Joomla 3.9.25 is now available. This is a security release for the 3.x series of Joomla which addresses 9 security vulnerabilities and contains more than 40 bug fixes and improvements.

Once again the Joomla Project is pleased to announce the availability of the Joomla 4.0 Beta 7 release, and Joomla 3.10 Alpha 5.

Joomla 3.9.24 is now available. This is a security release for the 3.x series of Joomla which addresses 3 security vulnerabilities and contains more than 35 bug fixes and improvements.

Once again the Joomla Project is pleased to announce the availability of the Joomla 4.0 Beta 6 release, and Joomla 3.10 Alpha 4.

Open Source Matters Inc, the organisation behind Joomla!, and ScalaHosting are pleased to announce their strategic partnership.

Joomla 3.9.23 is now available. This is a security release for the 3.x series of Joomla which addresses 7 security vulnerabilities and contains more than 35 bug fixes and improvements.

Joomla, one of the world’s most popular Content Management Systems (CMS), announced today the CVE Program authorizes the project as a CVE Numbering Authority.

Joomla 3.9.25 is now available. This is a security release for the 3.x series of Joomla which addresses 9 security vulnerabilities and contains more than 40 bug fixes and improvements.

Once again the Joomla Project is pleased to announce the availability of the Joomla 4.0 Beta 7 release, and Joomla 3.10 Alpha 5.

Joomla 3.9.24 is now available. This is a security release for the 3.x series of Joomla which addresses 3 security vulnerabilities and contains more than 35 bug fixes and improvements.

Once again the Joomla Project is pleased to announce the availability of the Joomla 4.0 Beta 6 release, and Joomla 3.10 Alpha 4.

Open Source Matters Inc, the organisation behind Joomla!, and ScalaHosting are pleased to announce their strategic partnership.

Joomla 3.9.23 is now available. This is a security release for the 3.x series of Joomla which addresses 7 security vulnerabilities and contains more than 35 bug fixes and improvements.

Joomla, one of the world’s most popular Content Management Systems (CMS), announced today the CVE Program authorizes the project as a CVE Numbering Authority.

Your YouTube Channel directly in your website TUBEFLIX for Joomla! is a module that displays the content (playlists & videos) of a Youtube channel to your visitors. TUBEFLIX for Joomla! was developed with the intention that your visitors do not have to leave your site to see your Youtube videos. Fully dynamic and "Mobile First-developed", TUBEFLIX is your professional solution to embed your Youtube channel on your Joomla! site. Incredibly fast TUBEFLIX automatically loads the latest videos from the corresponding channel, thanks to caching in the database the videos are available in a blink of an eye (okey maybe 2 or 3 while caching is active) - no matter if your channel contains 100 or 10'000 videos. The cache is automatically generated by your visitors. You define in the backend in which interval the content should be updated. If a visitor opens TUBEFLIX after the cache duration has expired, the cache is automatically updated for the next visitor. This saves time, resources and your API quota. Privacy First TUBEFLIX has an (optional) integrated disclaimer. Title & texts can be freely defined in the backend. Content is only loaded when the disclaimer has been accepted. Additionally, it is possible to link an article with further privacy information. Mobile friendly TUBEFLIX was developed for display on mobile devices. Thanks to the integration of great frameworks, TUBEFLIX is not only fast but also user-friendly - whether on mobile or on PC.

