The ISC Website (www.isc.org) was recently compromised and was found to be serving malware.
mcnally at isc.org
Mon Dec 29 23:55:54 UTC 2014
Last week ISC received a report from security firm Cyphort Labs
informing us that our website, www.isc.org, was delivering malware
content to visitors. Here is a summary of what we know and what
we believe to be true about this incident.
What we know to a high degree of confidence:
+ Security on www.isc.org was compromised and the site
was serving malware known as the Angler Exploit to
visitors. Angler Exploit primarily targets Flash,
Silverlight, and Microsoft Internet Explorer.
Diagnosis and removal instructions for Angler Exploit
malware are available on the web and existing resources
do a better job of explaining than we could within the
scope of this message. Please consult with them or with
your chosen security vendor to find out what steps you
need to take.
+ Only the main ISC website was compromised. There is no
evidence that other ISC information services or critical
ISC infrastructure (such as the F-root nameservers) were
affected at all. While the main ISC web site has been
replaced with a static page until it can be secured,
other ISC information resources such as our Knowledge Base
(kb.isc.org), FTP service (ftp.isc.org), and GIT repository
(source.isc.org) were not compromised and continue to
+ Although many visitors discover the links by visiting
www.isc.org, ISC software products such as DHCP and BIND
are actually delivered via the ISC ftp server (ftp.isc.org)
which was not affected. For additional security, all
official ISC software releases are cryptographically
signed using the ISC code signing key (codesign at isc.org)
and their integrity can be verified using PGP or GPG
in conjunction with the codesign at isc.org public key.
What we strongly suspect:
+ The intrusion is believed to have been accomplished
by exploiting a vulnerability in one of the plug-ins
used by our Wordpress content management system.
+ We have no reason to believe that ISC was specifically
targeted; we believe we were simply a convenient target
because we used a vulnerable Wordpress component.
According to security researchers at Sucuri.net,
on the order of 100,000 Wordpress sites may have been
compromised by this or similar attacks.
What are we doing to prevent this from happening again?
+ ISC took down the affected site and replaced it with a
static page which will remain until we are confident
that the site has been secured.
+ In the immediate short term, a new site is being built
on a freshly-installed VM with more stringent security
restrictions on Wordpress. All of the content on the
site is being scrutinized by an engineer to make sure
that the restored site does not contain any content
introduced during the intrusion. Going forward, ISC will
re-assess whether Wordpress is an appropriate choice for
the foundation of our public website.
+ New policies will be adopted to track staff edits
which, in conjunction with software tools which track
changes in site content, will allow site admins to
quickly identify any unexpected changes to the site
in the future and respond accordingly.
ISC is deeply sorry for any inconvenience or risk caused to people
who visited the www.isc.org site and we pledge to do our best to
ensure that this situation does not reoccur.
(writing for ISC Security Officer)
More information about the bind-users