Identifying Risk Factors for Webserver Compromise

  • Marie VasekEmail author
  • Tyler Moore
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8437)


We describe a case-control study to identify risk factors that are associated with higher rates of webserver compromise. We inspect a random sample of around 200 000 webservers and automatically identify attributes hypothesized to affect the susceptibility to compromise, notably content management system (CMS) and webserver type. We then cross-list this information with data on webservers hacked to serve phishing pages or redirect to unlicensed online pharmacies. We find that webservers running WordPress and Joomla are more likely to be hacked than those not running any CMS, and that servers running Apache and Nginx are more likely to be hacked than those running Microsoft IIS. Furthermore, using a series of logistic regressions, we find that a CMS’s market share is positively correlated with website compromise. Finally, we examine the link between webservers running outdated software and being compromised. Contrary to conventional wisdom, we find that servers running outdated versions of WordPress (the most popular CMS platform) are less likely to be hacked than those running more recent versions. We present evidence that this may be explained by the low install base of outdated software.


Content-management systems Webserver security  Case-control study Cybercrime Security economics 



This work was partially funded by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) Broad Agency Announcement 11.02, the Government of Australia and SPAWAR Systems Center Pacific via contract number N66001-13-C-0131. This paper represents the position of the authors and not that of the aforementioned agencies.


  1. 1.
    Leontiadis, N., Moore, T., Christin, N.: Measuring and analyzing search-redirection attacks in the illicit online prescription drug trade. In: Proceedings of USENIX Security 2011, San Francisco, CA, August 2011Google Scholar
  2. 2.
    Nikiforakis, N., Invernizzi, L., Kapravelos, A., Acker, S.V., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: Large-scale evaluation of remote JavaScript inclusions. In: ACM Conference on Computer and Communications Security, pp. 736–747 (2012)Google Scholar
  3. 3.
    Schlesselman, J.: Case-Control Studies: Design, Conduct, Analysis. Oxford University Press, New York (1982)Google Scholar
  4. 4.
    Doll, R., Hill, A.: Lung cancer and other cuases of death in relation to smoking; a second report on the mortality of british doctors. Br. Med. J. 2, 1071–1081 (1956)CrossRefGoogle Scholar
  5. 5.
    Verisign: The domain name industry brief, April 2013. Accessed 1 May 2013
  6. 6.
  7. 7.
    Anti-Phishing Working Group.
  8. 8.
    APWG: Global phishing survey: Trends and domain name use in 2H2012. (2013). Accessed 5 May 2013
  9. 9.
    Leontiadis, N., Moore, T., Christin, N.: Pick your poison: Pricing and inventories at unlicensed online pharmacies. In: ACM Conference on Electronic Commerce (2013)Google Scholar
  10. 10.
    W3techs: Market share trends for content management systems. Accessed 3 May 2013
  11. 11.
  12. 12.
  13. 13.
    Hoepman, J.-H., Jacobs, B.: Increased security through open source. Commun. ACM 50(1), 79–83 (2007)CrossRefGoogle Scholar
  14. 14.
    Chapman, P.: ‘New software version’ notifications for your site.
  15. 15.
  16. 16.
    Anderson, R., Moore, T.: The economics of information security. Science 314(5799), 610–613 (2006)CrossRefGoogle Scholar
  17. 17.
    Doupe, A., Cavedon, L., Kruegel, C., Vigna, G.: Enemy of the State: A State-Aware Black-Box Vulnerability Scanner. In: Proceedings of the USENIX Security Symposium, Bellevue, WA, August 2012Google Scholar
  18. 18.
    Scholte, T., Balzarotti, D., Kirda, E.: Quo vadis? A study of the evolution of input validation vulnerabilities in web applications. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 284–298. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  19. 19.
    Wang, D., Savage, S., Voelker, G.: Cloak and dagger: Dynamics of web search cloaking. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 477–490. ACM (2011)Google Scholar
  20. 20.
    Li, Z., Alrwais, S., Xie, Y., Yu, F., Wang, X.: Finding the linchpins of the dark web: A study on topologically dedicated hosts on malicious web infrastructures. In: 34th IEEE Symposium on Security and Privacy, (2013)Google Scholar
  21. 21.
    Lee, M.: Who’s next? identifying risks factors for subjects of targeted attacks. In: Proceedings of the Virus Bulletin Conference, pp. 301–306 (2012)Google Scholar
  22. 22.
    Pitsillidis, A., Kanich, C., Voelker, G., Levchenko, K., Savage, S.: Taster’s choice: A comparative analysis of spam feeds. In: ACM SIGCOMM Conference on Internet Measurement, pp. 427–440 (2012)Google Scholar
  23. 23.
    Ransbotham, S.: An empirical analysis of exploitation attempts based on vulnerabilities in open source software. In: Proceedings (online) of the 9th Workshop on Economics of Information Security, Cambridge, MA, June 2010Google Scholar
  24. 24.
    BlindElephant web application fingerprinter.
  25. 25.
  26. 26.
  27. 27.
    Exploit database.

Copyright information

© International Financial Cryptography Association 2014

Authors and Affiliations

  1. 1.Computer Science and Engineering DepartmentSouthern Methodist UniversityDallasUSA

Personalised recommendations