Joomla! has a long history of being the perfect CMS (Content Management System). It is powering millions of websites around the globe. ochSubscriptions extends Joomla with the possibility to convert your website into a subscription based and community enabled business website. Whether you focus on B2B or B2C, ochSubscriptions has got you covered! ochSubscriptions is a fork of the renowned (but abandoned) rd-subs extension that was and still is used to power the subscription business for a lot of (Joomla) extension developers. Time to convert your Joomla website into a Subscription based and Community enabled business website! ochSubscription is based on and fully integrated with Joomla, it gives you the following benefits: Joomla ACL: all subscription assigned access rights are handled by Core Joomla ACL (Access View levels), you set which Joomla user groups are assigned to the customer when subscribing and can set a (different) set of user groups that the user will be removed from when the subscription expires: maximum flexibility. Joomla Security: all access and authorisation is handled by Core Joomla EU VAT: Fully configurable to comply to your business / country EU VAT rules including validation of the VAT number of B2B Customers (integrated VIES check) (EU) VAT Rates: Support for standard and reduced vat rates (per EU country configurable) and even support for products that are exempt of VAT. Updating of the VAT rates can be done manually or automatic as part of an active subscription. Flexible Renewals: renewal discount can be set globally or per product giving you the perfect offering to entice your existing customer in keep doing business with you. (Expiry) discounts: flexible discounts can be configured globally or per product where you can set an (unlimited) amount of rules specifying expiry time and discount percentage. Your customers will be emailed a coupon code to get the discount resulting in sustainable subscriptions and business! Coupon Codes: create coupon codes with fixed amounts or as a percentage, on the complete order or for a specific product or user. All coupons can have an optional start and end date making it easy to run campaigns! File distribution: Comes out of the box with file / download functionality Extension distribution: fully integrated with Joomla One Click updater when using the ochSubscription provided download ID for the customer Multilingual Template system: create templates for the emails that are send via the system and invoices created. Use a sophisticated Content Construction logic to customize the these templates to hold all relevant information for your customers RD-Subscriptions import and RD-Subscriptions updater / download 'catcher': guaranteeing a smooth and hassle free transition for extension developers > old rd-subs updater URL keep working as they are replaced on the fly by ochSubscriptions! Joomla One Click Updater: distribute your Joomla extensions to your customers via their website's One Click updater! Watchful Integration: ochSubscription can provide your customer with a Watchful download key allowing them to update your extension via Watchful Customer pages: ochSubscriptions gives your customers direct insight into their active and inactive subscriptions, their invoices and their available downloads Billing information: Billing information needed for invoicing is integrated with the default Joomla User Edit view, just like Joomla Custom Fields are! Offline Payment: ochSubscription comes out-of -the-box with the PayLater payment plugin, this gives your customer the possibility to buy a subscription, get an invoice and once they paid the invoice you can process their order and activate their subscription. Online Payment provider: The new PayPal checkout buttons and Mollie (dutch payment provider) payment plugins are available as separate downloads (require additional subscription). and more to come....

Whatsapp Support module can be used as LIVE SUPPORT via WHATSAPP as it allows your website visitors to send messages directly to you or your agent's Whatsapp.

Randomizer is an awesome module that can help you load different other selected modules in a particular module position randomly upon reloading the page.

JoomSMS is the best SMS Joomla extension that let you send follow-up campaigns, auto-responders, newsletters, promotions, deals, automated messages... via SMS/Text messages. Main Features Send SMS/Text Messages Schedule SMS to be sent in the future Handle delivery reports to get statistics about your SMS Send Birthday SMS Send follow up SMS Include personal information in your SMS (user name for example) Filter your receivers to create targeted SMS campaigns Send automatic SMS (when an order is confirmed, when an order is created...) Manage SMS answers and execute automatic actions based on the received answer E-commerce integrations: send an SMS to your buyer when the status of his order changes Support +50 SMS providers And more ... Users Management Features Import/Export JoomSMS users Manage a black list of SMS numbers Sell credits to your users Manage your users from the Front-end Create user groups Messages Management Features Send SMS in mass Schedule your SMS to be sent in the future Follow-up/Birthday SMS Send an SMS when an order is confirmed or created Send SMS based on events Include user information in your message with our tag system Filtering system to deliver your SMS to a sub-part of your users Send MMS to your users (Gateway specific feature) Manage your conversation with a single user Answers Management Features Receive SMS answers Execute automatically an action based on the content of the received SMS Statistics Features How many messages were sent / how many failed Detailed error if the message has not been sent How many messages were received Handle delivery reports Sending Process Features Queue management system to not lose a single SMS Automatic send process Cron Job service Integrations with Joomla 3rd party extensions Social Networking: Community Builder, JomSocial E-commerce: HikaShop, RedShop, VirtueMart Jobs & Recruitment: Easy Jobs Manager Supported SMS Providers OVH Nexmo LOX24 OneWaySMS SmsBroadcast and more ...

