This post was originally published on January 7, 2015.
This week the website of the Internet Systems Consortium (ISC) was compromised.
Visitors to the site, which belongs to the organisation that develops BIND, OpenReg, ISC AFTR and ISC DHCP, are greeted with a message stating:
“We believe the web site may have become infected with malware. Please scan any machine that has accessed this site recently for malware.”
ISC believes the compromise lies either in the WordPress content management system that runs the site or in its associated files and plugins.
ISC says ftp.isc.org, kb.isc.org and other network resources are unaffected and that it hasn’t received any reports to suggest that any client machines have been infected from its website. It does, however, ask visitors to notify firstname.lastname@example.org if they do believe they have acquired a malware infection from the site.
According to Techworm, the attackers redirected visitors to ISC.org to another site hosting the Angler exploit kit. Symantec rates Angler as a severe risk: among other things it has been seen exploiting a flaw in Adobe Flash to take control of a targeted user’s system.
That ISC has been attacked in this way is a concern given its role in developing and maintaining software at the core of the internet’s infrastructure and its operation of the F root server, one of the 13 root name servers at the heart of the domain name system.
Regular visitors to the ISC website are likely to be hardware and software engineers at organisations and projects key to the internet’s operation, which makes the site a natural watering hole. A targeted attack on such operators is therefore likely to yield highly valuable information about systems and people to those responsible.
Fortunately, the F root server appears to have remained unaffected, at least so far: Dan Mahoney, an ISC security officer, told The Register that the “service and security is absolutely unaffected” by the hack.
The ISC website has been presenting visitors with the current placeholder site since 23 December, the day after a Cyphort Labs blog post warned it was distributing malware.
Cyphort said that visitors to the infected site were being redirected to the following hosts and IP addresses:
- snail0compilacion.localamatuergolf.com (18.104.22.168)
- symbolology-rumperis.prairievillage.info (22.214.171.124)
- zapalny.placerosemere-ideescadeaux.ca (126.96.36.199)
- chambouler.mygiftback.com (188.8.131.52)
As part of its investigation into the ISC compromise, Cyphort analysed several files of interest, including “class-wp-xmlrpc.php”, a PHP backdoor named to look like a WordPress core file. When requested, it presents the attackers with a login interface; after entering the ‘root’ password, the attacker gains access to controls that allow them to:
- Open a shell.
- Upload and execute files.
- Read and write files.
- Create files and directories.
- List files.
- Open SQL databases.
- Execute PHP code.
- Kill Self (delete itself).
- List system information about the server, including user accounts, account settings, database versions, PHP version, server software, drives and available space.
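A site owner reading that list will want a way to spot such a file on their own WordPress install before it is used. The Python script below is an added example, not code from ISC, Cyphort Labs or WordPress: it walks a WordPress tree, flags any PHP file that is absent from a known-good file manifest (the backdoor’s name is chosen to sit beside the genuine wp-includes/class-wp-xmlrpc-server.php), and greps every PHP file for the indicators a web shell of this kind needs: dynamic code execution, command execution, decoding helpers and a password gate on request parameters. The manifest, the sample files, the indicator patterns and the password string ‘changeme’ are all constructed for the demonstration and are not taken from the incident.

```python
"""
Scan a WordPress tree for PHP files that look like a disguised web shell.

Added example, not ISC's, Cyphort's or WordPress's code. The manifest,
sample files and indicator patterns below are constructed for the demo.
"""
import os
import re
import shutil
import tempfile

# Constructed manifest: relative paths of the files a clean install should contain.
# In practice this would be exported from a known-good install of the same release.
KNOWN_GOOD = {
    "wp-includes/class-wp-xmlrpc-server.php",
    "wp-includes/functions.php",
    "wp-content/plugins/akismet/akismet.php",
}

# Indicators typical of PHP web shells. Each name maps to a regex; a file is
# reported with the sorted list of indicator names it matches.
INDICATORS = {
    "code_exec": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "cmd_exec": re.compile(r"\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    # A password check keyed on a request parameter, as in the backdoor's login gate.
    "password_gate": re.compile(
        r"\$_(POST|REQUEST|GET|COOKIE)\s*\[\s*['\"](pass\w*|pwd|auth\w*)['\"]\s*\]", re.I),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def scan_tree(root):
    """Return a list of (relative_path, reason, indicators) for suspicious PHP files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(src))
            unknown = rel not in KNOWN_GOOD
            if unknown or hits:
                # A manifest file with indicators may have been tampered with;
                # an unknown file is reported even without indicators.
                reason = "not in manifest" if unknown else "indicators in manifest file"
                findings.append((rel, reason, hits))
    return findings


# Constructed sample tree: one genuine-looking core file, one stand-in for the
# backdoor (core-looking name, password gate, shell/eval), one clean plugin.
SAMPLE_FILES = {
    "wp-includes/class-wp-xmlrpc-server.php":
        "<?php\nclass wp_xmlrpc_server { function serve_request() { } }\n",
    "wp-includes/class-wp-xmlrpc.php": (
        "<?php\n"
        "if ($_POST['pass'] !== 'changeme') { die('login'); }\n"   # hypothetical gate
        "if (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd']); }\n"
        "if (isset($_POST['code'])) { eval(base64_decode($_POST['code'])); }\n"
    ),
    "wp-content/plugins/akismet/akismet.php": "<?php\n// akismet stub\n",
}


def build_demo_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_demo():
    """Scan the constructed tree and return {relative_path: (reason, indicators)}."""
    root = build_demo_tree()
    try:
        return {rel: (reason, hits) for rel, reason, hits in scan_tree(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, (reason, hits) in run_demo().items():
        print(f"{rel}: {reason}; indicators={', '.join(hits) or 'none'}")
```

On the constructed tree only wp-includes/class-wp-xmlrpc.php is reported, as not in the manifest and matching all four indicator classes. On a real install the manifest check is the stronger signal, since a shell can hide its function calls behind string concatenation or encoding; the indicator grep is there to catch tampered files that are in the manifest.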
Back in November another crucial internet organisation, ICANN, was compromised as a result of a spear-phishing attack, but the two incidents are not thought to be related.