The other victims of FluBot: How cybercriminals exploit WordPress to distribute malware
29th November, 2021
Netcraft has to date identified nearly 10,000 websites used in the distribution of the FluBot family of Android malware. As detailed in our previous articles on FluBot, these sites are unwittingly hosting a PHP script that acts as a proxy to a further backend server, allowing otherwise legitimate sites to deliver Android malware to victims. When visited by the intended victim, a “lure” is displayed that implores them to download and install the FluBot malware.
The most common lure themes are parcel delivery and voicemail messages, where the user is told to install the malicious app to track a parcel or listen to a voicemail message. One particularly interesting lure took advantage of FluBot’s infamy, by offering a fake “Android security update” that claimed to protect against the malware family. Users installing this “security update” would instead be infected with FluBot.
Most sites distributing FluBot malware also host legitimate content, suggesting they were compromised by the operators of this malware distribution network, without the knowledge of the site operator. While the use of unrelated domains makes the lures less convincing, as compared to domains specifically registered for fraud, it allows the malware distribution network to operate at a much larger scale.
These affected sites all have one factor in common: they run self-hosted WordPress instances. Netcraft believes the operators of this malware distribution network are actively exploiting well-known vulnerabilities in WordPress plugins and themes to upload malicious content onto insecure sites, joining a growing list of threat actors doing the same.



A collection of lures used by the FluBot distribution network
Posted by Sean Gebbett in FluBot, Netcraft Services, Security
November 2021 Web Server Survey
23rd November, 2021
In the November 2021 survey we received responses from 1,175,392,792 sites across 267,027,794 unique domains and 11,525,855 web-facing computers. This reflects a loss of 4.06 million sites, but a gain of 1.60 million domains and 137,000 computers.
nginx gained the largest number of domains (+741,000) and web-facing computers (+81,300) this month and continues to lead in both metrics with market shares of 30.1% and 37.3%.
Further down in the market, there was also a noticeable increase in the total number of web-facing computers running LiteSpeed, which went up by 11,200 to 101,000 (+12.5%), although this resulted in only a 1.44% increase in domains. These counts include sites that run on LiteSpeed Web Server and its open source variant, OpenLiteSpeed, both of which exhibit the same “LiteSpeed” server banner.
Both nginx and Apache lost nearly 4 million hostnames each, reducing their sites market shares to 34.7% and 24.4%. Meanwhile, Cloudflare gained 1.15 million sites, which has taken its total up to 58.6 million (+2.00%) and increased its sites share to 4.99%.
nginx and Apache also suffered losses amongst the top million websites, paving the way for Microsoft to increase its presence by 2,369 sites (+3.75%). Microsoft web server software is now used by 65,600 of the top million sites, but Apache is still the most commonly used web server in this sector, with 240,000 of the top million sites using it, and nginx is not far behind with 224,000.
Apache 2.4.49 vulnerability
Following last month’s news of a path traversal vulnerability in Apache 2.4.49 being actively exploited in the wild, this month’s survey shows that more than 11 million websites had server banners containing “Apache/2.4.49” before a fix was released. The only other version vulnerable to attack was Apache 2.4.50, which failed to fix the vulnerability properly – but this version was released after the survey ran and was promptly replaced with Apache 2.4.51, where the vulnerability was resolved properly.
The true number of websites that were vulnerable during the survey period is likely to have been much greater than the 11 million websites that openly reported themselves to be running Apache 2.4.49, as nearly two-thirds of all Apache-powered websites do not reveal a version number in their server banners. This configuration is often a deliberate act towards security through obscurity, although attackers can often deduce precise version numbers by carrying out additional tests. There may also have been additional vulnerable instances of Apache 2.4.49 hidden behind frontend load balancers or content delivery networks such as Cloudflare.
Conversely, some websites running on Apache 2.4.49 may not have been vulnerable if they used an appropriately configured web application firewall that prevents path traversal attacks. More generally, the true number of web servers that contain a version-specific vulnerability can also be masked by future backported security patches, which typically fix vulnerabilities without changing the apparent version number of the software. From an external perspective, a server might appear to be running a vulnerable software version but may not actually be vulnerable to the issues affecting that version.
Vendor news
- LiteSpeed Web Server 6.0.11 was released on 10 November. This is the latest version in the LSWS 6.0 stream and includes improvements in HTTP/2 and HTTP/3 throughput, new support for WebSocket proxy targets in rewrite rules, and several bugfixes.
- Microsoft has announced new Azure Bounty Program rewards of up to $60,000 to encourage and reward research into vulnerabilities that would have the highest potential impact on the security of its customers.
- nginx 1.21.4 mainline was released on 2 November. This version includes some new features and changes relating to TLS and HTTP/2.
- Lighttpd 1.4.61 was released on 28 October to address a number of bugs. Lighttpd is used by 245,000 unique domains in this month’s survey.
- njs 0.7.0 was released on 19 October to add HTTPS support for its Fetch API, along with a few other new features and bugfixes.
- Apache Tomcat 9.0.54, 10.0.12 and 10.1.0-M6 (alpha) were released on 1 October, followed by Tomcat 8.5.72 on 6 October.
- Cloudflare Pages now supports custom headers natively, without having to use Cloudflare Workers. This makes it easier for developers to add best-practice security headers and others to their JAMstack applications.
- Cloudflare for SaaS is now generally available to all, following a beta launch earlier in the year.