JoomCompany is the most powerful office and invoicing Joomla extension for freelancers, small and medium-sized enterprises. Create invoices, bills, offers, manage master data of your clients, observe products trends, record working times, coordinate projects and much more. Main Features Invoices, Quotes and Documents Customer Management Warehouse Project Management Stock Markets and Portfolio Manager Messages & small CRM Accounting Reports Businesses Management Ability to manage multiple businesses (add, edit, delete) Set default business Set business details: name, address, logo and slogan Define pre-settings that will be proposed in the documents (currency, rate of taxes, tax and note) on business add/edit Define which categories should be shown in the menu bar for a faster access on business add/edit Define which documents folders represent revenue and which the expenditure on business add/edit Store additional information in data fields and make them visible in your template for PDF, Email, Print etc.. on business add/edit Manage the permission settings for the user groups on business add/edit Locations Management Ability to manage multiple locations (add, edit, delete, batch processing ...) Set location details: name, category, currency, area (offices, warehouses, venues), status, document, description, street, postcode, location and country Store additional information in data fields on location add/edit Manage the permission settings for the user groups on location add/edit Manage location categories Reports Features Documents report Contacts report Products report Filter by period and date range and more ... Documents (Quotes, Invoices and Reminders) Management Ability to manage multiple documents (add, edit, delete, batch processing ...) Predefined document categories (Invoices, quotes, reminders) Ability to search, sort and filter documents by date range, currencies, offices ... Set details like date, number, title, hint, status on document add/edit Set contact details like name, address, location, email and phone on document add/edit Attach an existing contact on document add/edit Manage products (quantity, unit, title, price, tax rate, discount) on document add/edit Set payment information like status, deadline, paid amount on document add/edit Ability to attach file to document Ability to set document template and email template Ability to preview / download pdf of document Store additional information in data fields on document add/edit Set product usage (selling/purchasing) on document add/edit Ability to generate recurring copies of document Set accounting details (debit/credits) on document add/edit Manage the permission settings for the user groups on document add/edit Manage documents categories (documents folders) Contacts Management Ability to manage multiple contacts (add, edit, delete, batch processing ...) Predefined contacts categories (Customers, Employees, Suppliers) Ability to search, sort and filter contacts Display contacts on google map Ability to import Joomla users as contacts Manage contacts categories (contacts groups) Set contact details like title, first name, name, address, email, phone, contact id, status, since date Ability to attach file to contact Ability to set contact template Ability to attach Joomla user to contact and synchronize data between them Create document from contact add/edit for easy workflow Store additional information in data fields on contact add/edit Manage contact connections on contact add/edit Ability to view all documents related to contact on add/edit Manage the permission settings for the user groups on contact add/edit Products Management Ability to manage multiple products (add, edit, delete, buy, sell, batch processing ...) Ability to search, sort and filter products Ability to view products stats (cost price, total bought quantity, total purchase, value of goods ...) Set product details like title, number, information, tax, unit, template, warehouse, min & max inventory, input (cost price, suppliers), output (sales price), category Ability to view all documents related to product on add/edit Ability to attach file to product Store additional information in data fields on product add/edit Manage the permission settings for the user groups on product add/edit Manage products categories Events Management Ability to manage multiple events (add, edit, delete) Ability to view events timeline Set event details like title, category, status, start / end date, venue, description Ability to generate recurring copies of events Ability to attach file to event Ability to attach documents (quote, invoice, reminder..) to event Ability to manage event attendee Store additional information in data fields on event add/edit Manage the permission settings for the user groups on event add/edit Projects and Tasks Management Ability to manage multiple projects & tasks (add, edit, delete) Ability to view projects and tasks timeline Set project details like title, category, status, start / end date, location, description Set task details like title, project, parent task, planned time, progress, status, start / end date, description Ability to generate recurring copies of projects/tasks Ability to attach file to project Ability to attach documents (quote, invoice, reminder..) to project Ability to manage project/task team Store additional information in data fields on project/task add/edit Manage the permission settings for the user groups on project/task add/edit Occupancy Locations Management Ability to manage multiple occupancy locations (add, edit, delete) Ability to view occupancy locations timeline Set occupancy location details like title, venue, category, status, start / end date, location, description Ability to attach file to occupancy location Ability to manage occupancy location contacts Store additional information in data fields on occupancy add/edit Manage the permission settings for the user groups on occupancy add/edit Talks Management Ability to manage multiple talks (add, edit, delete, batch processing) Set talk details like title, description, correspondence, template, priority Attach contact to talk on add/edit Ability to attach file to talk on add/edit Ability to preview talk messages Ability to share talk public link and switch to live chat Store additional information in data fields on talk add/edit Newsletters Management Ability to manage newsletters and newsletter lists (add, edit, delete, batch processing) Set newsletter list: title, note, parent category, status and contacts Set newsletter template: title, category, area, status, business, language, format, css, html code .... Store additional information in data fields on newsletter add/edit Manage the permission settings for the user groups on newsletter add/edit Accounting Management Ability to manage bookings, accounts, and accounts chart (add, edit, delete, batch processing) Set accounting record: title, debit & credits values. Ability to attach document (invoice, quote..) to accounting record Ability to attach file to accounting record Store additional information in data fields on accounting record add/edit Set account business year, budget, chart Store additional information in data fields on account add/edit Set account chart name, number, description, type and parent Markets Management Manage Watchlists Ability to view markets report (cost price, price, book value, volume...) More Features Templates management Data fields management Status management Units management Currencies management Translations management Uploads management Import & Export Theme style (red, blue, dark, light) Customize number format Send notification for users with limited rights Extra caching mode Ability to show/hide google maps in contact and locations Enable activity recording Enable / disable live chat mode and more ...

