This is a preprint of an Article accepted for publication in WWW'13 © 2013 International World Wide Web Conference Committee

The Role of Web Hosting Providers in Detecting Compromised Websites

Davide Canali, EURECOM, France, canali@eurecom.fr
Davide Balzarotti, EURECOM, France, balzarotti@eurecom.fr
Aurélien Francillon, EURECOM, France, aurelien.francillon@eurecom.fr

ABSTRACT
Compromised websites are often used by attackers to deliver malicious content or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little security background - often unable to detect this kind of threat or to afford an external professional security service.

In this paper we test the ability of web hosting providers to detect compromised websites and react to user complaints. We also test six specialized services that provide security monitoring of web pages for a small fee.

During a period of 30 days, we hosted our own vulnerable websites on 22 shared hosting providers, including 12 of the most popular ones. We repeatedly ran five different attacks against each of them. Our tests included a bot-like infection, a drive-by download, the upload of malicious files, an SQL injection stealing credit card numbers, and a phishing kit for a famous American bank. In addition, we also generated traffic from seemingly valid victims of phishing and drive-by download sites. We show that most of these attacks could have been detected by free network or file analysis tools. After 25 days, if no malicious activity was detected, we started to file abuse complaints to the providers. This allowed us to study the reaction of the web hosting providers to both real and bogus complaints.

The general picture we drew from our study is quite alarming. The vast majority of the providers, or "add-on" security monitoring services, are unable to detect the most simple signs of malicious activity on hosted websites.

Categories and Subject Descriptors
K.6.5 [Security and Protection]: Invasive Software (e.g., viruses, worms, Trojan horses), Unauthorized access (e.g., hacking, phreaking); C.4 [Performance of Systems]: Measurement techniques

Keywords
Shared web hosting; web security

1. INTRODUCTION
Owning and operating a website has become a quite common activity in many parts of the world, and millions of websites are operated, every day, for both personal and professional use. People do not need any more to be computer "gurus" in order to be able to install and run a website: a web browser, a credit card with a few dollars' balance, and some basic computer skills are usually enough to start such an activity.

Copyright is held by the International World Wide Web Conference Committee (IW3C2). IW3C2 reserves the right to provide a hyperlink to the author's site if the Material is used in electronic media. WWW 2013, May 13–17, 2013, Rio de Janeiro, Brazil. ACM 978-1-4503-2035-1/13/05.

Of all the possible ways to host a website, shared hosting is usually the most economical option. It consists in having a website hosted on a web server where other websites may reside and share the machine's resources. Thanks to its low price, shared hosting has become the solution of choice for hosting the majority of personal and small business websites all over the world.

Being so common, however, shared hosting websites also have high chances of being targets of web attacks, and become means for criminals to spread malware or host phishing scams. In addition, such websites are often operated by users with little or no security background, who are unlikely to be able to detect attacks or to afford professional security monitoring services.

Our work focuses on shared web hosting services, and presents a study on what shared hosting providers do in order to help their customers in detecting when their websites have been compromised. We believe this is an important commitment, given the fact that shared hosting customers are the most vulnerable to web attacks [9]. Furthermore, even a security-aware shared hosting customer would never be able to fully protect and monitor his or her account without the provider's cooperation. In fact, in a shared hosting configuration, the user has few privileges on the machine and she is not allowed to run or install any monitoring or IDS application, nor to customize the machine's web server, its firewall, or security settings. Thus, in order to protect his or her website, a user has to fully rely on the security measures employed by the hosting provider.

In our study, we also tested the providers' reactions to abuse complaints, and the attack detection capabilities of six specialized services providing security monitoring of websites for a small fee.

In a recent survey [4], Commtouch and the StopBadware organization reported the results of a questionnaire in which 600 owners of compromised websites were asked some questions about the attacks that targeted their websites. From this study, it emerged that, among the surveyed users, 49% of them were made aware of the compromise by a browser warning, while in fewer cases they were notified by their hosting provider (7%) or by a security organization (10%). Also, 14% of the users who took the survey said their hosting provider removed the malicious content from their website after the infection. At the end, only 12% of the customers were satisfied with the way their hosting provider handled the situation, while 28% of users who took the survey were considering moving to a new provider because of this experience.

Inspired by the StopBadware report, we decided to systematically analyze, on a wider scale and in an automated way, how web hosting companies behave with regard to the detection of compromised websites, what their reactions are in case of abuse complaints, and how they proceed to inform a customer about his website being compromised.

To our knowledge, this is the first work studying, on a worldwide scale, the quality and reliability of security monitoring activities performed by web hosting providers to detect compromised customer websites. Unfortunately, the general picture we drew from our results is quite alarming: the vast majority of providers and "add-on" security monitoring services are unable to detect the most simple signs of malicious activity on hosted websites. It is important to note that we do not want to blame such providers for not protecting their customers, since this service is often not part of the contract for which users are paying. However, we believe it would be in the interest of the providers and of the general public to implement simple detection mechanisms to promptly identify when a website has been compromised and is used to perform malicious activities.

Section 2 of the paper describes the setup and deployment of the test cases we employed to carry out our study; Section 3 reports the results of our experiments, as well as some insights on how hosting providers act with regard to preventing abusive uses of their services and web attacks against their customers' websites. Section 4 explores the related work in this field. Section 5, finally, summarizes the main findings of our work, and concludes the study providing ideas for future improvements in this area of research.

2. SETUP AND DEPLOYMENT
For our study, we selected a total of 22 hosting providers, chosen among the world's top providers in 2011 and 2012 (we will refer to these as global-1 to global-12), and among other regional providers operating in different countries (referred to as regional-1 to regional-10). We selected the global providers by picking the ones appearing most frequently on lists of top shared hosting providers published on web hosting-related websites, e.g., tophosts.com, webhosting.info, and webhostingreviews.com. The regional providers were instead chosen from the "Country-wise Top hosts" list published by the webhosting.info website [19], with the aim of having an approximately uniform geographical distribution over every area of the world. Our final list included providers in the US, Europe, India, Russia, Algeria, Hong Kong, Argentina and Indonesia.

For our study, we limited our choice to providers that allowed international registrations, as our hosting accounts were registered using real personal data of people belonging to our research group. In fact, we noticed that some providers, probably because of regulations in their country, limit the possibility of registering a web hosting service only to national customers. This is especially true for countries such as China, Brazil, and Vietnam, whose providers often require a national ID card number upon registration.

Also, our choice was limited to providers offering shared hosting services as part of their products, allowing to host at least one domain name per account, supporting the PHP programming language, and the FTP transfer protocol.

2.1 Test Cases
We conducted our study by registering five shared hosting accounts for each of the 22 web hosting providers. Each one of the five accounts was targeting a particular class of threat, chosen among the most common types of web attacks that could be easily detected by hosting providers.

Four out of the five test cases we deployed are based on a static snapshot of a website running OsCommerce v.2.2. The application was modified so that the PHP pages always returned a static version of the site, without the need of installing a back end database. Each snapshot was modified by hand in order to include the ad-hoc code required for our experiments, and to diversify the content, the appearance, and the images shown in each page.

Our test files were deployed in the /osco subdirectory of every hosting account we registered, while the home page of each domain showed only an empty page with the message "Coming soon...". We did not create any link to the /osco subdirectory, and we excluded the possibility for web spiders to visit our test case websites by denying any robot access using the robots.txt file. This was done in order to avoid external visits to our test case websites, which could have interfered with our tests.

Intentionally installing and exploiting vulnerable web applications on shared hosting accounts may raise some ethical and legal concerns. For this reason, we carefully designed our tests to resemble real compromised websites - being at the same time completely harmless for both the provider and other Internet users. For example, we modified the application code to mimic an existing vulnerability but, compared to their real counterparts, our code was executed only when an additional POST parameter contained a password that we hard coded in the application, thus allowing only us to exploit the bug.

2.1.1 SQL Injection and Data Exfiltration (SQLi)
The first test case aimed at detecting whether web hosting providers detect or block SQL injection and data exfiltration attacks against their customers' websites. The test consisted in deploying the static snapshot of OsCommerce including a page that mimics the SQL injection vulnerability presented in CVE-2005-4677.

Setup - The product_info.php page was modified to recognize our SQL injection attempts and respond by returning a list of randomly generated credit card numbers along with personal details of fictitious people (name, address, email, and MD5 password hash). In order to pass the Luhn test, fake credit card numbers were generated using an online credit card test number generator [6].

Attack - The attack for this test case was run every hour, and consisted of a script mimicking a real SQL injection attack: first, the fake vulnerable page (product_info.php) was visited, then a sequence of GET requests was sent to the same page adding different payloads to the products_id GET parameter. The first request simulated somebody testing for the presence of SQL injection vulnerabilities by setting products_id=99'; then, five attack requests were issued to the same page by setting the following payloads for the vulnerable parameter:

    1: 99' UNION SELECT null,CONCAT(first_name, ... customers_password),1,CONCAT(cc_type, ... cc_expiration) FROM customers LIMIT 1,1/*
    2: 99' UNION ALL SELECT null,CONCAT(first_name, ... customers_password),1,CONCAT(cc_type, ... cc_expiration) FROM customers LIMIT 2,1/*
    3: 99' UNION S/**/ELECT null,CONCAT(first_name, ... customers_password),1,CONCAT(cc_type, ... cc_expiration) FROM customers LIMIT 3,1/*
    4: 99' UNION S/**/ELECT null,CONCAT(first_name, ... customers_password),1,CONCAT(cc_type, ... cc_expiration) FR/**/OM customers LIMIT 4,1/*
    5: 99' UNION S/**/ELECT null,CO/**/NCAT(first_name, ... customers_password),1,CO/**/NCAT(cc_type, ... cc_expiration) FR/**/OM customers LI/**/MIT 5,1/*

Listing 1: Payloads of fake SQL Injection requests

The purpose of these payloads was to detect whether hosting providers employ any blacklist-based approach to detect SQL injection attempts on their customers' websites. Requests in lines 1 and 2 would fail in case the providers employ simple blacklisting rules (blocking any UNION SELECT and UNION ALL SELECT) in URLs. The last three requests would fail only if providers deploy more complex rules that are able to blacklist typical SQL words even in case they are stuffed with comments, or if words like FROM, CONCAT and LIMIT are blacklisted as well.
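
The difference between the two rule classes described above can be reproduced offline. The following Python sketch is an added example, not code from the paper: it runs a plain UNION SELECT blacklist and a comment-normalizing variant over constructed access-log lines modelled on Listing 1 (column lists shortened; the IP address, timestamp and response size are made up).

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Rule 1: the "simple blacklist" of the text, matched on the raw parameter value.
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
# Inline SQL comments, the stuffing used in payloads 3-5 of Listing 1.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')


def simple_rule(value):
    """Blacklist hit on the value exactly as it was sent."""
    return bool(UNION_SELECT.search(value))


def normalized_rule(value):
    """Blacklist hit after stripping inline comments.

    A comment may sit inside a keyword, as in Listing 1, or between two
    keywords in place of whitespace, so both normalizations are tried.
    """
    for replacement in ("", " "):
        candidate = INLINE_COMMENT.sub(replacement, value)
        candidate = re.sub(r"\s+", " ", candidate)
        if UNION_SELECT.search(candidate):
            return True
    return False


def log_line(value):
    # Constructed access-log line (documentation IP range, made-up timestamp).
    target = "/osco/product_info.php?products_id=" + quote(value, safe="")
    return ('203.0.113.7 - - [01/Mar/2012:10:00:00 +0000] '
            f'"GET {target} HTTP/1.1" 200 512')


# Constructed sample: one benign visit, the quote probe, then the five
# payload shapes of Listing 1 with the elided column lists shortened.
COLS = "null,CONCAT(first_name,customers_password),1,CONCAT(cc_type,cc_expiration)"
STUFFED = COLS.replace("CONCAT", "CO/**/NCAT")
SAMPLE_LOG = [
    log_line("28"),
    log_line("99'"),
    log_line(f"99' UNION SELECT {COLS} FROM customers LIMIT 1,1/*"),
    log_line(f"99' UNION ALL SELECT {COLS} FROM customers LIMIT 2,1/*"),
    log_line(f"99' UNION S/**/ELECT {COLS} FROM customers LIMIT 3,1/*"),
    log_line(f"99' UNION S/**/ELECT {COLS} FR/**/OM customers LIMIT 4,1/*"),
    log_line(f"99' UNION S/**/ELECT {STUFFED} FR/**/OM customers LI/**/MIT 5,1/*"),
]


def scan(lines, param="products_id"):
    """Return (value, simple_hit, normalized_hit) per request carrying `param`."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == param:
                findings.append((value, simple_rule(value), normalized_rule(value)))
    return findings


if __name__ == "__main__":
    for value, simple_hit, normalized_hit in scan(SAMPLE_LOG):
        print(f"simple={simple_hit!s:5} normalized={normalized_hit!s:5} {value[:60]}")
```

The simple rule fires only on the two uncommented payloads, while the normalized rule fires on all five; neither fires on the benign visit or the single-quote probe.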

2.1.2 Remote File Upload (Web Shell) and Code Injection Using Web Shell (SH)
The goal of this test is to understand whether providers detect the upload and usage of a standard PHP shell, automatic file modifications on the customer's account, or the presence of malicious code on the home page of the website. In the test, a fake web shell is uploaded to the hosting account, and fake commands are issued to it, resulting in some drive-by-download code being added to the home page of the e-commerce web application.

Setup - This test uses the base static snapshot of the OsCommerce v.2.2 web application, and simulates a Remote File Upload vulnerability in the file admin/categories.php/login.php, as the one described in [13]. Our fake attack was designed to upload a modified version of the popular c99 PHP shell (one of the most common web shells on the web), that has no harmful effects other than the ability to inject custom code in the home page of the e-commerce web application. Also in this case, the custom code injection is enabled only when certain hidden parameters are specified along with the request of the c99 shell, thus allowing only us to trigger the injection. The content to be injected in OsCommerce's index page is a snippet of a real malicious code launching a drive-by download attack, that has been disabled by wrapping it into an if statement with a complex condition that is always False. We submitted the index page with the injected content to the VirusTotal online virus scanning service [1], and it was detected as malicious by 13 antivirus engines.

Attack - The test case for this attack was run every hour, and consisted in a script performing the upload of the web shell, followed by a number of commands issued on the shell. The shell file, called c99.php as the original shell, in order to be easily identifiable from the web server logs, was uploaded to the vulnerable URL by specifying the secret parameter enabling the upload. If the upload was successful, five commands were issued to the c99.php, picked randomly from a list of GET and POST requests containing both Unix commands and file names, so as to make the requests seem like the result of someone trying to manually explore the contents of the server. The requests simulated actions such as trying to read files (e.g., /etc/passwd) and execute Unix commands (who, uptime, uname, ls, ps). Our intuition was that hosting providers would probably be alerted by requests containing some of these file names or commands. Finally, the test used the PHP shell to inject a plaintext version of the malicious code into the home page of OsCommerce.

2.1.3 Remote File Upload of a Phishing Kit (Phish)
Similarly to the previous test, this test uses a file upload vulnerability in the OsCommerce application to upload a phishing kit to the web server. The phishing kit consists of an archive containing a static snapshot of a real Bank of America scam. The test aims at detecting whether hosting providers are able to detect the presence of a phishing kit on the customer's account. The phishing kit was installed inside a directory named /bankofamerica.com, thus allowing to detect any visit to the scam pages by simply looking at the requested URLs.

Setup - This copy of the application is configured with the same Remote File Upload vulnerability explained for the previous test. However, the vulnerable path for this test is admin/banner_manager.php/login.php. Whenever this script is issued an upload request for a file with tar extension, it uploads the archive and automatically unpacks its contents to the upload directory, thus allowing for an automatic installation of the phishing kit. The phishing kit we deployed is an exact copy of a real Bank of America phishing kit found in the wild, modified to remove the backend code (thus making it unable to store and send any user information).

Attack - This attack was split in two phases, which we refer to as attacker and victim. The attacker phase, run every 6 hours, consisted in triggering the remote file upload vulnerability and uploading the phishing kit. The victim phase of the attack was run four times per hour, and consisted in a script that simulated a victim falling prey to the scam. In order to look realistic, the victim requests were disguised as coming from a range of different valid User-Agent strings used by web browsers on Windows operating systems. Every simulated victim visit comprised a sequence of GET and POST requests containing the form parameters required by the phishing pages. At each victim visit, the data sent in the requests was randomly picked among a set of fake personal details we created by hand, containing names, addresses, passwords and credit card numbers of fictitious people.

2.1.4 Suspicious Network Activity: IRC Bot (Bot)
This test aims at understanding whether providers employ any network rules to detect suspicious connection attempts to possibly malicious services. For this study, we opted to deploy to our accounts a script simulating an IRC bot. The reason for this choice is that IRC bots are probably one of the most common and easily detectable bots, because IRC connections are very often made to the standard IRC port (6667) using cleartext communication.

Setup - This test uses our basic OsCommerce installation with no modifications. The executable bot client was deployed to the hosting account via FTP, thus simulating an attack in which the attacker has stolen the customer's web hosting credentials. The files to be uploaded are two IRC client binaries written in C (one compiled for 32-bit architectures, and one for 64-bit ones), and a PHP script that executes the right binary depending on the underlying OS type, and outputs its results. The IRC client, once launched, disguises itself as "syslogd" and tries to connect to a machine hosted on our premises that runs a fake IRC server on the standard IRC port. If the connection succeeds, the client and server exchange a few messages resembling real IRC commands (such as NICK xxx, USER xxx, JOIN #channel) and the client reports some information about the infected machine (hostname, OS type, kernel version); at last, the client closes the connection.

Attack - The test case for Bot was run every hour, and started with opening an FTP connection and uploading the two binaries and the PHP file in a new directory created in the website's root folder. If the upload succeeded, an HTTP request was issued to the PHP file launching the IRC client. The output of this request allowed us to determine whether the hosting provider was blocking the use of possibly dangerous PHP functions (IRC client execution denied - system() function disabled), blocking outgoing connections to certain ports (binary executed, but connection attempt failed), or allowing everything (successful connection to the server). In order to make the upload of the IRC botnet files appear even more suspicious, the FTP upload was executed using IP addresses from several different countries.

2.1.5 Known Malicious Files (AV)
This test aimed at understanding whether providers perform any scans of their disks with off-the-shelf antivirus software. The test simply consisted in deploying, via FTP, two common known malicious files to the customer's hosting account.

Setup - Websites hosting this test used a simpler structure than the previous tests, and consisted in a single static HTML page containing random sentences in English and a few images. As in test Bot, we chose to use FTP to upload the malicious files to the account, to simulate a case in which the attacker has knowledge of the customer's account credentials. The two malicious files were c99.php, a real c99 PHP web shell, detected on VirusTotal with a score of 25/43 (25 antivirus engines detecting it, out of 43 it was tested against), and sb.exe, a copy of the 2011 Ramnit worm, detected by 36 out of 42 antivirus products according to VirusTotal. In order to make sure the malicious files were not reachable by any web visitor, but only available to people having internal access to the server, they were uploaded to a directory protected by means of .htaccess (denying the listing of its files) and .htpasswd (requiring a password to access its files from the web).

Attack - The attack itself consisted simply in connecting to the hosting account's web space via FTP and uploading every time (deleting and re-uploading if already present) the protected directory and the two malicious files. Also in this case, FTP connections were issued from IP addresses in different countries.

Test #                                    SQLi   SH    Phish   Bot   AV
Blocked by ModSecurity - base ruleset
Blocked by ModSecurity - OWASP ruleset
High severity IDS alerts                  5      2     2       0     0
Detectable by antiviruses                 no     yes   no      no    yes

Table 1: Attacks detection using freely available state-of-the-art security scanning tools. Legend: no; in part; yes (full); - not applicable

2.2 Attack Detection Using State-of-the-Art Tools
Before deploying the tests to the shared hosting accounts, we made sure they could be detected using common state-of-the-art tools, that can be easily employed by any hosting provider. In order to do so, we executed our tests against an installation of the Security Onion Linux distribution, which includes a preconfigured set of open source tools for monitoring suspicious network and system activity (Bro IDS, Snort, Sguil). The installation of this distribution was then equipped with the Apache2 web server and the ModSecurity plugin, along with its base recommended ruleset.

We also installed the OWASP ModSecurity "Core Rule Set", a set of common security rules for Apache ModSecurity that is maintained by the OWASP foundation [14]. These are free certified rule sets providing generic protection from unknown vulnerabilities often found in web applications. We installed version 2.2.5 of the ruleset on our test machine, and disabled some rulesets (base rules number 21, 23, 30) for being too generic and generating too many false alarms. We finally ran each of the five test cases toggling on and off the OWASP ModSecurity rules.

Table 1 summarizes what we were able to detect or block using this setup, during the execution of each test. Four out of the five attacks would have been blocked or detected by employing free network and host monitoring solutions like the ones mentioned above, and the remaining attack could have been easily detected by setting up a simple connection filtering rule in the firewall.

2.2.1 SQLi
The attacks of test SQLi, when run using the basic installation of ModSecurity, succeed, but generate a series of five different high severity alerts about possible web server SQL injection attempts. When the OWASP ruleset is enabled, however, all the five SQL injection attempts on which the attack is built fail.

2.2.2 SH
The SH test, executed against a web server with the basic ModSecurity rules, successfully uploads the c99 shell and injects the drive-by code in index.php. However, two high severity events are raised by the IDS, one of which notifies a remote code execution on OsCommerce v.2.2 (triggered by our attack to upload the web shell). If the OWASP rules are enabled, the remote file upload succeeds but most of the commands issued to the web shell fail and raise critical alert messages, notifying the possibility of a web file injection attack. The index file modification, finally, fails and raises a message notifying the detection of multiple URL encodings in the request, as a possible sign of protocol evasion. Finally, it has to be noted that, although we removed all the existing functionalities from the original web shell, our c99.php contains some original PHP code to display images and UI elements, plus our custom drive-by injection code. As such, it would still be detected during a virus scan by approximately 17% of the antivirus engines on the market (its VirusTotal score is 7/42). The index.php containing the injected content would instead be detected by almost 30% of the antiviruses, having a VirusTotal detection score of 13/44.

2.2.3 Phish
This attack succeeded but raised two high severity events: potential remote code execution in OsCommerce v.2.2, and presence of PHP tags in the HTTP post (detected on the tar file containing the phishing kit). On the victim's side, no HTTP request is blocked when uploading personal information to the scam pages. A possible solution to stop, or at least raise alerts on the victim's requests, however, could be deploying a simple IDS/IPS rule that detects the submission of parameters containing cleartext personal details, such as credit card numbers and cvv2 codes.
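
One way such a rule could decide that a form submission carries a card number is to look for digit runs of card length that pass the Luhn test mentioned in Section 2.1.1. The following Python sketch is an added example, not code from the paper; the form field names and sample bodies are constructed, and the card number is a widely used test number.

```python
import re
from urllib.parse import parse_qsl

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
CVV_VALUE = re.compile(r"\d{3,4}")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def inspect_form_body(body):
    """Return (card_fields, cvv_candidates) for a urlencoded POST body.

    card_fields: parameters whose value contains a Luhn-valid card number.
    cvv_candidates: other parameters holding only 3 or 4 digits, reported
    only when a card number is present in the same submission.
    """
    fields = parse_qsl(body, keep_blank_values=True)
    card_fields = []
    for name, value in fields:
        for match in PAN_CANDIDATE.finditer(value):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                card_fields.append(name)
                break
    cvv_candidates = []
    if card_fields:
        cvv_candidates = [
            name for name, value in fields
            if name not in card_fields and CVV_VALUE.fullmatch(value.strip())
        ]
    return card_fields, cvv_candidates


def should_alert(body):
    """Alert when any parameter carries a cleartext, Luhn-valid card number."""
    return bool(inspect_form_body(body)[0])


# Constructed sample bodies (hypothetical field names).
VICTIM_POST = ("fullname=Jane+Doe&address=1+Example+St"
               "&ccnum=4111+1111+1111+1111&cvv2=123&zip=10001")
DASHED_POST = "card=4111-1111-1111-1111&code=9876"
ORDER_POST = "order_ref=1234567812345678&qty=2&pin=0420"  # 16 digits, fails Luhn

if __name__ == "__main__":
    for sample in (VICTIM_POST, DASHED_POST, ORDER_POST):
        print(should_alert(sample), inspect_form_body(sample))
```

The Luhn check is what keeps a 16-digit order reference from raising the same alert as a card number.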

2.2.4 Bot
The Bot test case was undetected by the basic and OWASP ModSecurity rulesets, as it was run via FTP. In our tests, the connection succeeded and the bot and fake IRC server completed their message exchange. A normal firewall rule blocking outgoing connections to port 6667 (IRC) would have, however, blocked the attack.

2.2.5 AV
The malware upload test (AV) was undetected by our test deployment, because no HTTP traffic was generated and no network antivirus was used. However, as explained in Section 2.1.5, we recall that the uploaded c99.php and sb.exe are common malicious files detected by VirusTotal with detection scores of 25/42 and 36/42, respectively. Therefore, the vast majority of off-the-shelf antiviruses would have detected them during a scan of the website's root directory.

2.3 Test Scheduling and Provider Solicitation
All attacks were run without interruption on every hosting account for the first 25 days of testing. As explained in the previous section, each attack was repeated multiple times per day in order to generate more alerts and increase the probability of being detected. If the hosting provider did not detect any suspicious activity during this time frame, the tests entered a second phase, during which we solicited the provider to detect our attacks and take action against them. This solicitation took place as an abuse notification email for the Phish and AV tests, in which we reported the presence of malicious files on the web application. We also generated "fake" abuse notifications to study the reaction of the providers to bogus complaints. This allowed us to understand: 1) how quickly providers respond to abuse notifications, if they ever do, 2) if they actually verify the presence of malicious content or activity on the account before taking any action, and 3) what kind of actions they take in order to stop the abuse. Abuse notifications were sent to providers by email, using real (authenticated) email addresses registered on 3rd party domains, to make them look like realistic notifications from random web users.

2.3.1 Real Abuse Notifications
Starting the 25th day of testing, we started sending one abuse complaint per day to each provider on which tests Phish and AV had not been previously detected. We stopped the notification process and the real attacks on the account either when the 30 day testing period elapsed, or after the provider responded to the notification. The notification email explained that an email had been received, with a link pointing to content hosted on the provider's premises. The link pointed to the phishing kit's index page for Phish, and to the sb.exe file for the AV test. In addition, the email mentioned that the user's antivirus raised an alert when trying to visit the URL, and suggested that the web provider check the contents of the account.

2.3.2 Fake Abuse Notifications
Apart from real abuse notifications, we also sent emails in which we complained about perfectly clean websites. To perform this test, we cleaned and re-used the account used for the SQLi and Bot tests. The website contents were replaced by a single static HTML page containing one JPG picture and a long list of news extracted from the RSS feeds of popular international news websites. Starting on the 25th day, we sent to every provider an email per day, where the user complained about the presence of offending or malicious content on these accounts. Since at the time these emails were sent the websites were absolutely clean, these fake notifications allowed us to understand whether providers actually check the veracity of the complaints they receive before taking any action. The first complaint email was from a user pretending that the website's content was offending his religious views, and kindly asking to stop the website owner from spreading such disrespectful messages. In the second scenario, the notification email was from a user claiming to have received an email with a link to the website in question. The user explained that his browser denied access to the URL, and that at a closer look the website looked like it was hosting a phishing scam. Also in this case, the account hosting the reported web page was absolutely clean, hosting only the benign static HTML home page.

One may argue that, in case of these fake notifications, the provider could react by suspending or shutting down the user account by having a look at the logs of the machine on which the account was set up, and noticing past malicious activity, even though, at notification time, the website was clean. We did our best in order to avoid this from happening, by deploying our tests for fake notifications on accounts that hosted the SQLi and Bot tests. These tests could not be considered malicious (no malware nor phishing files were ever uploaded) but the mere evidence that the website was under attack. Moreover, attacks for these tests could only have been detected at a network level, since no trace was left on the disk.

3. EVALUATION
During our experiments, we evaluated the security measures put in place by web hosting providers to detect malicious activities, compromised websites, and prevent abuse of their services. We group our findings in three categories: account verification upon signup (3.1), compromise prevention and detection capabilities on live websites (3.2.2), and responses to abuse notifications (3.3).

3.1 Sign-up Restrictions and Security Measures
Even though our work was not meant to test the anti-abuse signup policies of web hosting providers, we report here some results that may contribute in understanding how much effort providers put in preventing services subscription by malicious users.

Several providers try to discourage abusers by asking to verify the information entered during the signup phase, either by calling the customers on the phone, or by requiring a scanned copy of their documents (such as government issued ID, credit card used for the purchase). Some providers also use 3rd party fraud protection services, that block purchases based on a set of heuristics. For example, we observed several cases in which the providers correlated the geographic location of the customer, the billing information, and the IP address used for the purchase.

The shared hosting accounts we used for our study were all registered using real personal information of people working in our group, and the billing information of our research institute. The sign-up process was carried out from several IP addresses, using either credit card or PayPal payments.

Anti-abuse signup policies vary widely between hosting providers. Top global hosting providers are more cautious with regard to signup, often blocking attempts - e.g., blocking multiple registrations from the same billing address and credit card number, verifying the customer's personal information by verification phone calls or ID and credit card checks. Regional providers seem to be more permissive, probably because they have fewer incentives in making their signup process more difficult, which could make them lose potential customers.

Among the twelve global providers, seven of them required us to verify our account information for at least one of the accounts we registered with them. In order to verify our account information, all these companies required a scanned version or photocopy of a government issued photo identification card (such as passport or driver's license) and the front and back of the credit card used at signup (without showing the first 12 numbers and the cvv2 code). Only one out of these seven companies claimed, on its website, to manually verify every customer's signup before allowing the purchase of its web hosting services. Indeed, this was the only provider that verified every account we registered with them.

Regional providers, instead, do not seem to be as cautious during the account signup phase. Only one out of ten blocked an account creation because of a mismatch between our billing address and the geolocation of the IP address used for registration.

Finally, three of the regional providers we tested had a very simple signup process, where users could register an account in one click, by filling all the required personal and payment information in one page. These providers never asked us to verify our information upon registration, and thus could possibly be a good choice for criminals wanting to perform abusive subscriptions.

Signup verification requests are either sent during registration or after a successful account registration and activation. While requiring an account verification upon signup can be effective in preventing malicious registrations, it can also make the hosting provider lose potential good customers that may not have time or patience to provide all the required information. On the other hand, requiring an account verification once the service has been purchased and set up has the drawback of temporarily suspending an account on which a website has already possibly been deployed, thus causing a service outage for a benign customer. During our experiments we encountered both situations. Table 2 shows the percentage of verification requests on the number of accounts we registered for each provider, grouped by the time at which the request was issued. Only providers that requested at least one account verification are listed.

Provider      Verification time
              Before payment   Before activation   After activation
global-2      25%              -                   50%
global-3      25%              -                   25%
global-4      33%              -                   -
global-5      40%              -                   -
global-6      -                33%                 -
global-7      100%             -                   -
global-8      50%              25%                 -
regional-2    33%              -                   -

Table 2: Account verification times. Values represent the percentage of verification requests on the number of accounts we registered for each provider. "Before payment" means during the registration process. "Before activation" means once the client's billing account is created, but the hosting service is not yet active. "After activation" indicates when the hosting account is active and a website has possibly already been installed.

The table shows that, in general, most of the anti-abuse systems send alerts and block a registration attempt during the customer's signup phase. This typically happens when the user enters his or her credit card details and tries to complete the hosting purchase. Others, instead, let the client sign up for the service and receive its management panel credentials, but lock the web hosting service activation until a copy of the customer's document is received by the support department. Two web hosting providers (global-2, 3) sent verification requests when the web hosting account was already active and the customer's website deployed. This caused a temporary service disruption for the affected accounts, making their websites unavailable for several hours. Certain providers, finally, issued verification requests at different times, probably depending on the kind of alert they received from their abuse prevention system (global-2, 3, 8).

3.2 Attack and Compromise Detection

During the first phase of our experiments, we deployed our five test suites on every hosting provider and recorded whether the hosting provider took some action or contacted us to notify that malicious activity was observed on our account. As explained in Section 2.3, if no malicious activity was detected on the account during the first 25 days, we started sending abuse notifications to the hosting provider, in order to stimulate a response. The results of this second phase are summarized in Section 3.3.

To make our fake attacks look realistic, our test cases were run automatically at certain time intervals (as explained in Section 2.1), and the attacks were executed from different IP addresses belonging to several different countries. Also, in order to avoid having only "artificial" malicious requests in the web server logs of our accounts, we generated some background traffic simulating real visits to our websites. This was accomplished by developing a simple traffic generator tool, that visited every account we deployed every 10 minutes, and randomly followed links on every website up to a depth of 30. In the general case, this meant following an average of 13 links on every website, thus generating a bit less than two thousand hits per day on every active account. The machine used for traffic generation was not used for other experiments and used a different set of public IP addresses than the ones we used to run the attacks.

3.2.1 Attack Prevention

Even though our study focuses on the ability of the providers to detect compromised websites, during our experiments some of our attacks were blocked and were therefore ineffective. In some of these cases, we proceeded by manually compromising the account. For example, whenever a provider denied the possibility of running test SH, we manually uploaded the drive-by download code to the account to continue the experiment. This allowed us to test whether the provider was able to detect the menace by scanning the customer's account. For the phishing attack (Phish), since it had to be detected on a network level, we did not take such measure and thus no manual upload was performed on accounts of providers blocking the remote file upload.

Table 3 reports, for each test and provider, whether the web hosting company took any measure to prevent the attack. Such measures depend on the test case, and ranged from employing URL blacklists to blocking outgoing connections or process executions.

URL blacklisting. Some providers employ URL blacklists in order to prevent SQL injection attempts (test SQLi) and remote file uploads (SH, Phish). However, as shown in column SQLi of Table 3, none of the providers we tested were able to fully prevent our SQL injection attacks. This is probably due to the adoption of simple keyword-based blacklisting rules, that can be easily bypassed by introducing SQL comments in the middle of blacklisted keywords (such as using "SE/**/LECT" instead of "SELECT", as explained in Section 2.1.1). Two providers (global-1, regional-2) blocked the first four requests of our attacks, and five other providers were able to block only the first two. The remaining providers did not adopt any SQL-injection protection mechanism at all.

Regarding tests SH and Phish, some providers were able to prevent the attack by employing URL blacklists probably containing specific rules for the detection of common vulnerabilities on web applications, such as the ones we employed for the tests presented in Section 2.2, provided by the OWASP foundation. Regarding SH, Table 3 shows that some providers were able to only partially prevent the attack. These providers did not block the file upload itself, but employed blacklisting rules to block some requests to the web shell (these requests contained common file names, e.g., /etc/passwd, or common parameter sequences such as .php?act=cmd).
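
The following added example (not code from the paper or from any provider) contrasts a keyword rule applied to the raw parameter with the same rule applied after URL decoding and SQL comment normalization, which is what the "SE/**/LECT" case above requires. The keyword list, function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Keywords a simple blacklist rule might look for (constructed list).
KEYWORDS = ("select", "union", "insert", "update", "delete")
KEYWORD_RE = re.compile(r"\b(?:" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
# Inline SQL comments of the /* ... */ form, as in the paper's "SE/**/LECT".
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def naive_match(raw_value):
    """Keyword rule applied to the parameter exactly as it arrived."""
    return KEYWORD_RE.search(raw_value) is not None


def url_decode(value, max_rounds=3):
    """Undo URL encoding; repeat a bounded number of times for double encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalized_match(raw_value):
    """Keyword rule applied after decoding and comment normalization.

    Comments are handled two ways, because a comment can either split a
    keyword (SE/**/LECT) or stand in for whitespace (UNION/**/SELECT).
    """
    decoded = url_decode(raw_value)
    joined = COMMENT_RE.sub("", decoded)
    spaced = COMMENT_RE.sub(" ", decoded)
    return any(KEYWORD_RE.search(v) is not None for v in (decoded, joined, spaced))


# Constructed parameter values; the table and column names are made up.
SAMPLES = [
    ("plain", "1 UNION SELECT number FROM cards"),
    ("split keyword", "1 UN/**/ION SE/**/LECT number FROM cards"),
    ("url-encoded", "1%20UNION%2F**%2FSELECT%20number%20FROM%20cards"),
    ("double-encoded", "1%2520UN%252F**%252FION%2520SE%252F**%252FLECT%25201"),
    ("benign", "Summer+selection+2013"),
]


def audit(samples=SAMPLES):
    """Return (label, naive verdict, normalized verdict) for each sample."""
    return [(label, naive_match(v), normalized_match(v)) for label, v in samples]


if __name__ == "__main__":
    for label, naive, normalized in audit():
        print(f"{label:15} naive={naive!s:5} normalized={normalized}")
```

Normalization narrows the gap described above; it does not replace parameterized queries in the hosted application.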

Connection and OS-level filtering. The attack files for test Bot were first uploaded to the customer's account via FTP, then the fake IRC client was executed issuing an HTTP request to a PHP file launching an executable file using the system() PHP function. A total of 18 providers were able to fully stop the attack: of these, 50% did so by disabling the system() function in PHP, while the remaining half firewalled outgoing connections to the IRC port.

When the attack was prevented, we were expecting some form of notification regarding the suspicious activity. After all, it is not normal that a shared hosting user has a disguised process that tries to connect to an IRC server every hour for one month.
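
The following added example (not from the paper) shows the kind of check that would surface the hourly IRC connection attempts described above, including attempts the firewall already dropped. The egress log format, the account names and the port set are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: common IRC ports; the paper only says "the IRC port".
IRC_PORTS = {6667, 6697}

# Hypothetical per-account egress log format, one connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>ALLOW|DROP)$"
)

# Constructed sample log (documentation IP ranges).
SAMPLE_LOG = """\
2012-06-01T00:00:07 acct=user17 dst=198.51.100.20 dport=6667 action=DROP
2012-06-01T00:10:00 acct=user41 dst=198.51.100.77 dport=6667 action=ALLOW
2012-06-01T00:12:00 acct=user41 dst=198.51.100.77 dport=6667 action=ALLOW
2012-06-01T00:30:11 acct=user03 dst=192.0.2.80 dport=443 action=ALLOW
2012-06-01T01:00:05 acct=user17 dst=198.51.100.20 dport=6667 action=DROP
this line is malformed and must be skipped
2012-06-01T02:00:09 acct=user17 dst=198.51.100.20 dport=6667 action=DROP
2012-06-01T02:13:44 acct=user22 dst=203.0.113.9 dport=6667 action=ALLOW
2012-06-01T03:00:06 acct=user17 dst=198.51.100.20 dport=6667 action=DROP
2012-06-01T04:00:08 acct=user17 dst=198.51.100.20 dport=6667 action=DROP
2012-06-01T05:00:00 acct=user41 dst=198.51.100.77 dport=6667 action=ALLOW
2012-06-01T05:01:00 acct=user41 dst=198.51.100.77 dport=6667 action=ALLOW
"""


def parse(lines):
    """Yield one event dict per well-formed log line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "acct": m["acct"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],
        }


def find_irc_activity(lines, min_events=4, tolerance=0.1):
    """Report accounts that repeatedly try to reach an IRC port.

    An account is marked periodic when every gap between attempts is within
    `tolerance` of the median gap, the signature of a scheduled client.
    Dropped attempts count too: a blocked bot is still a compromised account.
    """
    groups = defaultdict(list)
    for ev in parse(lines):
        if ev["dport"] in IRC_PORTS:
            groups[(ev["acct"], ev["dst"], ev["dport"])].append(ev)

    findings = []
    for (acct, dst, dport), events in sorted(groups.items()):
        if len(events) < min_events:
            continue
        times = sorted(e["ts"] for e in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        findings.append({
            "account": acct,
            "destination": f"{dst}:{dport}",
            "attempts": len(events),
            "blocked": sum(e["action"] == "DROP" for e in events),
            "median_gap_s": mid,
            "periodic": all(abs(g - mid) <= tolerance * mid for g in gaps),
        })
    return findings


if __name__ == "__main__":
    for finding in find_irc_activity(SAMPLE_LOG.splitlines()):
        print(finding)
```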

Two hosting providers allowed the attack only at certain periods in time (global-2 and global-6). This may be due to temporary misconfigurations on their networks or to automatic account migrations over different machines with different configurations (for example, the account running test Bot on provider global-6 connected to our fake IRC server from eight different hosts during the 25-day testing period).

No prevention results are shown for test AV, as this test did not run any attack and no filtering was done on the upload of malicious files via FTP.

As a final remark, we noticed that, for some tests, some providers had exactly the same behavior. This is the case, for example, of global-1 and regional-2, and of global-8 and regional-3. We thus believe that these providers employ the same protection mechanisms and web server security configurations for their shared web hosting solutions. These services are probably provided by third party companies as part of common off-the-shelf security solutions.

3.2.2 Compromise Detection

Sadly, all but one of the providers we tested did not notify their clients when their websites were compromised and were used to perpetrate obvious malicious activities. The only hosting provider that reacted to one of the attacks was global-4, but that reaction happened 17 days after the beginning of test AV. The provider properly notified the presence of a malicious file (the c99 shell) on the user's web hosting account. In addition, the provider warned the user that a service suspension would occur if no reply to the alert was received by the customer support service within 24 hours. However, the message did not mention the presence of the other malicious file on the account, namely, sb.exe. This suggests that the alert was an automated message resulting from a virus scan of the account, and that no human operator actually checked the contents of the directory in which the two malicious files were stored.

We were quite surprised by our findings, as we were expecting to have at least a few of our scenarios detected by the vast majority of web hosting providers. It emerges that, on shared hosting servers, even the most basic virus scan is not as common as one could expect. From our measurements, we are not able to tell if the hosting providers run antivirus systems on their shared hosting servers. However, if they do, they are either using outdated signature definitions, or the frequency at which they perform the scans is less than once a month.

3.3 Solicitation Reactions

As explained in detail in Section 2.3, whenever one of our test suites was not detected by the hosting provider for 25 consecutive days, we started sending daily abuse notification emails to the provider's abuse contact. The purpose of sending these messages was to understand whether web hosting providers respond and react to abuse notifications (e.g., by suspending a compromised account or notifying the customer of his or her website being compromised).

To complete our test, we also sent fake abuse notifications for perfectly clean web pages, with the aim of understanding whether any providers take action without first verifying the claims. This would pose a serious menace, as it would be a very easy and effective way to conduct a Denial of Service attack against websites of other users. The following paragraphs are meant to give some insights and details on what is presented in the "Solicitation Reaction" section of Table 3.

3.3.1 Abuse Notifications

Unfortunately, 50% of both the global and regional web hosting providers never replied to any of the real abuse notifications we sent. This percentage is quite alarming, and means that if a website is hosting malicious content (such as phishing or malware), no action will be taken to stop it from spreading and reaching its victims. Moreover, phishing attacks and malware files used in drop zones usually have a short lifetime, and, as such, even a late response to a malware or phishing abuse notification would have little or no effect on the general outcome of the attack.

Seven out of the eleven providers that replied to our complaints replied either the same day or the day after the notification was sent. This is a good indicator, meaning that these companies probably care about web abuses and are able to handle these issues in a timely manner. The only provider that replied later than 5 days after the notification was regional-5, with an average response time of 16 days. After such a long delay any action would be basically useless, as the website may have completely changed in the meantime.

There were a variety of reactions to our abuse complaints. The most common approach was to temporarily suspend the customer's account, with five companies performing at least one suspension as a result of a malware or phishing abuse complaint. We consider this action a reasonable response to the abuse, causing a temporary disruption of the services the client is paying for, but blocking the immediate threat. Other providers responded to the notifications by cleaning up the account, removing the suspicious files (4 providers - note that this action seems to be more common among regional providers), or by forwarding the abuse notification to the customer (1 case). We considered such responses, in general, to be appropriate to stop the menaces from spreading, while at the same time avoiding too much impact on the user's services.

Provider global-12 reacted without notifying the website's owner: in the case of AV, the account was terminated, while in the case of phishing (Phish), the directory containing the fake phishing kit was removed. Also in the case of provider regional-6, actions were taken without notifying the user, with the exception that, in this case, the reactions to the abuse notifications consisted of deleting all the files (including the clean ones) of the user's websites!

Controversial responses to our abuse notifications were those from providers that sent ultimatums to the user (marked with U, in the table), warning him that offending content had been found on his website, and that if no cleanup was performed within a few hours, the account would be suspended. This was controversial because, as in the case of provider global-6, even though we did not take any action to respond to the provider ultimatum, the fake phishing pages were still present on our account after several days. This means that the provider did not keep to its commitment.

Finally, a few responses were partially or fully unsatisfying. The regional-3 provider replied to the malware abuse complaint probably after scanning the customer's account using an antivirus. The reply stated that a c99 PHP shell had been found on the account, and asked the notifier if he wanted them to remove it. The malicious executable was not mentioned at all and no further action was taken, thus leaving both malicious files on the account.

The case of providers global-2, global-3 and global-5 is quite particular. While experiments were in progress on most of the providers, and once our tests Phish and AV reached their 25th day on global-2 and global-5, notifications were sent to the two providers. First, provider global-5 replied by terminating the account (disabling both the billing and the hosting account) and giving the customer 15 days to reply and to recover his files. We replied, asking to re-enable the account for recovering our files, but in the meanwhile another abuse response was received from provider global-2, terminating our account. Starting from that moment, within a few hours, all the accounts we had registered on providers global-2, global-3 and global-5 were terminated without any explanation, even when we tried to contact the companies to ask details about the reasons for our accounts' termination. The only response we were able to get was: "Due to certain items contained in the account information, this account was flagged for fraud. For security reasons, this flag caused the system to delete your account. At this time we ask you to seek out a new hosting company."

Provider      Solicitation Reaction
              Abuse complaint   Fake abuse complaint   Avg. reply delay (days)
global-1      N                 N                      -
global-2      T                 -                      1
global-3      N/T               -                      -
global-4      S                 U                      0
global-5      T                 -                      0
global-6      U                 O                      2
global-7      N                 N                      -
global-8      N                 N                      -
global-9      N                 N                      -
global-10     S                 N                      4
global-11     N                 N                      -
global-12     T,C               O                      0
regional-1    S,C               S                      0
regional-2    N                 N                      -
regional-3    O,C               O                      0
regional-4    N                 N                      -
regional-5    S                 O                      16
regional-6    C                 C                      1
regional-7    N                 U                      5
regional-8    S,F               O                      1
regional-9    N                 N                      -
regional-10   N                 P                      0

Table 3: The results of our study. The table's remaining columns (Account verification; Attack Prevention / Detection (days) for SQLi, SH, Phish, Bot and AV) used graphical symbols that are not reproduced here; the entries that remain in them are the AV detection after 17 days for global-4 and one "-" (not applicable) for each of global-2, global-3 and global-5.
Legend: - not applicable; (symbols) no / not satisfying, in part / partly satisfying, yes (full) / satisfying; N no reply; P forced password reset; S account suspension; C cleanup or file removal; T account termination; U ultimatum to the user; F complaint email forwarded; O reply but no action.

Either the three companies used the same support service, provided by a third party, or they shared information between them. Indeed, the termination notifications for all the accounts on the three providers were sent by the same support representatives, and contained exactly the same text (only the email signature changed, containing the email and postal address of the appropriate company). For this reason, we expect the support center for these companies was able to link our accounts' personal information and understand they were all registered by the same group of individuals. Thus, having received complaints for two of the accounts, all the other accounts that could have been reasonably linked to them were terminated as well. When this happened, some test cases had not been deployed yet on these providers (SQLi on global-3, global-5) and others had not yet reached their 25th day of execution (Phish on all, and SQLi on global-2), thus no fake abuse notifications were sent for them. This explains why Table 3 has missing data for such providers in columns "SQLi" and "Fake abuse complaint". This is also why in the "Abuse complaint" cell for provider global-3, we listed N/T: no abuse notification response was received (N), but a termination occurred anyway (T) for other reasons.

Finally, for provider global-9, we were not able to properly contact its abuse department: out of the four different abuse notifications we sent to its abuse email address, only the last two received an automated reply, saying that in order to report an abuse, it is necessary to click on the help link on the web hosting provider's home page and follow a series of steps (at the time we received these responses, the five-day testing period had already expired). We flagged this case as "no reply" because, although we tried to submit the complaints following the company's advice, the user interface adopted by the provider makes it very difficult, even for an experienced user, to find the right way to report a website abuse. Moreover, once a visitor is able to reach the right page for submitting a website abuse notification, he or she is required to register an account before being able to file a complaint.

3.3.2 Fake Abuse Notifications

We expected most web hosting providers to ignore our abuse notifications regarding "offending content" (see Section 2.3) and to check the website's contents but take no action in case of the fake phishing complaints. In Table 3, we thus marked as "satisfying" also the providers that never replied to our complaints. However, this is not always a good sign, especially when the same provider never responded to the real complaints.

Sadly, some of the reactions we observed were clearly in contrast with our expectations. Both providers marked with "U" believed either our religious complaint (global-4) or our phishing one (regional-7), warning the website owner about the possibility for his account to be suspended if the offending content was not removed within a few days. However, contrary to what was promised, the content of the websites was left untouched and none of these providers took any action to block the user's account after the ultimatum expired.

One provider, regional-1, suspended one of our clean accounts on the same day it was notified as hosting a phishing website. regional-6, instead, acted as in the case of real abuse complaints: all the pages on the account's web hosting directory were deleted, and the website's home page was replaced by an "under construction" page. This was already bad when associated with real malicious content, but in case of a bogus complaint it is really an unacceptable behavior. One last provider, then, responded to the fake phishing abuse notification by sending the website owner an email stating that his website had been attacked, and as such a password reset had been forced on the account. Furthermore, the malicious files were disabled (by means of changing their access permissions) and their list was sent to the user: the list contained the benign website home page and the jpeg picture included in it. We were not able to figure out how the web hosting provider assumed the static HTML home page and the picture could contain malicious code.

Only four web hosting providers replied to our fake abuse notifications with messages that completely satisfied our expectations. In these cases, marked with "O" in the table, the support representative informed the notifier that upon manual inspection, the website seemed to be clean, and, in case some content seems to be offending somebody's cultural views, the issue has to be resolved in person by contacting the owner of the website. From this analysis it seems that regional providers are slightly more likely to perform a manual content inspection on the websites they host (at least 30% of the ones we tested), compared to global providers (only two out of twelve).

3.4 Re-Activation Policies

Whenever a hosting account was suspended, providers often provided the customer with the steps to follow in order to have the account re-activated. These steps usually involve changing every password of the account (billing, FTP, database passwords, etc.), writing a letter or an email stating the agreement to the provider's Terms of Service, and removing the malicious files or re-installing a clean copy of the website. Among the companies that suspended our accounts, global hosting providers seem to stick to strict legal requirements before allowing customers to have their accounts re-activated after a violation of the terms of service. The two hosting providers that suspended at least one of our accounts required us to send an email (global-4) or a scanned letter or fax (global-10) to their support department, stating that we have followed all the necessary steps to clean up our account and reset our login credentials, and that in future we will abide by the terms of service of the company. Regional providers appear to be more "informal" with regard to this, as often a simple email replying to the incident notification, explaining that we were running a vulnerable web application or using a weak FTP password, was sufficient to have our account re-activated. Regional providers too, however, in their incident notifications, advised the user to follow basic steps to secure his account (password change, website cleanup) before requesting a service re-activation. During our tests on regional-1, in one case, a scanned version of the customer's identification card was required in order to re-activate a suspended account.

Finally, in the case of service terminations, the providers just wanted the user to leave their company, replying to service re-activation requests with emails stating that, given the kind of activity encountered on the account, the company was not willing anymore to provide their service to such customers.

3.5 Security Add-on Services

In our study, we also evaluated the ability of third party "add-on security providers" to detect attacks or abuses on a website. These services can be purchased separately from web hosting accounts, and associated with a domain or website to monitor. In some cases, the subscriber has even the option to give his FTP/SFTP access credentials to the security service, to allow an in-depth scan of all the files on his or her account (also those that may not be reachable from the web). For our study, we selected four companies offering such security services, chosen among the most common and advertised on the web. We limited our choice to services that are affordable for a personal or small business use ($30/month max subscription price). We did so in order to test services that are in line with the level of web hosting we were testing. Indeed, it would not be reasonable to pay hundreds of dollars per month, or more, to protect a $10/month hosting plan.

Some of the add-on companies we evaluated offer several levels of service, at different prices. We thus registered every protection level available, up to the $30/month threshold we had fixed, ending up registering a total of six security add-on services (two each from the companies offering multiple levels of protection). Six additional hosting accounts were purchased, from different companies, in order to accommodate our tests for these security services. In the following, we refer to them as sec-1 through sec-4. The two variants for companies offering different levels of protection are labeled with a -basic or -pro suffix, to distinguish, respectively, the cheapest version of the service from the more expensive one.

Services in the -pro version, for both providers sec-1 and sec-2, allow a daily scan of all the files on the customer's FTP hosting account, if they are provided with his or her access credentials. We configured both services to enable this kind of scans. The other four security services, on the contrary, perform only scans on publicly accessible pages of the websites they are configured to monitor. Such scans include, in most of the cases, checking for malware, malicious links, blacklisted pages, and performing reputation checks on both the website and the provider hosting its contents.

3.5.1 Evaluation of the Security Services

The security services' evaluation schedule was tighter than the normal test evaluation schedule, as we expected security add-on services to react faster to attacks and suspicious account activities, being specially designed for detecting security issues. Thus, the tests on accounts hosting the security add-on services were run for a total duration of 50 days, 10 days for each test, from SH to AV. The SQL injection test was not run on such web hosting accounts, because its attack does not generate any side effect on the hosting account and thus could not be detected by third party external security services.

We noticed that two of the companies providing the add-on security services are listed among the partners of known URL blacklisting services. We therefore used the last 10 days of testing to study reactions to the notification of suspicious URLs to such blacklists. For this, we scheduled a last test consisting of a new deployment of SH, along with the submission of its drive-by download page to a few malicious URL reporting and blacklisting services. The URL blacklisting requests were sent on the same day the tests were deployed. We refer to this test as "SH-BL".

Footnote: Although these services can be purchased separately, several web hosting providers offer security services from third party companies at a discounted price, if purchased in conjunction with a web hosting plan.

Table 4: Results of our evaluation of third party security services. Symbols and their meanings are the same as in Table 3. (Columns: Provider; Attack Detection for SH, Phish, Bot, AV, SH-BL. Rows: sec-1-basic, sec-1-pro, sec-2-basic, sec-2-pro, sec-3, sec-4. The cell symbols are not reproduced here.)

Results are shown in Table 4. One can see that detection capabilities for add-on services are comparable to those of providers. However, in this case, customers pay for a service whose only commitment should be monitoring a website in search of potential vulnerabilities or malicious content. Almost all the services we tested in this part of our study seem to completely fail this objective.

All the services were configured to send notifications to the user whenever a security issue was detected on the monitored website. None of the add-on security services detected anything anomalous during our tests SH, Phish, Bot (attacks were all successful and never blocked by the hosting provider). Test AV was not detected either, but the sec-1-pro service raised a warning for having detected the c99 web shell on our hosting account. However, this alert was visible only when logged on the security service's web management panel, where the c99.php file was listed as suspicious. No critical alerts were issued, nor was any email sent to the user as notification for this event. Finally, the only successful detection was performed by the sec-1-pro service, detecting our drive-by download page the day following our blacklisting request for its URL. As the sec-1 security company was listed as one of the partners of the blacklisting service, we expect that our URL blacklisting request was forwarded to the security service right after our submission, thus allowing a timely detection.

4. RELATED WORK

Several works have studied the threats that affect websites all around the world as well as users visiting infected pages [15–17]. Research has been focusing also on the ways in which criminals exploit search engines in order to reach their victims, by poisoning search results for popular queries [7]. Other papers have explored how similar techniques are used in order to find vulnerable websites [12] and web servers [8]. Researchers have also studied how all these activities are combined by criminals in order to be able to conduct attack campaigns in which tens of thousands of hosts are infected [18]. Canali et al. [3] studied the behavior of actual attackers on the web, by installing vulnerable web applications in a controlled environment.

Bau et al. [2] evaluated current commercial tools for detecting vulnerabilities in web applications. Such tools mainly rely on black-box approaches, and are not able to find all possible vulnerabilities. Recently, a web hosting provider [5] announced an improvement of its hosting offer by adding free automated website vulnerability scanning, fixing and recovery. Such a service is presumably running as a white-box approach on the network and server side. This service is related to what, in our work, we refer to as "add-on" security services. Unfortunately, this service was announced when our experiments were already completed, and it was therefore not possible to integrate it into our results.

Commtouch [4] surveyed 600 compromised websites owners and, among other things, reported on the process by which the websites owners became aware of the compromise. However, this was done with a publicly advertised poll on detected compromised websites and may therefore be biased.

Finally, some past work has been focusing on studying the take-down process employed in the case of phishing websites [10, 11]. This is related to some of the findings we reported in Section 3.3, but is aimed at studying the phenomenon at an ISP and hosting provider level, rather than analyzing the providers' responses one by one and providing details on how they react to abuse notifications.

To our knowledge, this paper is the first attempt to systematically study, on a worldwide scale, how web hosting providers act with regard to the security of their customers and of their own infrastructure - focusing in particular on the detection of compromised accounts, rather than the presence of vulnerabilities.

5. LESSONS LEARNED, CONCLUSIONS

We can summarize the main findings of our experiments around the following five points:

Registration - Top providers invest a considerable effort to collect information about the users who register with them. This procedure can be an effective technique to prevent criminals from hosting their malicious pages on those providers.

Prevention - About 40% of the providers deployed some kind of security mechanism to block simple attacks, ranging from SQL injections to exploitation of common web application vulnerabilities.

Detection - Once the customer is registered, most of the providers do nothing to detect malicious activities or compromised websites - therefore providing very little help to their customers. We were surprised to discover that 21 out of the 22 tested providers did not even run an antivirus once per month (or they run them with old or insufficient signature sets) on the hosted websites. Moreover, none of them considered multiple outgoing connection attempts towards an IRC server suspicious.

Abuse Notification - Only 36% of the providers reacted to our abuse notifications. When they promptly replied, most of the time their reaction was inappropriate or excessive. None of the global providers and only one of the regional ones were able to properly manage both the real and the fake complaints in a timely manner.

Security Services - The use of inexpensive security add-on services did not provide any additional layer of security in our experiments. Also the services that were configured to scan the content of our sites via FTP failed to discover the malicious files.

The main differences between global and regional providers appeared to be in terms of registration verification (in favor of global providers) and reaction to real complaints (in favor of regional ones).

As we already mentioned in the introduction of this paper, web hosting providers are in the position to play a key role in the security of the Web. In fact, they host millions of websites that are often poorly managed by inexperienced users, and that are likely to be compromised to spread malware and host phishing kits. Unfortunately, all the shared web hosting providers we tested in our study missed this opportunity.

6. ACKNOWLEDGEMENTS

The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 257007.

7. REFERENCES

[1] VirusTotal - Free Online Virus, Malware and URL Scanner. https://www.virustotal.com/.
[2] J. Bau, E. Bursztein, D. Gupta, and J. Mitchell. State of the art: Automated black-box web application vulnerability testing. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 332–345. IEEE, 2010.
[3] D. Canali and D. Balzarotti. Behind the scenes of online attacks: an analysis of exploitation behaviors on the web. In Proceedings of the 20th Annual Network and Distributed System Security Symposium, NDSS'13, Feb. 2013.
[4] Commtouch and StopBadware. Compromised Websites - An Owner's Perspective. http://stopbadware.org/pdfs/compromised-websites-an-owners-perspective.pdf, February 2012.
[5] W. de Vries. Hosting provider antagonist automatically fixes vulnerabilities in customers' websites. https://www.antagonist.nl/blog/2012/11/hosting-provider-antagonist-automatically-fixes-vulnerabilities-in-customers-websites, November 2012.
[6] fyicenter.com. Credit card number generator - test data generation. http://sqa.fyicenter.com/Online_Test_Tools/Test_Credit_Card_Number_Generator.php, 2010.
[7] J. P. John, F. Yu, Y. Xie, A. Krishnamurthy, and M. Abadi. deseo: combating search-result poisoning. In Proceedings of the 20th USENIX conference on Security, SEC'11, pages 20–20, Berkeley, CA, USA, 2011. USENIX Association.
[8] J. P. John, F. Yu, Y. Xie, A. Krishnamurthy, and M. Abadi. Heat-seeking honeypots: design and experience. In Proceedings of the 20th international conference on World wide web, WWW'11, pages 207–216, New York, NY, USA, 2011. ACM.
[9] Larry Ullman. Understand your hosting, five critical e-commerce security tips in five days. Peachpit Blog, 2011. http://www.peachpit.com/blogs/blog.aspx?uk=Understand-Your-Hosting-Five-Critical-E-Commerce-Security-Tips-in-Five-Days.
[10] T. Moore and R. Clayton. Examining the impact of website take-down on phishing. In Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, eCrime'07, pages 1–13, New York, NY, USA, 2007. ACM.
[11] T. Moore and R. Clayton. The consequence of non-cooperation in the fight against phishing. In eCrime Researchers Summit, 2008, pages 1–14, Oct. 2008.
[12] T. Moore and R. Clayton. Financial cryptography and data security. Chapter Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing, pages 256–272. Springer-Verlag, Berlin, Heidelberg, 2009.
[13] Number 7. osCommerce 'categories.php' Arbitrary File Upload Vulnerability, November 2010. http://www.securityfocus.com/bid/44995/info.
[14] OWASP foundation and TrustWave SpiderLabs. Owasp modsecurity core rule set project. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project, 2012.
[15] N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iframes point to us. In Proceedings of the 17th conference on Security symposium, SS'08, pages 1–15, Berkeley, CA, USA, 2008. USENIX Association.
[16] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser analysis of web-based malware. In Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, HotBots'07, pages 4–4, Berkeley, CA, USA, 2007. USENIX Association.
[17] N. Provos, M. A. Rajab, and P. Mavrommatis. Cybercrime 2.0: When the cloud turns dark. Queue, 7(2):46–47, Feb. 2009.
[18] B. Stone-Gross, M. Cova, C. Kruegel, and G. Vigna. Peering through the iframe. In INFOCOM, 2011 Proceedings IEEE, pages 411–415, April 2011.
[19] webhosting.info. Country-wise top hosts. http://www.webhosting.info/webhosts/tophosts/Country/, 2012.