DNS/NEWS/2015-01-01 - moin.dnsq.info

NEWS/2015-01-01について、ここに記述してください。

http://www.cyphort.com/isc-org-infected/

https://lists.isc.org/pipermail/bind-users/2014-December/094337.html

The ISC Website (www.isc.org) was recently compromised and was found to be serving malware.

Michael McNally mcnally at isc.org Mon Dec 29 23:55:54 UTC 2014

Last week ISC received a report from security firm Cyphort Labs informing us that our website, www.isc.org, was delivering malware content to visitors. Here is a summary of what we know and what we believe to be true about this incident.

What we know to a high degree of confidence:

+ Security on www.isc.org was compromised and the site
- was serving malware known as the Angler Exploit to visitors. Angler Exploit primarily targets Flash, Silverlight, and Microsoft Internet Explorer. Diagnosis and removal instructions for Angler Exploit malware are available on the web and existing resources do a better job of explaining than we could within the scope of this message. Please consult with them or with your chosen security vendor to find out what steps you need to take.
+ Only the main ISC website was compromised. There is no
- evidence that other ISC information services or critical ISC infrastructure (such as the F-root nameservers) were affected at all. While the main ISC web site has been replaced with a static page until it can be secured, other ISC information resources such as our Knowledge Base (kb.isc.org), FTP service (ftp.isc.org), and GIT repository (source.isc.org) were not compromised and continue to operate normally.
+ Although many visitors discover the links by visiting
- www.isc.org, ISC software products such as DHCP and BIND are actually delivered via the ISC ftp server (ftp.isc.org) which was not affected. For additional security, all official ISC software releases are cryptographically signed using the ISC code signing key (codesign at isc.org) and their integrity can be verified using PGP or GPG in conjunction with the codesign at isc.org public key.

What we strongly suspect:

+ The intrusion is believed to have been accomplished
- by exploiting a vulnerability in one of the plug-ins used by our Wordpress content management system.
+ We have no reason to believe that ISC was specifically
- targeted; we believe we were simply a convenient target because we used a vulnerable Wordpress component. According to security researchers at Sucuri.net, on the order of 100,000 Wordpress sites may have been compromised by this or similar attacks.

What are we doing to prevent this from happening again?

+ ISC took down the affected site and replaced it with a
- static page which will remain until we are confident that the site has been secured.
+ In the immediate short term, a new site is being built
- on a freshly-installed VM with more stringent security restrictions on Wordpress. All of the content on the site is being scrutinized by an engineer to make sure that the restored site does not contain any content introduced during the intrusion. Going forward, ISC will re-assess whether Wordpress is an appropriate choice for the foundation of our public website.
+ New policies will be adopted to track staff edits
- which, in conjunction with software tools which track changes in site content, will allow site admins to quickly identify any unexpected changes to the site in the future and respond accordingly.

ISC is deeply sorry for any inconvenience or risk caused to people who visited the www.isc.org site and we pledge to do our best to ensure that this situation does not reoccur.

Michael McNally (writing for ISC Security Officer)