Listing your content smartly will be a great means of communication to inspire your audience. No matter if you’re a professional content administrator or not, JA Content Listing helps you easily maintain your content consistently. Simply build your content blocks by loading content from one or multiple categories. With many options for layout and filtering content your ways, this module is all you need to organize your articles. Core features: 9 layouts support 4 article styles support 16 Heading styles Display content from one or multiple categories Flexible settings to sort and filter content Featured (highlighted) item style settings Work in any templat, framework Display your content in flexible layouts fast and easy The Joomla extension makes the content listing for your Joomla site is easier than never. Check out the 2-minute video to see how easy to create a article listing module for your Joomla website. **Easy to set up and configuration: ** Multiple layouts support From list view to grid view, JA Content Listing module offers you up to 9 article listing layouts, giving you the diversity of choice set to display your content most effectively. Depending on what your audience’s reading behavior, you can easily choose the way you want. Multiple articles styles support This extension also offers you multiple styles for three different article types: video, gallery, and normal article that helps you appealingly tell your story. Attract your readers to the last words simply with a clean and beautiful layout for your content. 16 Heading styles A great heading will directly draw your audience’s attention. And we make it to 16 options for your best customization. Express your idea in just a second beautifully with our heading styles. Display content from one or multiple categories Not only function, the design of the filter page in frontend is sleek. Style is customized for all the supported extensions. Flexible settings, easy to sort and filter content It’s all about the best reading experience for your readers. Help them find their favorite articles with an effective sort & filter tool. JA Content Listing also supports you with a flexible option for setting your filter. Featured (highlighted) item With some basic settings, you can highlight any top articles from your blog to attract your readers. Provided with multiple layouts, your blog will have a stunning view in just a few minutes. Work in any template, framework Easy to set up and easy to use, our extension also works effectively in any template and framework. All makes Content Listing module the most powerful content listing module for your Joomla blog website. Responsive design The module displays articles beautifully in all supported responsive layouts: Desktop, tablet and mobile. Changelog: JoomlArt's Joomla Content Listing extension: v1.0.1 - 24 Mar 2021 - Joomla Fresh: All Layout setting working incorrectly - T3 Framework - Layout 03: items display error on tablet screen - Gavern Framework- Layout 06: Items display incorrectly - Vertex Framework - Layout All Layout 05, 06, 07, 08 display error on frontend - Gantry Framework: Layout 02, 04, 05, 06, 07, 08 display error on the frontend - Gavern Framework: Layout 02 display error on the frontend - Vertex Framework: Image display error on the frontend - Zengrid Framework - Layout 05, 06, 07, 08 is break display error on the frontend - Joomla Fresh: Items on frontend display incorrectly - Gavern Framework- Layout 01: Items display agglutinate - Vertex Framework - Layout 04: Columns setting working incorrectly - T3 Framework: Layout 04 display error on the frontend - T3 Framework - Layout 06: Missing items on Tablet screen - Vertex Framework: Header style 01, 03, 05, 07, 09, 11, 13, 15 not working on the frontend ###More info:

Rank Performance Graph OS Outagehh:mm:ss FailedReq% DNS Connect Firstbyte Total 1 GoDaddy.com Inc Linux 0:00:00 0.000 0.348 0.006 0.031 0.033 2 Rackspace Linux 0:00:00 0.000 0.421 0.007 0.017 0.017 3 CWCS Managed Hosting Linux 0:00:00 0.000 0.285 0.081 0.161 0.161 4 Swishmail Linux 0:00:00 0.006 0.212 0.094 0.188 0.188 5 New York Internet (NYI) FreeBSD 0:00:00 0.011 0.519 0.055 0.110 0.110 6 Hyve Managed Hosting Linux 0:00:00 0.011 0.124 0.076 0.151 0.151 7 ServerStack Linux 0:00:00 0.011 0.205 0.094 0.188 0.188 8 Pair Networks Linux 0:00:00 0.017 0.336 0.110 0.219 0.219 9 Multacom Linux 0:00:00 0.017 0.381 0.124 0.250 0.250 10 www.flexential.com Linux 0:00:00 0.023 0.230 0.099 0.199 0.199 See full table In March 2021 GoDaddy had the most reliable hosting company site, with no failed requests and the fastest average connection time amongst the top 10 of 6ms. GoDaddy provides services that allow customers to build their own web presence, which include hosting solutions, domain registration, and a website builder focused on ease of use. In February, GoDaddy acquired Poynt to accelerate its strategy to provide a complete suite of commerce and payment services. The top three sites each had no failed requests and were separated by average connection time. Rackspace came in second place with an average connection time of 7ms, just 1ms slower than GoDaddy. Rackspace provides a wide variety of cloud services from its global network of over 50 locations in five continents. CWCS Managed Hosting wraps up the podium places, in third. CWCS supplies a wide range of hosting services from their ISO 27001, ISO 9001 accredited and Cyber Essentials certified UK data centres, powered by 100% renewable energy.

In the March 2021 survey we received responses from 1,187,527,949 sites across 263,355,616 unique domains and 10,847,682 web-facing computers. This reflects a loss of 16,724,462 sites, but a gain of 313,561 domains and 81,076 computers. nginx gained 3.7 million sites this month and holds 35.3% of the market with a total of 419.6 million sites. By contrast, Apache lost 8.5 million sites and accounts for just over a quarter of all sites with 308.5 million. Microsoft lost 9.6% (-7.5M) of its sites this month and ceded third place to OpenResty which in turn gained 1.2 million (+1.6%). OpenResty is a web platform based on nginx which integrates Lua-based modules and has been the third-largest server by domains for several months. Despite this, it trails the competition in terms of web-facing computers, with only 105,800 computers compared to Microsoft’s 1.4 million. nginx, Google, OpenResty, and LiteSpeed all acquired significant numbers of domains this month. nginx gained just over a million domains (+1.3%), while Google, OpenResty, and LiteSpeed gained 250,000 (+11.0%), 212,000 (+0.6%), and 68,600 (+1.3%). nginx’s domain growth came primarily from Freenom with 1.3 million domains using the server, while OpenResty’s growth came from its increased use on Google Cloud. Meanwhile, Apache and Microsoft lost -540,000 (-0.8%) and -585,000 (-3.7%) domains. nginx and Apache both gained web-facing computers this month with nginx gaining a substantial 74,000 additional computers and a gain of 0.4 percentage points of market share and Apache gaining 3,300 - though losing 0.2 percentage points of market share due to nginx’s comparative higher growth. Other vendors also saw market share losses, with Microsoft losing 24,200 computers (-0.3 pp) and OpenResty losing just over 200 computers (-0.01 pp) despite its gains in sites and domains. Looking at which web servers power the million busiest sites, only Cloudflare saw its count increase this month with a gain of 3,200 sites (+0.3 pp). Cloudflare’s growth came at the expense of nginx which lost the most with 1,570 fewer sites (-0.2 pp), along with Apache and Microsoft which both lost around 250 sites. The top spot remains hotly contested between Apache and nginx - Apache leads, but less than 2.5 percentage points separate the two. Other vendor and hosting news A major fire at OVH’s Strasbourg datacenters resulted in around 3.6 million websites across 464,000 domains being taken offline at the start of March. While this was not captured by this month’s Web Server Survey, additional investigation by Netcraft found that nearly 20% of the IP addresses attributed to OVH stopped responding during the incident. One of the four data centers at the site, SBG2, was completely destroyed, and OVH is now provisioning thousands of new servers to replace those lost. Windows Server 2022 is now in preview and will be made generally available later in 2021. The features added in this release focus on adding new layers of security, integrating more tightly with Microsoft’s Azure platform, and improving Windows Containers. The current major release, Windows Server 2019, was made generally available nearly two and a half years ago in October 2018. nginx version 1.19.8 and njs version 0.5.2 were released on the 9th March. Both updates add minor new features and bug fixes. OpenLiteSpeed, the open-source variant of LiteSpeed Enterprise, received several updates through February and March, with versions 1.5.12, 1.6.20, and 1.7.9 containing primarily security updates and bug fixes. Apache Tomcat was updated to versions 9.0.44 and 10.0.4. Both updates include a variety of fixes, including improvements to asynchronous error handling. DeveloperFebruary 2021PercentMarch 2021PercentChange nginx415,900,47934.54%419,637,92335.34%0.80 Apache316,992,63826.32%308,509,04225.98%-0.34 OpenResty76,623,4406.36%77,819,4906.55%0.19 Microsoft78,331,3796.50%70,826,3425.96%-0.54

