The ISC Website ( was recently compromised and was found to be serving malware.

Sten Carlsen stenc at
Tue Dec 30 00:29:57 UTC 2014

Hi, Thanks for info.

While I think I have not been in danger, the one info I did not see is:
- when was the incident happening?

I would really suggest to give earliest and latest estimate, this might help determine if one is in danger.

Just a comment/wish.

Thanks again for openness.

Best regards

Sten Carlsen

No improvements come from shouting:


> On 30 Dec 2014, at 00:57, Michael McNally <mcnally at> wrote:
> Last week ISC received a report from security firm Cyphort Labs
> informing us that our website,, was delivering malware
> content to visitors.  Here is a summary of what we know and what
> we believe to be true about this incident.
> What we know to a high degree of confidence:
>  +  Security on was compromised and the site
>     was serving malware known as the Angler Exploit to
>     visitors.  Angler Exploit primarily targets Flash,
>     Silverlight, and Microsoft Internet Explorer.
>     Diagnosis and removal instructions for Angler Exploit
>     malware are available on the web and existing resources
>     do a better job of explaining than we could within the
>     scope of this message.  Please consult with them or with
>     your chosen security vendor to find out what steps you
>     need to take.
>  +  Only the main ISC website was compromised.  There is no
>     evidence that other ISC information services or critical
>     ISC infrastructure (such as the F-root nameservers) were
>     affected at all.  While the main ISC web site has been
>     replaced with a static page until it can be secured,
>     other ISC information resources such as our Knowledge Base
>     (, FTP service (, and GIT repository
>     ( were not compromised and continue to
>     operate normally.
>  +  Although many visitors discover the links by visiting
>, ISC software products such as DHCP and BIND
>     are actually delivered via the ISC ftp server (
>     which was not affected.  For additional security, all
>     official ISC software releases are cryptographically
>     signed using the ISC code signing key (codesign at
>     and their integrity can be verified using PGP or GPG
>     in conjunction with the codesign at public key.
> What we strongly suspect:
>  +  The intrusion is believed to have been accomplished
>     by exploiting a vulnerability in one of the plug-ins
>     used by our Wordpress content management system.
>  +  We have no reason to believe that ISC was specifically
>     targeted; we believe we were simply a convenient target
>     because we used a vulnerable Wordpress component.
>     According to security researchers at,
>     on the order of 100,000 Wordpress sites may have been
>     compromised by this or similar attacks.
> What are we doing to prevent this from happening again?
>  +  ISC took down the affected site and replaced it with a
>     static page which will remain until we are confident
>     that the site has been secured.
>  +  In the immediate short term, a new site is being built
>     on a freshly-installed VM with more stringent security
>     restrictions on Wordpress.  All of the content on the
>     site is being scrutinized by an engineer to make sure
>     that the restored site does not contain any content
>     introduced during the intrusion.  Going forward, ISC will
>     re-assess whether Wordpress is an appropriate choice for
>     the foundation of our public website.
>  +  New policies will be adopted to track staff edits
>     which, in conjunction with software tools which track
>     changes in site content, will allow site admins to
>     quickly identify any unexpected changes to the site
>     in the future and respond accordingly.
> ISC is deeply sorry for any inconvenience or risk caused to people
> who visited the site and we pledge to do our best to
> ensure that this situation does not reoccur.
> Michael McNally
> (writing for ISC Security Officer)
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at

More information about the dhcp-users mailing list