Most hacked environment – Interesting survey results

I came across a piece of data that is most interesting. LAMP based websites seem to be the most hacked. While it is not surprising, given the popularity of the LAMP stack, it is deeply concerning.

Linux was the OS 76% of the time, Apache was the web server 81% of the time, MySQL was the database 81% and PHP 82%. LAMP stands for Linux Apache Mysql Php and is very popular with tons of websites hosted on this stack. But a recent survey released by the Anti-Phishing Working Group points to the fact while they are the most hacked, they are actually being used as launching pads for other bigger attacks. 84% of victims stated that the hackers placed phishing pages/scripts on their sites.

Breaking into a server and placing pages, such as the login page, on a popular and recognized server makes it easier for the attackers to get people to enter their credentials. If the user looks at the URL bar and sees that the page is hosted on a reputed site, then they may be more inclined to enter credentials. Once the hackers get the credentials of these users, they just have to use them on the real site to get in and steal data.

This data is very significant in that there are thousands of blogs that are self-hosted that run on LAMP. Most of these blog owners do not have security expertise. One of the things that the survey shows is that some sites are repeatedly hacked. A lot of victims were not even aware that they had been hacked until external parties informed them. Almost 25% of victims did not know how long ago their systems had been breached, meaning it could have been days or weeks between attack and discovery.


Only 6% of victims discovered the attack because they reviewed logs. This indicates that either they are not reviewing logs (most likely in my experience) or they are not doing a good job.

Other than removing the phishing pages and changing the passwords, most do not seem to be doing much. The vast majority of victims (88%) have stated that they did not have default passwords or configurations at the time of attack. Even after the attack, only 34% of the victims monitored the log files.

Regularly monitoring log files for anomalies and suspicious activity (eg. requests for files that are not supposed to to be there) may be one of the more important things that website owners should be doing.

Download the full report:
APWG Web_Vulnerabilities Survey June 2011