Over 100,000 Outlook Web Access servers have been rebooted since Microsoft released security updates for the ProxyLogon remote code execution vulnerability. The subsequent flurry of reboot activity is likely indicative of many Microsoft Exchange servers being restarted after having security updates applied. Last reboot dates of Outlook Web Access servers as at 14 March 2021. Around half of all servers running Outlook Web Access (a service included with Microsoft Exchange Server) were rebooted in the five days after the emergency patch was released. Some of these have since been rebooted again, so will appear later in the above graph. Rebooted machines are likely to have been updated, but the absence of a reboot after 2 March does not necessarily indicate vulnerability. Anecdotally, most servers have requested a reboot after being updated, but some may only require services to be restarted – although administrators may have opted to reboot the servers anyway. Microsoft’s original fixes can only be applied to servers that already have the latest cumulative updates of Exchange Server already installed; however, amidst mass exploitation of the vulnerabilities, Microsoft also released a set of security updates that can be applied to older and unsupported Exchange servers that do not—or cannot—have the latest cumulative updates installed. The alternative security update path is intended as a temporary measure to protect vulnerable machines. Crucially, installing a later cumulative update that does not include the March 2021 security fixes will make the server vulnerable again, and any machine that uses the alternative security update path must be rebooted even if not prompted. In these cases, the servers will certainly not be protected until after the reboot. Some of the more recent reboots may have been prompted by Microsoft’s 9 March “Patch Tuesday” collection of software updates, which also includes fixes for the remote code execution vulnerabilities in Microsoft Exchange. On 6 March, four days after the original security updates were released, Netcraft found more than 99,000 Outlook Web Access servers were still running versions flagged as definitely vulnerable by Kevin Beaumont. However, applying Microsoft’s updates even in a timely fashion could have been like shutting the barn door after the horse had bolted, as more than 10% of all visited Outlook Web Access installations were already compromised with attackers’ web shells installed. These provide the criminal with continued administrative access to the compromised servers after the security updates had been applied.