Developer | October 2021 | Percent | November 2021 | Percent | Change |
---|---|---|---|---|---|
nginx | 412,222,221 | 34.95% | 408,226,319 | 34.73% | -0.22 |
Apache | 290,462,410 | 24.63% | 286,494,600 | 24.37% | -0.25 |
OpenResty | 76,038,576 | 6.45% | 76,480,927 | 6.51% | 0.06 |
Cloudflare | 57,482,103 | 4.87% | 58,629,365 | 4.99% | 0.11 |
Posted in Web Server Survey
Eswatini Government's gov.sz website is running a cryptojacker
22nd October, 2021
The Government of Eswatini’s website, www.gov.sz
, is running a
cryptojacker. Cryptojackers
use website visitors' CPU power to mine cryptocurrency, most often without their knowledge or permission.
Data from archive.org suggests the JavaScript snippet was added to the site’s HTML source between
28th September and
6th October.

WebMinePool cryptojacker injection on www.gov[.]sz
.
While sites that are kept open for long periods of time are often the most lucrative – the longer the victim’s browser tab is open, the more cryptocurrency can be mined — criminals are typically not fussy when deploying cryptojackers. Criminals can target large swathes of sites at once, including those using vulnerable or out-of-date software, compromised third-party JavaScript, or with easily guessable administrator credentials.
Posted by Hubert Kaluzny in Around the Net, Security
October 2021 Web Server Survey
15th October, 2021
In the October 2021 survey we received responses from 1,179,448,021 sites across 265,426,928 unique domains and 11,388,826 web-facing computers. This reflects a loss of 8.59 million sites, but a gain of 1.07 million domains and 20,800 computers.
The number of unique domains powered by the nginx web server grew by 789,000 this month, which has increased its total to 79.5 million domains and its leading market share to 29.9%. Conversely, Apache lost 753,000 domains and saw its second-place share fall to 24.7%. Meanwhile, Cloudflare gained 746,000 domains – almost as many as nginx – but it stays in fourth place with an 8.15% share while OpenResty's shrank slightly to 14.5%.
Cloudflare also made strong progress amongst the top million websites, where it increased its share by 0.24 percentage points to 18.2%. nginx is in second place with a 22.5% (+0.12pp) share but has closed the gap on Apache which still leads with 24.0% after losing 0.21pp.
Apache also continues to lead in terms of active sites, where it has a total of 48.0 million. However, it was the only major vendor to suffer a drop in this metric, with a loss of 277,000 active sites reducing its share down to 23.9% (-0.29pp). In terms of all sites, nginx lost the most (-9.99 million) but remains far in the lead with a total of 412 million.
Apache vulnerability being actively exploited in the wild
Apache 2.4.51 was released on 7 October. This is the latest release in the 2.4.x stable branch, which the developers consider to be the best available version of the Apache HTTP Server; but more importantly, this release fixes a path traversal vulnerability present in Apache 2.4.49 and 2.4.50. Apache 2.4.50 was itself released a day earlier in an attempt to fix the vulnerability present in 2.4.49, but the fix was found to be insufficient.
The vulnerability is being actively exploited in the wild, so anyone still running an unpatched Apache 2.4.49 or 2.4.50 installation should upgrade immediately. In some cases, the path traversal vulnerability could facilitate remote code execution on the web server.
Due to the nature of this vulnerability, some otherwise vulnerable installations may be immune to attack if a web application firewall (WAF) is in place, or if a frontend proxy or load balancer modifies malicious requests in a way that makes them safe. For instance, all vulnerable Apache installations served via the Cloudflare content delivery network would have been protected from the outset if Normalize URLS to origin were enabled, and the Cloudflare WAF has rules that would have stopped many exploit attempts.
Other vendor and hosting news
- During September, Microsoft released fixes for three elevation of privilege and one remote code execution vulnerabilities in the Open Management Infrastructure (OMI) framework, which is used by several Azure Virtual Machine management extensions. The remote code execution vulnerability can only affect customers using a Linux management solution with remote OMI enabled. A full list of the vulnerable extensions and update availability is being maintained on the Microsoft Security Response Center blog.
- Microsoft announced the general availability its Azure Purview data governance solution on 28 September.
- On 5 October, Microsoft removed the waiting list for its Azure NetApp Files bare-metal cloud file storage and data management service.
- lighttpd 1.4.60 was released on 3 October. This version includes a large number of changes, including several bugfixes and improved handling of HTTP/2 connections.
- LiteSpeed Web Server 6.0.9 was released on 20 September to address several bugs and add a new log rotation feature. OpenLiteSpeed 1.7.14 – the open source edition of LiteSpeed Web Server Enterprise – was released on 7 September.


