in total.

Nearly 4,000 phishing sites are still blocked, making Panama the phishiest country in the world at the present moment. To give these figures some perspective, only 0.007% of the world's active sites are hosted in Panama, yet it hosts 1.0% of all phishing sites that are currently blocked.

An Apple ID phishing site currently hosted by Offshore Racks in Panama.

An Apple ID phishing site currently hosted by Offshore Racks in Panama.

Around 1.9 million people are estimated to use the internet in Panama, but most of the phishing sites hosted there are clearly aimed at foreigners, as the majority are not written in Panama's official language of Spanish. In fact, most of the currently blocked phishing sites target customers of Italian banks, and a large proportion of new phishing sites found in Panama over the past month were written in English and targeted Apple customers.

Most of the Apple phishing attacks make use of domain names that have been registered specifically to carry out these attacks, with many containing obvious references to Apple, Apple ID, or iCloud.

A handful of the domains used by Apple phishing attacks last month.

A few examples of the domains used by Apple phishing attacks last month.

The majority of these phishing sites are hosted by Offshore Racks, a Panamanian hosting company that offers "high privacy" anonymous hosting and accepts payment in Bitcoins – ideal for fraudsters who do not want to be traced easily.

As the phishing sites make use of domain names that have been registered specifically for phishing, this suggests the fraudsters have purposely sought their own hosting arrangements, rather than adopting the more common method of deploying phishing kits on compromised web servers. While this eliminates the risk of the phishing content being deleted by the disgruntled owner of a compromised site, the obvious disadvantage for the fraudster is that he may have to pay for both domain registrations and hosting.

Offshore Racks' Acceptable Use Policy has said nothing more than "In development" since 2010

Offshore Racks' Acceptable Use Policy has said nothing more than "In development..." since 2010.

While it is clear that the company responsible for hosting most of these phishing sites could be doing more to prevent the attacks, domain name registrars and domain registries are also well positioned to nip this activity in the bud. Netcraft's Deceptive Domain Score service can be used to analyse the likelihood of a domain name being used for fraudulent activities, giving an opportunity to prevent the registration, flag for human inspection, or immediately suspend fraudulent domains, before malicious content can be uploaded. Domains that have already been registered can be suspended by TLD operators as soon as phishing activity is detected.

Consumers can boost their browsers' standard security features by installing the Netcraft anti-phishing extension. As well as blocking access to known phishing sites, it will display the hosting location, Risk Rating and other information that can help establish the authenticity of every site visited.

Posted by Paul Mutton on 11th May, 2017 in Security
Rank Performance Graph OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 One.com Linux 0:00:00 0.004 0.185 0.040 0.116 0.116
2 Swishmail FreeBSD 0:00:00 0.004 0.132 0.060 0.120 0.164
3 Hyve Managed Hosting Linux 0:00:00 0.004 0.075 0.062 0.127 0.127
4 Webair Linux 0:00:00 0.009 0.144 0.054 0.109 0.110
5 XILO Communications Ltd. Linux 0:00:00 0.009 0.210 0.067 0.134 0.134
6 CWCS Linux 0:00:00 0.009 0.194 0.077 0.176 0.176
7 GoDaddy.com Inc Linux 0:00:00 0.013 0.219 0.012 0.031 0.032
8 Bigstep Linux 0:00:00 0.013 0.129 0.063 0.128 0.128
9 Qube Managed Services Linux 0:00:00 0.013 0.131 0.064 0.129 0.129
10 www.viawest.com Linux 0:00:00 0.017 0.265 0.005 0.194 0.194

See full table

One.com comes in first place in April, up from seventh place in March. One.com responded to all but one of Netcraft's requests, with an average TCP connection time of 40 milliseconds. The company was founded in 2002 and is based in Denmark, with staff also based in Dubai and India.

Swishmail and Hyve follow in second and third places respectively. These hosting company sites also responded successfully to all but one request, but had marginally slower average connection times than One.com's site. Swishmail is based in the United States and provides business email and web hosting services, whilst Hyve is based in the United Kingdom and provides a variety of cloud and dedicated server hosting services. Hyve reached the finals of the 2017 European IT and Software Excellence Awards under both the Managed Service Solution of the Year and Service Provider of the Year categories.

Xilo has consistently featured in the top 10 so far in 2017. Xilo provides a variety of services, ranging from shared hosting up to managed and self-managed dedicated servers, as well as domain name services and SSL certificates.

Of the top 10 hosting providers for April, all but one of their websites are running on Linux, with the exception being Swishmail's, which runs on FreeBSD.

