Replication data for: Identifying Risk Factors for Webserver Compromise
Source: DataONE | Updated: 2015-04-11 | Indexed: 2024-06-27
Download link:
https://search.dataone.org/view/sha256:6e3aa46307a3643063bb15124a6be14aa14a0712a0d25689cf94b5627052e7f8
Description:
We describe a case-control study to identify risk factors that are associated with higher rates of webserver compromise. We inspect a random sample of around 200,000 webservers and automatically identify attributes hypothesized to affect the susceptibility to compromise, notably content management system (CMS) and webserver type. We then cross-list this information with data on webservers hacked to serve phishing pages or redirect to unlicensed online pharmacies. We find that webservers running WordPress and Joomla are more likely to be hacked than those not running any CMS, and that servers running Apache and Nginx are more likely to be hacked than those running Microsoft IIS. Furthermore, using a series of logistic regressions, we find that a CMS's market share is positively correlated with website compromise. Finally, we examine the link between webservers running outdated software and being compromised. Contrary to conventional wisdom, we find that servers running outdated versions of WordPress (the most popular CMS platform) are less likely to be hacked than those running more recent versions. We present evidence that this may be explained by the low install base of outdated software.
Created:
2023-11-20



