Linux Mint Website Hacked, ISOs Compromised With Backdoor


Absolute security is a myth. And this has been proved once again with Linux Mint website being hacked.

Yes, one of the most popular Linux distributions, Linux Mint, was attacked recently. Attackers managed to break into the website and replace the download links of some Linux Mint ISOs with links to their own modified ISOs containing a backdoor. Users who downloaded these compromised ISOs are at risk.

Update: The Linux Mint forum has been hacked as well. The forum database has been compromised. This gives the attackers access to users’ email addresses and an encrypted version of their passwords. Though encrypted, passwords can be brute-forced.

How was Linux Mint hacked?

As per the information available at present, the attackers got into the website through WordPress. Linux Mint uses the open source CMS WordPress for its website. “The breach was made via WordPress. From there they got a www-data shell”.

Once inside the website, they changed the download links to point to a server in Bulgaria, from which the compromised, backdoored Linux Mint ISOs were served to unsuspecting users.

Don’t panic!

Don’t panic just yet. The attack compromised some ISOs, but not all of them.

Only Linux Mint 17.3 Cinnamon edition ISOs that were downloaded on 20th February are affected; the rest are fine, Linux Mint assures. And that only applies if you downloaded directly from the website. If you used a torrent, you should be safe.

Though Linux Mint says that only Cinnamon editions should be impacted, as a precautionary measure I suggest that every Linux Mint ISO downloaded after 18 February 2016 be checked (explained in the next section) to find out whether it has been compromised.


How to check whether your Linux Mint ISO has been compromised

If you still have the ISO, compute its MD5 checksum with the following command:

md5sum path_to_iso

The command prints a 32-character hexadecimal hash followed by the file name. Match it against the reference checksum for your edition in the table below:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If the checksum doesn’t match the one listed for its edition, you have a compromised ISO.

Don’t have the ISO anymore, but still have a live USB/disc?

If you still have a live USB or disc, boot the live session and run the following command in a terminal:

sudo ls -l /var/lib/man.cy

If the file is not found, you are good. If the file exists, you have a compromised ISO.
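As an added example (not part of the original article), the two checks above combined into one script: it streams the ISO through MD5, looks the digest up in the reference table from this page, and tests for the /var/lib/man.cy marker under a root directory you pass, so it can be pointed at a mounted live image or at a test directory (the function names and the root-directory parameter are assumptions of this example).

```python
import hashlib
from pathlib import Path

# Reference MD5 checksums published for the unaffected Linux Mint 17.3
# Cinnamon ISOs, copied from the table in this article.
KNOWN_MD5 = {
    "6e7f7e03500747c6c3bfece2c9c8394f": "linuxmint-17.3-cinnamon-32bit.iso",
    "e71a2aad8b58605e906dbea444dc4983": "linuxmint-17.3-cinnamon-64bit.iso",
    "30fef1aa1134c5f3778c77c4417f7238": "linuxmint-17.3-cinnamon-nocodecs-32bit.iso",
    "3406350a87c201cdca0927b1bc7c2ccd": "linuxmint-17.3-cinnamon-nocodecs-64bit.iso",
    "df38af96e99726bb0a1ef3e5cd47563d": "linuxmint-17.3-cinnamon-oem-64bit.iso",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a multi-GB ISO never has to fit in RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_iso(path, known=KNOWN_MD5):
    """Return (status, digest, edition).

    'ok'       - the digest is one of the published reference checksums
    'mismatch' - the file is named like a known edition but its digest differs
    'unknown'  - the file is not one of the editions in the table
    """
    digest = md5_of_file(path)
    name = Path(path).name
    if digest in known:
        return "ok", digest, known[digest]
    if name in known.values():
        return "mismatch", digest, name
    return "unknown", digest, None


def backdoor_marker_present(root="/"):
    """The live-session check from the article: the backdoored ISOs drop
    /var/lib/man.cy. `root` (an assumption of this example) lets you point
    the check at a mounted live image instead of the running system."""
    return Path(root, "var", "lib", "man.cy").exists()


if __name__ == "__main__":
    import sys
    status, digest, edition = verify_iso(sys.argv[1])
    print(status, digest, edition or "")
```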

What if you have the compromised ISO?

Get rid of the ISO. If you burnt it to a DVD, trash the disc. If you wrote it to a USB stick, do a full format of the stick.

If you have installed this ISO on a computer:

  • Put the system offline.
  • Backup your personal data, if any.
  • Reinstall the OS (with an uncompromised ISO) or format the partition (if you are dual booting).
  • Change your passwords for important websites such as your email, Facebook, etc.

How is Linux Mint handling this issue?

At the time of writing this article, the Linux Mint website is down. No downloads are available for now.

The Linux Mint team is tracing the attackers and has found that the hacked ISOs are hosted on 5.104.175.212 and that the backdoor connects to absentvodka.com. Both of these lead to Sofia, Bulgaria, and to the names of three people there.

Linux Mint stated:

We don’t know their roles (those 3 people who are linked to the IP) in this, but if we ask for an investigation, this is where it will start.

What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.

What next?

We need to wait and watch until the dust settles. This is a huge setback to the reputation of Linux Mint. But Linux Mint is not the first to fall prey to attackers. A few years back, Ubuntu Forums was hacked and all user credentials were stolen.

In the cyber world, such attacks are not uncommon. I hope that Linux Mint takes control of the situation and focuses more on the security of its websites and servers.

Meanwhile, have you been impacted by the malicious backdoor? What are your views on the entire Linux Mint hacking episode?

    • It’s not a literal. You are running md5sum to get the checksum of the iso you downloaded so you have to tell md5sum where that file is by specifying its path. E.g. if you downloaded it into a folder named installs under your user’s home directory, you would open a terminal and type

      md5sum $HOME/installs/linuxmint-17.3-cinnamon-64bit.iso

      If you downloaded a different version than the one I listed, you would use that file name instead.

  • I can’t see how this is specifically a Linux Mint problem. It was the Linux Mint website that was attacked and the perps got there through WordPress. Surely it’s a WordPress security issue.

    • Putting the blame on WordPress would be incorrect. It depends how you manage WordPress. If you have an outdated, risky plugin or even if your theme code has a vulnerability.

      A vulnerability in WordPress will impact thousands of websites, not just Linux Mint.