Around 3.6 million websites across 464,000 distinct domains were taken offline after the major fire at an OVHcloud datacenter site in Strasbourg overnight. More than 18% of the IP addresses attributed to OVH in Netcraft’s most recent Web Server Survey — which took place two weeks ago — were no longer responding at 06:00-07:15 UTC this morning. A load monitoring graph of a server that was running at one of OVH’s Strasbourg datacenters.It was last updated at 01:13 UTC today, indicating when it became inaccessible during the fire. Thankfully, everybody is safe; but OVH said the fire in its SBG2 datacenter was not controllable and no data is likely to be recoverable. Part of its SBG1 datacenter has also been destroyed. Firefighters were protecting SBG3 throughout the night, and although there was no direct fire impact on SBG4, it was also unavailable due to the whole site being isolated. Consequently, all services in SGB1-4 have been offline. Websites that went offline during the fire included online banks, webmail services, news sites, online shops selling PPE to protect against coronavirus, and several countries’ government websites. Examples of the latter included websites used by the Polish Financial Ombudsman; the Ivorian DGE; the French Plate-forme des achats de l’Etat; the Welsh Government’s Export Hub; and the UK Government’s Vehicle Certification Agency website, which got a new SSL certificate by 10am and is now back online with a UK hosting company. Banking websites have also been hit by the fire. Unsurprisingly for a French hosting company, the most affected country code top-level domain (ccTLD) is .fr, which had 184,000 knocked-out websites spread across 59,600 distinct domain names – these account for 1.9% of all .fr domains in the world. In comparison, there were only 24,100 .uk websites hosted in the affected datacenters, across just 8,700 unique domains. Most of the affected websites use the generic .com top-level domain, amounting to 880,000 websites across 180,000 domains.

This weekend, several days after Tuesday 2nd March when Microsoft released fixes for the ProxyLogon vulnerability, Netcraft found more than 99,000 unpatched Outlook Web Access servers accessible on the internet — of which several thousand have clear evidence of one or more web shells installed. Outlook Web Access (OWA) provides remote access to on-premises Microsoft Exchange mailboxes. While a treasure trove of corporate email is a tempting enough target itself, it can also act as a jumping-off point for deeper network access. Vulnerable versions allow unfettered remote access to the mail server. Originally attributed to the Hafnium group, the variety of different web shells and file naming conventions found by Netcraft suggest that the shells belong to multiple groups who have been spurred into action since Microsoft’s announcement by the scale of the opportunity. Vulnerable OWA installations as at 6 March 2021, based on passive observation of version numbers. Source: Netcraft survey. Netcraft has established that at least 10% of all visited OWA installations are now infested with web shell backdoors that do not use randomised filenames, and so could plausibly be guessed by anybody. These implants allow continued administrative access to the server, long after the underlying vulnerability has been patched. One of the backdoor scripts, disguised as an innocuous variable dump in a file named supp0rt.aspx. The active component of the backdoor is ‘hidden’ near the middle of the file. All of the backdoors hide in plain sight on the web server’s file system but are disguised as benign scripts or information dumps in order to avoid detection. There are several different variants of the backdoor script, but all have the same common feature in that they pass the hacker’s commands to the JScript Eval command, allowing arbitrary code to be executed directly on the web server. Most of the backdoor scripts accept the criminals’ arbitrary commands via a specially named GET or POST parameter, while others require the commands to be Base64 encoded first, and some only accept them via a POST parameter. Some variants of the backdoor script generate a runtime error if the secret variable name does not appear in the request. This makes it possible to detect their presence regardless. Netcraft has also seen several different variants of these backdoor scripts being uploaded to individual websites, likely in an attempt to preserve unauthorised access to the compromised web server. Unless all of the backdoor scripts are found and removed, the hackers will still be able to get in and create more. The web shell when viewed in a browser. There is no obvious indication of its malicious functionality. While some of the backdoor variants are wildly different in appearance, they all function in a similar way and require the user to know a secret variable name before any commands can be executed on the server. The variable name effectively acts as a password and provides the only security mechanism to ensure that the backdoor can only be used by the person or persons responsible for uploading it. However, some of the shells use easily guessable variable names like “o” and “orange”, which could plausibly allow them to be misused by other hackers if they can find the scripts and guess the correct variable names. This presents an even more dangerous situation where other fraudsters could then upload their own web shells to secure a foothold on the server. Such a situation could escalate quickly… new battlegrounds could erupt where rival fraudsters try to delete each others’ web shells and upload more of their own in a race to secure access and decide how best to monetize their exploits, all long after the initial OWA vulnerabilities have been resolved.

