As reported elsewhere, we regularly check our web directory for broken links, while also removing parked domains, websites with inappropriate content (a rarity), and websites that seem to be hosting malicious software or code.
Malicious code inserted into websites has become a more prevalent problem over the last year or two. Somehow we get alerted before the page can get loaded into our browser, by a service provided by Google (Safe Browsing - Advisory provided by Google).
It is not clear to us if everybody gets this service; we would surmise that in that case anybody managing a website would rather quickly notice that his or her website has been infected.
The vast majority of websites we discover to be infected are not run by malicious management. Instead, third parties somehow managed to insert code into the websites (or script files associated with the site). So the problem seems to rest with the hosting services. That is, somehow third parties get access to the servers hosting the sites.
There is a possibility here that web hosting services are directly responsible, that is, they are aware of the problem. More likely, the hosting servers are accessed without the permission of their owners, and in that case it clearly is a case of poor supervision and inadequate protection of the server content.
Clearly the main problem is that people with malicious intent seem to be able to access servers. When we checked further into this problem, we found that most websites hosting malicious software or code used web hosting companies based in Thailand. We have no way of knowing how many sites listed in our directory use servers abroad or in Thailand. Nor do we actually know whether it is better to host Thai websites abroad or in the country; possibly it depends on where most visitors to the individual website come from (maybe it is better to host in Thailand, if most visitors are Thai).
In any case, we assume many Thai websites are hosted in the United States and Europe.
Below is an example of the information that we can get (as provided by Google for a particular site). It applies to web hosting services provided by CSLoxinfo.
Diagnostic page for AS4750 (CSLOXINFO)
What happened when Google visited sites hosted on this network?
Of the 11006 site(s) we tested on this network over the past 90 days, 1778 site(s), including, for example, obec.go.th/, chon2.go.th/, suratthani.m-society.go.th/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2009-07-15, and the last time suspicious content was found was on 2009-07-15.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 53 site(s) on this network, including, for example, obec.go.th/, school.obec.go.th/tambol/, chon2.go.th/, that appeared to function as intermediaries for the infection of 427 other site(s) including, for example, phetchabun2.net/, skz2.go.th/, tkc.go.th/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 66 site(s), including, for example, obec.go.th/, odmina.ru/, school.obec.go.th/tambol/, that infected 703 other site(s), including, for example, huakhaoschool.co.nr/, luktungmohlum.com/, skz2.go.th/.
You can see that no less than 1778 out of 11006 sites hosted contain malicious software, which is startling. This page was copied on 16 July 2009, and probably will be outdated soon.
We discovered that websites hosting malicious software are often 'corrected' a few weeks later. However, we do not have the time or inclination to follow up on this issue. When we find an infected website, we remove it from our directory.
As we said, this seems to be a problem associated with Thai hosting companies. Other web hosting companies that host infected websites include (not an exhaustive list): ISSP, Worldnet, WIN, INET, ProEnnet.
We may add that we actually have more personal experience with this issue. One of our smaller websites was infected not long ago. The site was also hosted with a Thai hosting company. We found that a JavaScript file had some code added to it. We removed the file and replaced it with a backup and the problem was solved immediately.
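A check of this kind, finding a script file that has had code added to it, can be automated by comparing the live site against the backup. The following Python script is an added example, not part of the original article; the directory layout, file names and list of watched extensions are assumptions, and the sample site is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

WATCHED = {".js", ".html", ".htm", ".php", ".css"}  # assumed set of web file types

def digest_tree(root):
    """Map relative path -> SHA-256 hex digest for every watched file under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED:
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def compare_to_backup(live_dir, backup_dir):
    """Report files that differ from, were added to, or are missing versus the backup."""
    live, good = digest_tree(live_dir), digest_tree(backup_dir)
    return {
        "modified": sorted(f for f in live if f in good and live[f] != good[f]),
        "added": sorted(f for f in live if f not in good),
        "missing": sorted(f for f in good if f not in live),
    }

def demo():
    """Constructed sample: a backup tree and a live tree where one script grew a tail."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for d in (backup, live):
            (d / "js").mkdir(parents=True)
            (d / "index.html").write_text("<script src='js/menu.js'></script>\n")
            (d / "js" / "menu.js").write_text("function openMenu() { return true; }\n")
        # Constructed stand-in for code appended by a third party (an inert comment).
        with open(live / "js" / "menu.js", "a") as fh:
            fh.write("/* appended block that is not in the backup */\n")
        # Constructed stand-in for a file that was never part of the site.
        (live / "js" / "stats.js").write_text("/* file not present in the backup */\n")
        return compare_to_backup(live, backup)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files listed as modified or added are the ones to inspect and restore from the backup; the comparison is only as trustworthy as the backup itself, so the backup should be kept somewhere the web server cannot write to.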
Clearly, this is an issue that should be addressed. Somehow data on Thai web servers are not properly protected.