​Bad, bad Internet news: Internet Systems Consortium site hacked

The ISC site, home to the world's most popular Domain Name System program BIND, appears to have been infected with malware.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Remember how just last week I told all you dedicated system and network administrators that you weren't going to be starting your holiday weekend early because of a serious NTP security hole? Well, turn your car around and head back to the server room. The Internet Systems Consortium (ISC) has taken the site down for maintenance because they "believe we may be infected with malware."

ISC, the home for the BIND DNS program, was infected with malware. Time to take a long, hard look at your BIND-based DNS servers.
O'Reilly Media
Oh boy.

OK, so those of you are battle-hardened network and sysadmins already know why this is bad news and you're already logging in via ssh to your Domain Name System (DNS) servers. For the rest of you, here is why this could be really, really bad news.

ISC is the group behind the open-source Berkeley Internet Name Domain (BIND) program. BIND is arguably the most popular DNS software on the planet. It is certainly the most used DNS program on the Unix and Linux systems that make up most of the Internet's fundamental infrastructure.

DNS is the master address list of the Internet. It's what translates every human-readable Internet address in the world, say http://www.google.com, into its IPv4 and IPv6 addresses. These numeric addresses are then used by routers and switches to move data from your computer, smartphone, tablet, whatever, to your Web sites, your e-mail server, and back again.

In other words, it's really important. Without DNS, there is no functional Internet.

If the BIND code itself has been corrupted, and you've updated your DNS BIND server with the code, you could be in for a world of hurt. Your site might now have a security hole on it. It's also all too possible that it could be used for a Distributed Denial of Service (DDoS) attack.

Adding insult to injury, ISC runs the F DNS root server. This is one of the 13 root servers that the Internet relies upon for global DNS services.

Before you start hyperventilating, it may not be that bad.

Cyphort, an Internet security company, reported that they'd told ISC that their site had malware on it on December 22. ISC's main site, which used an out of date version of WordPress, had, according to Cyphort had been compromised to point visitors to the sites infected with Angler Exploit Kit. Fortunately, for the Internet, if not Windows users, Angler is a Windows specific malware package.

On the other hand, while ISC's DNS code and DNS servers are on separate servers from the front-end WordPress driven site, where there's' been one security compromise there might have been other, more critical ones.

For now, there are no such reports on the BIND announcement or BIND-user mailing lists. On the static page that now greets you on the ISC site, ISC recommends that anyone who's visited the site recently "scan any machine that has accessed this site recently for malware."

In a separate issue, on December 9th, Carnegie Mellon University's Computer Emergency Response Team (CERT) has reported that there is a new DNS vulberability by which recursive DNS resolvers can be knocked out of service by an infinite chain of referrals if provoked a malicious DNS authoritative server. This problem has been fixed, so you will need to update BIND.

So, it looks like the chances are that ISC's problem is limited to Windows PC malware and it hasn't effected BIND or ISC's DNS site. But do you really want to take that chance?

I didn't think so. Start checking your sites for malware now and looking at your DNS logs for suspicious activity. That's what I'm doing now. Lucky us.

Related Stories:

Editorial standards