The article "Ensuring website safety" is provided by Sophos Plc and SophosLabs.

December 2007

Antivirus usually acts as the last line of defence against an attack. Web servers (especially those that serve dynamically generated content) should check files when they are requested. As shown in the following diagram, no server is protected from malware. However confident you are in the security of the web server, there is always a chance of a successful attack. Checking files on request significantly reduces the likelihood of malicious code running on the system. The check can be carried out both “when reading” and “when writing”, which lets you notify the administrator about an attempt to place malicious code on the server.

Although the file check may affect server performance, its security benefits outweigh any reduction in server bandwidth. Some parts of the system (for example, the directory with the HTTP server log files) can be excluded from the check, which reduces the impact on the system.

Server attacks fall into two categories: local and global.

  • Local attacks are usually aimed at stealing information or capturing the server.

  • Global attacks are usually aimed at multiple sites and at infecting all visitors.

Although Linux and BSD systems are considered safer than Windows in some circles, using these operating systems does not guarantee protection from organized crime. You can (and should) install antivirus software on them. Even if a malicious program cannot be started on a server protected by antivirus software, it can still be passed to site visitors as ordinary content. Hackers often upload such software using PHP or ASP, which doesn't require infecting the web server's operating system.

Servers can also be infected through the local network. For example, the Fujacks worm family can infect HTML, PHP and ASP files located on network drives.
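The following added example (not part of the Sophos article and not Sophos code) complements the "when writing" check and the directory exclusions described above: it records a SHA-256 baseline of the HTML, PHP and ASP files under a web root, skips excluded directories such as the HTTP log directory, and reports files added or changed since the baseline. It is an integrity check, not antivirus scanning; the function names, the extension list and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Content types the article names as infection targets (HTML, PHP, ASP).
WEB_EXTENSIONS = {".html", ".htm", ".php", ".asp"}


def snapshot(web_root, excluded_dirs=()):
    """Map each web content file (path relative to web_root) to its SHA-256 digest."""
    excluded = {os.path.normpath(d) for d in excluded_dirs}
    digests = {}
    for current, dirs, files in os.walk(web_root):
        rel_dir = os.path.normpath(os.path.relpath(current, web_root))
        # Prune excluded directories (e.g. HTTP server logs) so they are never read.
        dirs[:] = [d for d in dirs
                   if os.path.normpath(os.path.join(rel_dir, d)) not in excluded]
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            with open(os.path.join(current, name), "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            digests[os.path.normpath(os.path.join(rel_dir, name))] = digest
    return digests


def compare(baseline, current):
    """Return files added, modified or removed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":
    # Constructed sample tree: one page plus a log directory excluded from the check.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "logs"))
        samples = {"index.html": "<p>home</p>", os.path.join("logs", "stats.html"): "hits"}
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as handle:
                handle.write(body)
        baseline = snapshot(root, excluded_dirs=["logs"])
        with open(os.path.join(root, "index.html"), "a") as handle:
            handle.write("<!-- appended after baseline -->")
        with open(os.path.join(root, "upload.php"), "w") as handle:
            handle.write("<?php /* new file */ ?>")
        print(compare(baseline, snapshot(root, excluded_dirs=["logs"])))
```

Run on a schedule, any entry under "added" or "modified" that does not match a planned deployment is a reason to alert the administrator and scan the file.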