Developer | September 2021 | Percent | October 2021 | Percent | Change |
---|---|---|---|---|---|
nginx | 422,211,703 | 35.54% | 412,222,221 | 34.95% | -0.59 |
Apache | 295,667,361 | 24.89% | 290,462,410 | 24.63% | -0.26 |
OpenResty | 77,052,370 | 6.49% | 76,038,576 | 6.45% | -0.04 |
Cloudflare | 56,362,363 | 4.74% | 57,482,103 | 4.87% | 0.13 |
Posted in Web Server Survey
September 2021 Web Server Survey
29th September, 2021
In the September 2021 survey we received responses from 1,188,038,392 sites across 264,360,621 unique domains and 11,368,033 web-facing computers. This reflects a loss of 23.4 million sites, but a gain of 627,000 domains and 40,300 computers.
The largest increase in both unique domains and active sites was seen by LiteSpeed this month, with gains of 571,000 (+9.3%) domains and 458,000 (+6.0%) active sites. Much of this increase was concentrated at a single hosting provider, NameCheap, where there were corresponding drops in the numbers of domains and active sites using Apache. As a result, LiteSpeed’s market share in the domains metric increased by 0.21 percentage points to 2.6%.
Cloudflare also saw strong growth in domains, with an increase of 519,000 resulting in a small increase in its market share to 7.90%. Amongst the million busiest websites Cloudflare had substantially the biggest increase in use, leaving it with an 18.0% market share. It is now just 44,000 sites or 4.4 percentage points of market share behind nginx in second position.
Other server vendors to see increases in terms of unique domains include OpenResty which grew by 314,000 domains, and market leader nginx which grew by 195,000. Despite having only the fourth largest growth this month, nginx maintained its 29.8% market share.
The number of web-facing computers using nginx has increased once again, whilst both Apache and Microsoft lost both in absolute numbers and market share. This month nginx saw an increase of 40,800 raising its market share to 37.2%. Apache and Microsoft each lost 0.24 percentage points of market share to leave them with 30.8% and 11.9% shares. LiteSpeed gained 4,660 computers (+5.9%).


Developer | August 2021 | Percent | September 2021 | Percent | Change |
---|---|---|---|---|---|
nginx | 441,930,791 | 36.48% | 422,211,703 | 35.54% | -0.94 |
Apache | 305,180,858 | 25.19% | 295,667,361 | 24.89% | -0.30 |
OpenResty | 75,516,218 | 6.23% | 77,052,370 | 6.49% | 0.25 |
Cloudflare | 55,830,630 | 4.61% | 56,362,363 | 4.74% | 0.14 |
Posted in Web Server Survey
Prankster acquires Taliban Government domain amidst gov.af limbo
2nd September, 2021
The US and others may have withdrawn from Afghanistan, but many Afghan Government websites and email addresses under the .gov.af top-level domain are still very much dependent on services hosted outside of the country – mostly in the US.
By taking control of Afghanistan, the Taliban has inherited these government domains and now shares web hosting and mail servers with several other governments around the world, including the UK Government. In many cases, emails sent to .gov.af domains will be routed through US-hosted servers, presenting intelligence opportunities if the new Taliban government were to continue using them.