The ISC Website (www.isc.org) was recently compromised and was found to be serving malware.

Michael McNally mcnally at isc.org
Mon Dec 29 23:57:32 UTC 2014


Last week ISC received a report from security firm Cyphort Labs
informing us that our website, www.isc.org, was delivering malware
content to visitors.  Here is a summary of what we know and what
we believe to be true about this incident.

 What we know to a high degree of confidence:

  +  Security on www.isc.org was compromised and the site
     was serving malware known as the Angler Exploit to
     visitors.  Angler Exploit primarily targets Flash,
     Silverlight, and Microsoft Internet Explorer.
     Diagnosis and removal instructions for Angler Exploit
     malware are available on the web and existing resources
     do a better job of explaining than we could within the
     scope of this message.  Please consult with them or with
     your chosen security vendor to find out what steps you
     need to take.

  +  Only the main ISC website was compromised.  There is no
     evidence that other ISC information services or critical
     ISC infrastructure (such as the F-root nameservers) were
     affected at all.  While the main ISC web site has been
     replaced with a static page until it can be secured,
     other ISC information resources such as our Knowledge Base
     (kb.isc.org), FTP service (ftp.isc.org), and Git repository
     (source.isc.org) were not compromised and continue to
     operate normally.

  +  Although many visitors discover the links by visiting
     www.isc.org, ISC software products such as DHCP and BIND
     are actually delivered via the ISC ftp server (ftp.isc.org)
     which was not affected.  For additional security, all
     official ISC software releases are cryptographically
     signed using the ISC code signing key (codesign at isc.org)
     and their integrity can be verified using PGP or GPG
     in conjunction with the codesign at isc.org public key.


 What we strongly suspect:

  +  The intrusion is believed to have been accomplished
     by exploiting a vulnerability in one of the plug-ins
     used by our WordPress content management system.

  +  We have no reason to believe that ISC was specifically
     targeted; we believe we were simply a convenient target
     because we used a vulnerable WordPress component.
     According to security researchers at Sucuri.net,
     on the order of 100,000 WordPress sites may have been
     compromised by this or similar attacks.

 What are we doing to prevent this from happening again?

  +  ISC took down the affected site and replaced it with a
     static page which will remain until we are confident
     that the site has been secured.

  +  In the immediate short term, a new site is being built
     on a freshly-installed VM with more stringent security
     restrictions on WordPress.  All of the content on the
     site is being scrutinized by an engineer to make sure
     that the restored site does not contain any content
     introduced during the intrusion.  Going forward, ISC will
     re-assess whether WordPress is an appropriate choice for
     the foundation of our public website.

  +  New policies will be adopted to track staff edits
     which, in conjunction with software tools which track
     changes in site content, will allow site admins to
     quickly identify any unexpected changes to the site
     in the future and respond accordingly.

ISC is deeply sorry for any inconvenience or risk caused to people
who visited the www.isc.org site and we pledge to do our best to
ensure that this situation does not reoccur.


Michael McNally
(writing for ISC Security Officer)
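The message above says that official ISC releases are signed with the codesign at isc.org key and can be checked with PGP or GPG. The following is an added example of how that check is done in practice; it is editor-written illustration, not a script from ISC. It assumes the common layout of a detached ASCII-armored signature stored beside the tarball as <tarball>.asc, that the codesign at isc.org public key has already been imported into the GnuPG keyring in use (GNUPGHOME), and that the caller knows the key's fingerprint from an out-of-band source. The optional third argument pins that fingerprint, because gpg reports a "good" signature for any key in the keyring, trusted or not; a valid signature from the wrong key is exactly what a compromised download site could offer.

```shell
#!/bin/sh
# Verify a detached PGP signature on a release tarball.
# Added example, not ISC's own tooling. Assumes <tarball>.asc next to
# the tarball and that the signer's public key is already imported.
set -u

# verify_release TARBALL [SIGNATURE] [EXPECTED_FINGERPRINT]
# Returns 0 only if gpg reports a good signature and, when a fingerprint
# is given, the signing key's full fingerprint matches it exactly.
# Returns 1 on a bad or unexpected signature, 2 on usage/setup errors.
verify_release() {
    tarball=$1
    sig=${2:-"$tarball.asc"}
    expected=${3:-}

    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }
    [ -f "$sig" ]     || { echo "missing signature: $sig" >&2; return 2; }

    # --status-fd 1 sends machine-readable status lines to stdout; the
    # human-readable chatter stays on stderr and is discarded here.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null)
    rc=$?

    if [ "$rc" -ne 0 ] || ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        echo "FAIL: signature on $tarball did not verify (gpg rc=$rc)" >&2
        return 1
    fi

    # VALIDSIG carries the full fingerprint of the key that made the
    # signature; pin it so a "good" signature from some other key in the
    # keyring is still rejected.
    if [ -n "$expected" ]; then
        fpr=$(printf '%s\n' "$status" \
              | sed -n 's/^\[GNUPG:\] VALIDSIG \([0-9A-Fa-f]*\) .*/\1/p' | head -n 1)
        if [ "$fpr" != "$expected" ]; then
            echo "FAIL: signed by $fpr, expected $expected" >&2
            return 1
        fi
    fi

    echo "OK: good signature on $tarball"
    return 0
}
```

Typical use is `verify_release bind-<version>.tar.gz "" <fingerprint-of-codesign-key>` after importing the key; treat anything other than an exit status of 0 as a reason not to unpack the archive. The fingerprint itself must come from somewhere other than the site that served the tarball, since a site that can serve a malicious tarball can serve a matching key and signature too.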


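The last remediation item above mentions software tools that track changes in site content so that unexpected modifications can be spotted quickly. Below is an added example of the simplest form of such a tool, a hash manifest of the web root taken from a known-good state and later compared against the live tree; it is editor-written and not ISC's own tooling, and the web root and manifest paths it uses are illustrative. It reports files that were added, modified or removed, which covers the usual signs of a CMS compromise: an injected script in an existing page, a dropped backdoor file, or a deleted log. The manifest must be stored off the web host, since an attacker who can alter content can alter a manifest kept beside it.

```shell
#!/bin/sh
# Baseline-and-compare integrity check for a web root.
# Added example, not ISC's tooling; paths are illustrative.
set -u

# site_baseline WEBROOT MANIFEST
# Records the SHA-256 of every regular file under WEBROOT, sorted by
# path, so two manifests of the same tree are byte-for-byte comparable.
site_baseline() {
    root=$1
    manifest=$2
    ( cd "$root" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$manifest"
}

# site_diff OLD_MANIFEST NEW_MANIFEST
# Prints one line per change (ADDED, MODIFIED, REMOVED followed by the
# path) and returns 1 if anything changed, 0 if the trees are identical.
site_diff() {
    old=$1
    new=$2
    changes=$(
        awk '
            # sha256sum lines are "<hash>  <path>"; strip the hash prefix
            # so paths containing spaces survive intact.
            { h = $1; p = $0; sub(/^[0-9a-f]+  /, "", p) }
            FILENAME == ARGV[1] { old[p] = h; next }
            !(p in old)         { print "ADDED    " p; next }
            old[p] != h         { print "MODIFIED " p }
                                { seen[p] = 1 }
            END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
        ' "$old" "$new" | LC_ALL=C sort
    )
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# site_check WEBROOT MANIFEST
# Rehashes WEBROOT and compares it with the stored MANIFEST.
site_check() {
    tmp=$(mktemp)
    site_baseline "$1" "$tmp"
    rc=0
    site_diff "$2" "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Take the baseline right after a verified deployment (`site_baseline /var/www/html /secure/offhost/site.sha256`), copy the manifest off the host, and run `site_check` from cron or after every publish; a non-zero exit with a list of paths is the signal to compare the change against the record of staff edits that the message above says ISC plans to keep.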