Rank Performance Graph OS Outagehh:mm:ss FailedReq% DNS Connect Firstbyte Total 1 www.choopa.com Linux 0:00:00 0.000 0.242 0.005 0.027 0.027 2 Rackspace Linux 0:00:00 0.000 0.433 0.011 0.024 0.024 3 Webair Linux 0:00:00 0.000 0.299 0.069 0.139 0.139 4 Hyve Managed Hosting Linux 0:00:00 0.000 0.151 0.076 0.151 0.151 5 CWCS Managed Hosting Linux 0:00:00 0.000 0.320 0.083 0.167 0.167 6 GoDaddy.com Inc Linux 0:00:00 0.005 0.371 0.008 0.038 0.040 7 New York Internet (NYI) FreeBSD 0:00:00 0.005 0.509 0.061 0.123 0.123 8 Bigstep Linux 0:00:00 0.005 0.212 0.082 0.163 0.163 9 ServerStack Linux 0:00:00 0.005 0.223 0.082 0.164 0.164 10 Swishmail Linux 0:00:00 0.011 0.222 0.082 0.163 0.163 See full table Choopa.com took the top spot as the most reliable hosting company site in February. The top five hosting company sites all had no failed requests during the month, with the ranking decided by fastest average connection time. Choopa.com had the fastest connection time out of all of the top 10 hosting company websites, at just 5ms. In the past 12 months Choopa.com appeared in the top 10 nine times. Choopa.com offers a range of services including cloud hosting, dedicated hosting and colocation in its own primary facility in Piscataway, New Jersey as well as other facilities in Los Angeles, Amsterdam, and Tokyo. Spots two and three in February go to Rackspace and Webair. Rackspace provide a wide variety of cloud services from its global network of over 50 locations in five continents, and Webair offer managed and private cloud services, storage and backup solutions from its eight facilities in New York, Chicago, Los Angeles, Montreal, London, Paris, Amsterdam and Singapore.

In the February 2021 survey we received responses from 1,204,252,411 sites across 263,042,054 unique domains and 10,766,606 web-facing computers. This reflects a gain of 6,270,052 sites, 92,829 domains, and 116,789 computers. nginx is top of the charts when it comes to total count of sites as well as number of unique domains and web-facing computers. 34.5% of all sites run on nginx, 30.4% of domains, and 35.0% of web-facing computers. Apache comes in at seconds place in these metrics, with a 26.3% market share of sites, a similar 26.4% share of domains, and 32.7% of web-facing computers. In terms of domains, OpenResty and Cloudflare come in at third and fourth place to make up an additional 14.4% and 7.1% of the market respectively. OpenResty is a web application server that is built upon the technology of nginx, but, strictly speaking, is not an nginx fork. Cloudflare historically based their server stack around nginx, but transitioned towards using more in-house developed technologies over time. As of this month, these web server vendors are tracked individually in the monthly Web Server Survey charts. Although nginx leads the wider market, Apache still has a small lead when it comes to the top one million busiest sites, with a 25.6% market share – 2.4pp ahead of nginx. Apache increased its share of the top million by 0.54pp in February. Although OpenResty takes a sizable chunk of the wider market, it is not nearly as common amongst the top million, taking only a 1.6% share. This disparity can be explained through GoDaddy’s extensive use of OpenResty for domain parking. Apache also holds a more significant lead in terms of Netcraft’s active sites metric, which favours sites with unique content. Apache serves 25.5% of active sites, whereas nginx serves 19.8%. Google accounts for a reasonably large 9.9% share of active sites, owing to its popular Blogger service. Microsoft’s server software market share remains in decline. Microsoft’s figures took a significant drop in 2020 in favour of OpenResty, and Microsoft now only has 6.5% (-1.0pp) of the site market and 6.0% (-0.3pp) of domains as of February 2021. OpenResty also looks set to overtake Microsoft as the third largest vendor in terms of sites and active sites. Other vendor and hosting news Nginx has pushed out its first product updates for 2021 – nginx version 1.19.7 and NGINX Unit 1.22.0. Lighttpd also released version 1.4.59 of its web server, which now enables HTTP version 2 by default. DeveloperJanuary 2021PercentFebruary 2021PercentChange nginx399,330,92733.33%415,900,47934.54%1.20 Apache316,046,14926.38%316,992,63826.32%-0.06 Microsoft89,781,1367.49%78,331,3796.50%-0.99 OpenResty74,385,4876.21%76,623,4406.36%0.15