The ISC Website (www.isc.org) was recently compromised and was found to be serving malware.
stenc at s-carlsen.dk
Tue Dec 30 00:29:57 UTC 2014
Hi, thanks for the info.
While I think I have not been in danger, the one piece of information I did not see is:
- when did the incident happen?
I would really suggest giving an earliest and latest estimate; this might help determine whether one is in danger.
Just a comment/wish.
Thanks again for the openness.
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
> On 30 Dec 2014, at 00:57, Michael McNally <mcnally at isc.org> wrote:
> Last week ISC received a report from security firm Cyphort Labs
> informing us that our website, www.isc.org, was delivering malware
> content to visitors. Here is a summary of what we know and what
> we believe to be true about this incident.
>
> What we know to a high degree of confidence:
>
> + Security on www.isc.org was compromised and the site
> was serving malware known as the Angler Exploit to
> visitors. Angler Exploit primarily targets Flash,
> Silverlight, and Microsoft Internet Explorer.
> Diagnosis and removal instructions for Angler Exploit
> malware are available on the web and existing resources
> do a better job of explaining than we could within the
> scope of this message. Please consult with them or with
> your chosen security vendor to find out what steps you
> need to take.
> + Only the main ISC website was compromised. There is no
> evidence that other ISC information services or critical
> ISC infrastructure (such as the F-root nameservers) were
> affected at all. While the main ISC web site has been
> replaced with a static page until it can be secured,
> other ISC information resources such as our Knowledge Base
> (kb.isc.org), FTP service (ftp.isc.org), and GIT repository
> (source.isc.org) were not compromised and continue to
> operate normally.
> + Although many visitors discover the links by visiting
> www.isc.org, ISC software products such as DHCP and BIND
> are actually delivered via the ISC ftp server (ftp.isc.org)
> which was not affected. For additional security, all
> official ISC software releases are cryptographically
> signed using the ISC code signing key (codesign at isc.org)
> and their integrity can be verified using PGP or GPG
> in conjunction with the codesign at isc.org public key.
>
> What we strongly suspect:
>
> + The intrusion is believed to have been accomplished
> by exploiting a vulnerability in one of the plug-ins
> used by our WordPress content management system.
> + We have no reason to believe that ISC was specifically
> targeted; we believe we were simply a convenient target
> because we used a vulnerable WordPress component.
> According to security researchers at Sucuri.net,
> on the order of 100,000 WordPress sites may have been
> compromised by this or similar attacks.
>
> What are we doing to prevent this from happening again?
>
> + ISC took down the affected site and replaced it with a
> static page which will remain until we are confident
> that the site has been secured.
> + In the immediate short term, a new site is being built
> on a freshly-installed VM with more stringent security
> restrictions on WordPress. All of the content on the
> site is being scrutinized by an engineer to make sure
> that the restored site does not contain any content
> introduced during the intrusion. Going forward, ISC will
> re-assess whether WordPress is an appropriate choice for
> the foundation of our public website.
> + New policies will be adopted to track staff edits
> which, in conjunction with software tools which track
> changes in site content, will allow site admins to
> quickly identify any unexpected changes to the site
> in the future and respond accordingly.
>
> ISC is deeply sorry for any inconvenience or risk caused to people
> who visited the www.isc.org site and we pledge to do our best to
> ensure that this situation does not reoccur.
>
> Michael McNally
> (writing for ISC Security Officer)
> dhcp-users mailing list
> dhcp-users at lists.isc.org