Netcraft measures and makes available the response times of around thirty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

Posted by Netcraft on 3rd May, 2017 in Hosting, Performance

In the April 2017 survey we received responses from 1,816,416,499 sites and 6,320,910 web-facing computers. This reflects a gain of 56 million sites and 49,800 computers.

Microsoft had a noticeable gain of 108 million sites (+15.4%), recouping last month's loss and expanding its market share by nearly 5 percentage points to 44.7%. Microsoft is 10 million sites down from the start of the year, but its share is now nearly twice as large as Apache's. The only major vendor to suffer a loss of hostnames in April was nginx, which lost 1.4 million sites – this took its market share down by 0.41 points to 19.2%, leaving it slightly further behind Apache's share of 22.7%.

Despite nginx's loss of sites, it was once again the only major vendor to increase its presence within the top million sites, increasing its count by 2,164 sites, while Apache lost 1,962; but Apache stays in the lead with a 40.9% share, while nginx's increased to 28.7%.

nginx's growth is also reflected well in the web-facing computers market, where it had the largest increase of 29,900 computers (+2.44%). This took its share up by 0.32 points to 19.9%, while Apache's leading share fell by 0.27 points to 43.5%. Microsoft is still in second place with 24.2% of the web-facing computer market, but this position looks set to be taken by nginx within the next year if the trend of nginx's gains and Microsoft's losses continue.

Apache continues to reign supreme in terms of active sites, where it increased its market share slightly to 46.3%, putting it further ahead of nginx, which has a share of 19.6%; however, the long term trend over the past several years has seen the two vendors getting closer, with nginx slowly gaining market share while Apache has slowly declined. Microsoft's share of active sites is only 8.28%, but this is enough to keep it in third place, ahead of Google.

A new mainline version of nginx (1.11.13) was released on 4 April. This release included several bugfixes and formed the basis of the current stable version, nginx 1.12.0, which was later released on 12 April. As a consequence of including all bug fixes and new features from the entire 1.11.x branch, nginx 1.12.0 includes support for configuring multiple SSL certificates of different types, better support for dynamic modules, and several other new features.

Earlier this month, Netcraft examined the success of ICANN's New gTLD program, as well as the impact it has had on brand owners such as LEGO. The .loan gTLD saw the largest domain growth of any type of TLD this month, gaining 287,000 unique domains, yet losing more than 10 million websites. Only 3% of all .loan domains are considered active by Netcraft, indicating that large numbers share near-identical content, such as monetized domain holding pages.

From the TLD operator's perspective, the rise in .loan domains is much more significant than the large reduction in sites, as each unique domain will correspond to a domain registration, which invariably involves some type of transaction. The cost of registering a single .loan domain can vary between $20-$40 per year (including ICANN fees), depending which registrar is used, although some registrars – such as Namecheap – offer low introductory prices of $0.88 for the first year only. The prevalence of domain holding pages suggests that many of these domains may have been bought at introductory prices, so the estimated revenue from the 980,000 unique .loan domains currently in use on the web is likely to be much closer to $1m than $40m.

Total number of websites

Web server market share

DeveloperMarch 2017PercentApril 2017PercentChange
Microsoft704,000,53039.99%812,157,80844.71%4.73
Apache383,707,11221.79%412,130,52622.69%0.90
nginx350,540,37219.91%349,092,97519.22%-0.69
Google18,849,1711.07%19,121,6841.05%-0.02
Web server market share for active sites

DeveloperMarch 2017PercentApril 2017PercentChange
Apache79,942,44545.82%78,489,47246.28%0.46
nginx34,317,97219.67%33,176,49019.56%-0.11
Microsoft15,611,2568.95%14,033,7798.28%-0.67
Google11,684,6776.70%12,048,0897.10%0.41

For more information see Active Sites

Web server market share for top million busiest sites

DeveloperMarch 2017PercentApril 2017PercentChange
Apache410,61641.06%408,65440.87%-0.20
nginx285,00128.50%287,16528.72%0.22
Microsoft101,16310.12%100,59410.06%-0.06
Google17,5381.75%17,2441.72%-0.03
Web server market share for computers

DeveloperMarch 2017PercentApril 2017PercentChange
Apache2,746,52843.80%2,751,54943.53%-0.27
Microsoft1,533,65824.46%1,532,15824.24%-0.22
nginx1,225,84219.55%1,255,76319.87%0.32
Posted by Netcraft on 21st April, 2017 in Web Server Survey

Subscription Details

To Subscribe: Go to http://www.netcraft.com/about-netcraft/email-subscription/
To Unsubscribe: Go to http://www.netcraft.com/cgi-bin/unsubscription