Absolute security is a myth. And this has been proved once again with Linux Mint website being hacked.
Yes, one of the most popular Linux distribution, Linux Mint was attacked recently. Hackers managed to hack the website and replace the download links of some Linux Mint ISOs to their own, modified ISOs with a backdoor in it. Users who downloaded these compromised ISOs are at risk of hacking attacks.
Update: Linux Mint Forum has been hacked as well. The forums database has been compromised. This gives the hackers access to users’ email and encrypted version of their password. Though encrypted, passwords can be brute-forced.
How was Linux Mint hacked?
As per the information available at present, attackers got hold of the ISOs through WordPress. Linux Mint uses the Open Source CMS WordPress for its website. “The breach was made via WordPress. From there they got a www-data shell”.
Once they entered the website, they changed the download links to point it to a server in Bulgaria where the compromised Linux Mint ISOs with backdoor were served to unsuspecting users.
Don’t panic. Not just now. The hacking attack has compromised ISOs but not all of them.
Only Linux Mint 17.3 Cinnamon edition ISOs that were downloaded on 20th February are the victim. Rest are fine, assured Linux Mint. That too, when you downloaded directly from the website. If you used a torrent, you should be safe.
Though Linux Mint says that only Cinnamon editions should be impacted, as a precautionary measure, I suggest that all the Linux Mint ISOs downloaded after 18 February 2016 must be checked (explained later in the next section) to know if it’s been compromised or not.
[Tweet “If you downloaded Linux Mint ISO after 19 Feb, you are at risk. #LinuxMintHacked”]
Check if your Linux Mint has been compromised or not?
If you still have the ISO, you should run a md5 checksum with the following command:
In the end of this check, you should see a random number. Match them against their respective versions using the table below:
6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso 30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso 3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso
If the checksum doesn’t match with its corresponding edition, you have a compromised ISO.
Don’t have ISO anymore but have a live USB/disk?
If you have a live USB or disk still with you, load the live session and run the following command in a terminal:
sudo ls -l /var/lib/man.cy
If it doesn’t find the file, you are good. But if it finds the file, you have a compromised ISO.
What if you have the compromised ISO?
Get rid of the ISO. If you burnt it to DVD, trash the disc. If you used it on USB, do a full format of the USB stick.
If you have installed this ISO on a computer:
- Put the system offline.
- Backup your personal data, if any.
- Reinstall the OS (with an uncompromised ISO) or format the partition (if you are dual booting).
- Change your passwords for important websites such as your email, Facebook etc
How is Linux Mint handling this issue?
At the time of writing this article, Linux Mint website is down. No downloads are available for now.
Linux Mint team is backtracking the hackers and have found that the hacked ISOs are hosted on 126.96.36.199 and the backdoor connects to absentvodka.com. Both of these lead to Sofia, Bulgaria, and the name of 3 people over there.
Linux Mint stated:
We don’t know their roles (those 3 people who are linked to the IP) in this, but if we ask for an investigation, this is where it will start.
What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.
We need to wait and watch until the dust settles. This is a huge setback to the reputation of Linux Mint. But Linux Mint is not the first one to fall prey to the hackers. A few years back, Ubuntu Forums was hacked and the all user credentials were stolen.
In the cyber world, such attacks are not uncommon. I hope that Linux Mint takes control of the situation and focus more on the security of its websites and servers.
Meanwhile, have you been impacted with the malicious backdoor? What are your views on the entire Linux Mint hacking episode?