Hackers Increasingly Target Shared Web Hosting Servers For Use In Mass Phishing Attacks

ASP.NET App Suspend – responsive shared .NET web hosting

Forty-seven percent of all phishing attacks recorded worldwide during the second half of 2012 involved such mass break-ins of shared Web hosting servers, APWG said in the latest edition of its Global Phishing Survey report published Thursday. In this type of attack, once phishers break into a shared Web hosting server, they update its configuration so that phishing pages are displayed from a particular subdirectory of every website hosted on the server, APWG said. A single shared hosting server can host dozens, hundreds or even thousands of websites at a time, the organization said.

APWG is a coalition of over 2000 organizations that include security vendors, financial institutions, retailers, ISPs, telecommunication companies, defense contractors, law enforcement agencies, trade groups, government agencies and more.

Hacking into shared Web hosting servers and hijacking their domains for phishing purposes is not a new technique, but this type of malicious activity reached a peak in August 2012, when APWG detected over 14,000 phishing attacks sitting on 61 servers. “Levels did decline in late 2012, but still remained troublingly high,” APWG said.

Phishing jumped in late 2012

During the second half of 2012, there were at least 123,486 unique phishing attacks worldwide that involved 89,748 unique domain names, APWG said. This was a significant increase from the 93,462 phishing attacks and 64,204 associated domains observed by the organization during the first half of 2012. “Of the 89,748 phishing domains, we identified 5835 domain names that we believe were registered maliciously, by phishers,” APWG said. “The other 83,913 domains were almost all hacked or compromised on vulnerable Web hosting.” In order to break into such servers, attackers exploit vulnerabilities in Web server administration panels like cPanel or Plesk and popular Web applications like WordPress or Joomla.
“These attacks highlight the vulnerability of hosting providers and software, exploit weak password management, and provide plenty of reason to worry,” the organization said. Cybercriminals break into shared hosting environments in order to use their resources in various types of attacks, not just phishing, APWG said. For example, since late 2012 a group of hackers has been compromising Web servers in order to launch DDoS (distributed denial-of-service) attacks against U.S. financial institutions. In one mass attack campaign dubbed Darkleech, attackers compromised thousands of Apache Web servers and installed SSH backdoors on them. It’s not clear how the Darkleech attackers break into these servers in the first place, but vulnerabilities in Plesk, cPanel, Webmin or WordPress have been suggested as possible entry points.
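A defender-side check for the pattern APWG describes above, added here as an example and not part of the original article: it lists each hosted site's top-level subdirectories and flags any name that shows up across most sites on the host but is not in a known-benign baseline, which is what a subdirectory planted under every website at once looks like on disk. The baseline set, the threshold and the six sample document roots are constructed assumptions.

```python
"""Added example: spot one subdirectory planted across most sites on a shared host."""
from __future__ import annotations

import tempfile
from collections import Counter
from pathlib import Path

# Assumption: directory names that legitimately recur on this host; tune per server.
KNOWN_COMMON = {"css", "js", "images", "wp-content", "wp-admin", "wp-includes"}


def site_subdirs(docroot: Path) -> set[str]:
    """First-level subdirectory names of one site's document root."""
    return {p.name for p in docroot.iterdir() if p.is_dir()}


def shared_subdirs(docroots: list[Path], min_fraction: float = 0.5) -> dict[str, int]:
    """Map each non-baseline subdirectory name found in at least min_fraction of
    the sites (and in at least two of them) to the number of sites carrying it.
    The same unexpected path repeating across unrelated sites is the signal."""
    counts = Counter()
    for root in docroots:
        counts.update(site_subdirs(root))
    threshold = max(2, round(min_fraction * len(docroots)))
    return {name: n for name, n in counts.items()
            if n >= threshold and name not in KNOWN_COMMON}


def build_sample_host(base: Path) -> list[Path]:
    """Constructed sample data: six docroots with ordinary content, plus the same
    unexpected directory dropped into five of them."""
    docroots = []
    for i in range(6):
        root = base / f"site{i}.example"
        for name in ("css", "images", "wp-content"):
            (root / name).mkdir(parents=True)
        if i == 0:
            (root / "blog").mkdir()            # unique to one site: ignored
        if i < 2:
            (root / "uploads").mkdir()         # only two sites: below threshold
        if i != 3:
            (root / "verify-account").mkdir()  # planted under five of six sites
        docroots.append(root)
    return docroots


def demo() -> dict[str, int]:
    """Run the check against the constructed host and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return shared_subdirs(build_sample_host(Path(tmp)))
```

Where the planted path is served through a server-wide alias or rewrite rule rather than a directory on disk, pair this with a diff of the web server configuration against a known-good copy.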
For the original version including any supplementary images or video, visit http://www.pcworld.com/article/2036452/hackers-increasingly-target-shared-web-hosting-servers-for-use-in-mass-phishing-attacks.html

In both cases, we loaded up the machine (the same machine) with sites until it hit 80% memory utilization, as measured by Windows perf counters. 80% is a good base utilization number, since it allows for memory spikes while the apps are running. For Windows Server 2012, we disabled the terminate timeout, and then loaded sites, 100 at a time, until we hit 80% memory utilization. For Windows Server 2012 R2, we set the suspend timeout at 1 min, and then loaded sites every minute, 100 at a time, until we hit that same memory utilization. Naturally, those sites would all suspend. We were able to load 300 sites on Windows Server 2012 and 2100 sites on Windows Server 2012 R2, with suspend enabled. That's a 7x increase!

We also conducted another experiment, where we measured startup time. We had 1000 sites registered on the machine, which were an equal number of duplicates of four different .NET site packages (e.g., DotNetNuke). We then hit each one of those 1000 sites in a round-robin fashion, in order to blow disk, memory and SQL caches (a realistic effect for shared hosting). We took measurements, and averaged them for each site type, for both the cold startup and suspend cases. We also had another set of sites on the machine that we were hitting at the same time to create significant load on the machine. As a result, the numbers we recorded are biased towards the worst case, for both cold start and resume-from-suspend scenarios. In many cases, you will see better numbers than ours. You can see the density and startup improvements that we observed in our lab in the chart below, with the set of apps that we chose.

We went through significant effort to create a good at-load scenario to demonstrate the value of ASP.NET App Suspend, for the charts above. This will be difficult for you to do on your own machine. It will also mean that you won't see startup numbers as bad as the ones above on an idle developer machine. To that end, we created another set of numbers, just for DotNetNuke, at idle. You can see that the gap remains just as significant. For a feature that requires zero code changes to adopt, I'd say that's pretty great value!

Our performance tests were conducted on a machine with the following specs: Intel Xeon L5630 2.13 GHz, 4 cores, 32GB RAM, SSD for page file.

How to enable and monitor ASP.NET App Suspend

It is really easy to enable ASP.NET App Suspend. It's a new setting in IIS configuration, available on each application pool. I posted a blog post on the ASP.NET team blog that explains how: Enable and monitor ASP.NET App Suspend on Windows Server 2012 R2. If you are familiar with IIS configuration, here's the one screenshot that you'll need.

Usage scenarios

This post focused on the shared hosting usage scenario; however, there are a few other scenarios that can benefit from ASP.NET App Suspend.

Switch to shared hosting: Web site owners can take advantage of low-cost shared hosting while delivering the responsive experience that they want.

Hot spare for large sites: Large high-traffic sites can maintain spares in suspend, ready for when one of the servers behind a load balancer goes down (planned or unplanned).

Disaster recovery: Large high-traffic sites can maintain spares in suspend in a backup datacenter, ready for when the main data center goes down or otherwise becomes inaccessible.
For the original version including any supplementary images or video, visit http://blogs.msdn.com/b/dotnet/archive/2013/10/09/asp-net-app-suspend-responsive-shared-net-web-hosting.aspx
