
Linux Mint Website Hacked, ISOs Replaced with Backdoored Versions


RV_


A while back I recommended Linux Mint as well as some other variations for using Wine derivations. If anyone is using Mint, this information was published yesterday when the breach was found. It includes who is affected and what to do to fix it.

 

Excerpt:

 

"Attackers managed to hijack the website of the Linux Mint operating system to push a backdoored ISO image of the software to users over the weekend.

 

The developers behind the software, one of, if not the most popular Linux distribution, are unsure what the hackers are aiming to achieve by the move but acknowledge that if there are more efforts to attack their project, they plan to get the authorities involved.

 

Clement Lefebvre, the creator of Linux Mint, disclosed the incident in a blog post early Saturday morning and downplayed it by saying only one version, Linux Mint 17.3 Cinnamon, was compromised and only users who downloaded it via the official site on Feb. 20 are believed to be affected. Users who downloaded through torrents or a direct HTTP link are not affected, Lefebvre said.

 

Regardless, Lefebvre encourages any user who suspects their version is tainted to verify their ISO against a handful of valid signatures listed in the blog – and destroy any compromised versions.

 

If a user has already installed the ISO, Lefebvre advises users to take the computer offline, backup their data and either reinstall the OS or format the partition.

 

Lefebvre has been transparent about the breach since it was announced, further clarifying that attackers managed to breach Linux Mint’s site in the first place via a WordPress vulnerability and from there they got a www-data shell. They were running the latest build of WordPress but a custom theme and “lax file permissions for a few hours” led to the hack, he wrote."

 

More at: https://threatpost.com/linux-mint-website-hacked-isos-replaced-with-backdoored-versions/116370/#sthash.ySN6hHos.dpuf

 

The Linux Mint Blog post from their website blog is as follows:

 

"I’m sorry I have to come with bad news.

 

We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

 

What happened?

 

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

 

Does this affect you?

 

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

 

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.

 

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

 

How to check if your ISO is compromised?

 

If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

 

The valid signatures are below:

6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

 

Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.

 

What to do if you are affected?

 

Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.

 

If you installed this ISO on a computer:

 

Put the computer offline.
Backup your personal data, if any.
Reinstall the OS or format the partition.
Change your passwords for sensitive websites (for your email in particular).

Is everything back to normal now?

 

Not yet. We took the server down while we’re fixing the issue.

 

Who did that?

 

The hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com.

 

Both lead to Sofia, Bulgaria, and the name of 3 people over there. We don’t know their roles in this, but if we ask for an investigation, this is where it will start.

 

What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.

 

If you’ve been affected by this, please do let us know."

 

That very transparent blog shocked some who do not like Linux associated with any vulnerabilities or hackability. As can be seen in the comments at the bottom of the post, Clem and Mint are doing exactly as we all hope our OS maker would do. Explain who is and who is not affected and explain what the fix is.

 

My hat is off to Clem and his Mint team! The Mint Blog is here: http://blog.linuxmint.com/?p=2994

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

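
The check described in the quoted blog post (run md5sum on the ISO and compare against the published list, then look for /var/lib/man.cy in a booted live session), as an added example in POSIX shell. This is not code from the thread or from the Mint blog; the function names and return codes are my own, the hash list is transcribed from the post above, and it assumes GNU coreutils md5sum is available.

```shell
#!/bin/sh
# Added example: verify a Linux Mint 17.3 Cinnamon ISO against the MD5 list
# published in the Mint blog post, and test a filesystem root for the
# /var/lib/man.cy marker the post names. Assumes GNU coreutils (md5sum, cut,
# basename) and awk.

# The five published sums, transcribed from the blog post quoted above.
KNOWN_SUMS='6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso'

# md5_of FILE -> prints only the hex digest (md5sum prints "digest  name").
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# expected_sum NAME [LIST] -> prints the published digest for that ISO file
# name, or nothing if the name is not in the list (LIST defaults to KNOWN_SUMS).
expected_sum() {
    name=$1
    list=${2:-$KNOWN_SUMS}
    printf '%s\n' "$list" | awk -v n="$name" '$2 == n { print $1 }'
}

# verify_iso PATH [LIST] -> exit status 0 on match, 1 on mismatch,
# 2 when the file name is not in the list at all.
verify_iso() {
    path=$1
    list=${2:-$KNOWN_SUMS}
    want=$(expected_sum "$(basename "$path")" "$list")
    if [ -z "$want" ]; then
        echo "NOT LISTED: $(basename "$path")" >&2
        return 2
    fi
    got=$(md5_of "$path")
    if [ "$got" = "$want" ]; then
        echo "OK: $path"
        return 0
    fi
    echo "MISMATCH: $path (expected $want, got $got)" >&2
    return 1
}

# live_session_infected [ROOT] -> status 0 if ROOT/var/lib/man.cy exists.
# ROOT defaults to "" (the running system); pass a mount point to inspect a
# disk or image without booting it.
live_session_infected() {
    root=${1:-}
    [ -e "$root/var/lib/man.cy" ]
}

# Usage (interactive): . ./verify_mint_iso.sh
#   verify_iso ~/Downloads/linuxmint-17.3-cinnamon-64bit.iso
#   live_session_infected /mnt/suspect_root && echo "marker present"
```

Two caveats the post implies but does not spell out: a checksum list served from the same website the attacker controlled can be swapped just as easily as the ISO link (the follow-up comment quoted later in this thread reports a second attack on the same server), so compare against a copy of the list obtained through a different channel, and MD5 is useful for catching a corrupt or substituted download but is not a cryptographic signature; where a distributor offers a signed checksum list, verifying that signature with a key obtained out of band is the stronger check.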

In this case, it wasn't even Mint that was hacked, but rather their web server. Logically, we can expect the server was likely running a Linux server OS, but we don't know which one or what was hacked to gain access and change the link. The linked bogus Mint ISO simply had a file or files added that diverted selected data, something that can easily be done with any OS when unimpeded access to it is available. The trick is to get people to load and use the doctored OS, something the hackers did manage to do briefly. But not by hacking Mint...

Dutch
2001 GBM Landau 34' Class A
F-53 Chassis, Triton V10, TST TPMS
2011 Toyota RAV4 4WD/Remco pump
ReadyBrute Elite tow bar/brake system


Dutch,

 

But it didn't happen today to any OS, just Mint. And "simply diverted data", meaning sent personal data elsewhere, is serious to me and any that used the bad files.

 

Why are you saying we? Are you part of the Mint team working with Clem on this?

 

You seem to be trying to change this from serious to just nothing because the verbiage is wrong.

 

See. I don't consider having to do this minor:

 

"If you installed this ISO on a computer:

 

Put the computer offline.
Backup your personal data, if any.
Reinstall the OS or format the partition.
Change your passwords for sensitive websites (for your email in particular)."

 

 

Because saving personal data, then wiping and starting over, is a lot of work! Do you think that's an acceptable result of trying a Linux Distro??

You obviously don't like my use of the word "hackability" in relation to the server getting hacked, in the words of Clem in his blog. If you would like posts about backdoored versions of a Linux distro, that might affect some of our friends here, worded in your words, I invite you to post it first, in your words.

 

After the initial report in the blog of the hack an hour or so later this was posted:

 

"Heyo, it seems like the download pages still point to the hacked ISOs.

Honestly, the only reason why I noticed is because I was downloading the ISOs in bulk using wget, and I saw a strange IP address and the fact that it was a PHP file.

 

Anyway, are the download pages going to be fixed anytime soon? I want to burn a CD for an old family friend… He got scammed by the “windows tech support” scammers and I want to show him the joys of Linux Mint!

 

Edit by Clem: Thanks for reporting this, this is a second attack so it means we’re still vulnerable. I’m shutting the server down right now."

 

All that was early Sunday morning and later. I will see when it is fixed, but in the meantime I posted my kudos on that blog as RV about their great response and outstanding distro.

 

Clem's comments were all thorough, very direct, and without ego or casting stones. He never once said that his breach was OK because Windows had so many equal or greater breaches as many others and users do. Windows has nothing to do with the attacks on the Mint websites, user created vulnerabilities, administration mistakes, or security breaches of its users or the users of other OS'.

 

Above are links to the story which has no clickbait title, and the Mint Blog link. Perhaps you can post your comments there to the people I am quoting.

 

I did.

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire


I'm using "we" as in you and I, along with anyone else with no direct knowledge of the web server situation. The bottom line is that Mint was not hacked, only the unknown web server OS was hacked. The change introduced into the bogus Mint ISO could just as easily have been done to a Windows or Apple OS download, and a redirected link placed on the appropriate website, assuming a similar vulnerability. My point is that Mint itself was not hacked, just that a bogus backdoored Mint ISO was created using standard build processes. Of course it's serious for the relatively few people affected, but the fault lies with the vulnerability that allowed the web site hack, not with any fault within Mint. I'd hate to see Mint itself get an undeserved rap over the event.

 

My only connection to Mint is the Cinnamon version Torrent I downloaded and installed on a memstick to check it out after reading your recommendation. I do applaud their being forthcoming about the issue, and I hope they solve the server issue quickly and permanently. Hopefully, they'll post details about that vulnerability once they discover it.

Dutch
2001 GBM Landau 34' Class A
F-53 Chassis, Triton V10, TST TPMS
2011 Toyota RAV4 4WD/Remco pump
ReadyBrute Elite tow bar/brake system


Dutch, thanks for clarifying,

 

I don't think it makes any difference whether the OS was hacked before install giving a data theft backdoor, or the Linux server was hacked, or the WordPress connection proves out. I posted as soon as I saw it because I did, and do, recommend it as a good way to switch from Windows. A compromised system is a security nightmare regardless of OS.

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire


This is an issue for Windows folks looking to switch because they aren't used to verifying the digital signatures on software they download. It might also serve as a reminder to Linux users that are a bit lax in verifying their downloads before installing.

 

The verification is pretty simple, as can be seen in the first post, and only takes a couple minutes to do. It also has the advantage of ensuring your downloaded .iso is bit for bit an exact copy of the original, which can be a frustration saver.

First rule of computer consulting:

Sell a customer a Linux computer and you'll eat for a day.

Sell a customer a Windows computer and you'll eat for a lifetime.


Archived

This topic is now archived and is closed to further replies.
