Linux Mint Users - Everything's Compromised! (seriously) (20/02)

Security-advisory for any Linux Mint users here.

Update: Linux Mint forum passwords were also compromised. See: http://blog.linuxmint.com/?p=3001?

If you downloaded an ISO on 20th Feb 2016 it may have been compromised. The download servers were compromised and a modified ISO was placed on them.

It is believed to have affected only the Linux Mint 17.3 Cinnamon editions.

My advice would be to delete any ISOs you downloaded on or around that date, reinstall any installation made from ISOs downloaded on or around that date, and change any passwords you used in that time.

Full Description

I’m sorry I have to come with bad news.

We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

Does this affect you?

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

How to check if your ISO is compromised?

If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

The valid signatures are below:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.

What to do if you are affected?

Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.

If you installed this ISO on a computer:

  • Put the computer offline.
  • Backup your personal data, if any.
  • Reinstall the OS or format the partition.
  • Change your passwords for sensitive websites (for your email in particular).

Is everything back to normal now?

Not yet. We took the server down while we’re fixing the issue.

Who did that?

The hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com.

Both lead to Sofia, Bulgaria, and the name of 3 people over there. We don’t know their roles in this, but if we ask for an investigation, this is where it will start.

What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.

If you’ve been affected by this, please do let us know.

3 Likes
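The two checks from the quoted post, the MD5 comparison against the published list and the look for /var/lib/man.cy in the live session, as a small POSIX shell script. This is an added example, not code from the Linux Mint post or from anyone in this thread; the five checksums are copied verbatim from the post, the function names and return codes are my own, and the second function takes an optional root path so it can be run against a mounted image as well as the booted live session.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against the MD5 list published in the
# Linux Mint post, and look for the /var/lib/man.cy marker the post names as
# the sign of an infected image. Not the project's own tooling.

# The five checksums exactly as published in the post (hash, two spaces, name).
KNOWN_MD5SUMS='6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso'

# check_iso_md5 <path-to-iso> [checksum-list]
# Looks the ISO's own filename up in the list and compares MD5 sums.
# Return codes: 0 match, 1 mismatch, 2 file missing, 3 filename not in list.
check_iso_md5() {
  iso=$1
  list=${2:-$KNOWN_MD5SUMS}
  if [ ! -f "$iso" ]; then
    echo "ERROR: no such file: $iso" >&2
    return 2
  fi
  name=$(basename "$iso")
  # md5sum list format is "<hash>  <name>", so awk's $2 is the filename.
  expected=$(printf '%s\n' "$list" | awk -v n="$name" '$2 == n { print $1; exit }')
  if [ -z "$expected" ]; then
    echo "UNKNOWN: $name is not one of the published filenames; cannot verify"
    return 3
  fi
  actual=$(md5sum "$iso" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name matches published MD5 $expected"
    return 0
  fi
  echo "MISMATCH: $name has MD5 $actual, published value is $expected"
  return 1
}

# check_backdoor_marker [root]
# Looks for /var/lib/man.cy under the given root (default: the running
# system, i.e. the booted live session). Returns 1 when the marker exists.
check_backdoor_marker() {
  root=${1:-}
  if [ -e "$root/var/lib/man.cy" ]; then
    echo "INFECTED: found $root/var/lib/man.cy"
    return 1
  fi
  echo "CLEAN: no $root/var/lib/man.cy marker under '${root:-/}'"
  return 0
}

# Usage, e.g. after sourcing this file:
#   check_iso_md5 ~/Downloads/linuxmint-17.3-cinnamon-64bit.iso
#   check_backdoor_marker                 # inside the booted live session
#   check_backdoor_marker /mnt/mint-root  # against a mounted install
```

Note that the MD5 list itself came from the same website the attackers had redirected, so a matching checksum only tells you the file is the one the project intended to publish if you trust the page you read the hash from; a GPG signature checked against a pinned key fingerprint is the stronger test.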

good to know

They also dumped the site DB and all; most likely already on sale.

1 Like

Always verify the signature of the ISO that you are installing:

  1. Find a .sig file for the ISO. It should be on the website.
  2. Do:

gpg --verify <iso_name>.iso.sig

Don't have the key? Then do

gpg --recv-keys <key_id>

where you can get the key ID from the first command's error message. You should probably verify the key fingerprint too; that's on the website too but sometimes buried pretty deep.

Any decent linux distro should have a tutorial on this.

2 Likes
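The verification flow from the post above, with the fingerprint check made explicit: a POSIX shell function that runs gpg --verify and accepts the ISO only when the signing key's full fingerprint equals a value pinned from somewhere other than the download page. This is an added example, not code from the thread or from Linux Mint; it assumes gpg 2.x is installed, that the distribution's public key has already been imported (the gpg --recv-keys step above), and that the expected fingerprint is supplied by the caller.

```shell
#!/bin/sh
# Added example: verify a detached GPG signature on an ISO and refuse it unless
# the signing key's full fingerprint matches a pinned value. Assumes gpg 2.x
# and that the signer's public key is already in the keyring.

# verify_iso_signature <iso> <iso.sig> <expected-fingerprint>
# The fingerprint may be given with or without spaces, in either case.
# Return codes: 0 good signature from the pinned key, 1 no valid signature,
# 2 valid signature but made by a different key.
verify_iso_signature() {
  iso=$1
  sig=$2
  want=$(printf '%s' "$3" | tr -d ' ' | tr 'abcdef' 'ABCDEF')

  # --status-fd 1 makes gpg print machine-readable "[GNUPG:] ..." lines on
  # stdout; gpg exits non-zero for a bad signature or an unknown key.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$iso" 2>/dev/null) || {
    echo "BAD: no valid signature on $iso (tampered file, wrong .sig, or key not imported)"
    return 1
  }

  # VALIDSIG carries the fingerprint of the key that made the signature ($3)
  # and, in gpg 2.x, the primary key's fingerprint as the last field, so a
  # pinned primary fingerprint still matches when a signing subkey was used.
  got=$(printf '%s\n' "$status" |
        awk '$2 == "VALIDSIG" { print $3; if (NF >= 12) print $NF; exit }')
  if [ -z "$got" ]; then
    echo "BAD: gpg reported no VALIDSIG line for $iso"
    return 1
  fi
  for fpr in $got; do
    if [ "$fpr" = "$want" ]; then
      echo "OK: $iso signed by key with fingerprint $fpr"
      return 0
    fi
  done
  echo "WRONG KEY: signature on $iso is valid but made by $got, expected $want"
  return 2
}

# Usage, e.g. (fingerprint taken from a trusted, out-of-band source):
#   verify_iso_signature linuxmint-17.3-cinnamon-64bit.iso \
#       linuxmint-17.3-cinnamon-64bit.iso.sig "<expected fingerprint>"
```

The point of the extra comparison is that a "Good signature" line alone only proves the file was signed by some key you happen to have imported; an attacker who can replace the ISO and the .sig on a compromised server can publish a key of their own alongside them, and gpg --recv-keys will happily fetch it.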

Hi guys,

Not sure if it's been posted here yet but if you've downloaded Linux Mint from their site this past weekend (specifically on the 20th), may want to give this a look:

Transparency is good. So for a day some people managed to point the official links to their ISO images with built-in back doors. Pretty crafty, but they were exposed on the same day. This is why I always validate the checksums of ISOs.

UPDATE: Linux Mint users with Linux Mint forum accounts, you need to change your passwords; their forum database was compromised.

http://blog.linuxmint.com/?p=3001?

It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.

The database contains the following sensitive information:

  • Your forums username
  • An encrypted copy of your forums password
  • Your email address
  • Any personal information you might have put in your signature/profile/etc…
  • Any personal information you might have written on the forums (including private topics and private messages)

People primarily at risk are people whose forums password is the same as their email password or as the password they use on popular or sensitive websites. Although the passwords cannot be decrypted, they can be brute-forced (found by trial) if they are simple enough or guessed if they relate to personal information.

Out of precaution we recommend all forums users change their passwords.

While changing your passwords, please start with your email password and do not use the same password on different websites.

To add more info. It looks like their forum uses very poor password hashing. Consider your password completely compromised if you have an account there.

Oh joy, now I'm gonna get phone calls from angry customers about how the Linux Mint laptops I built are compromised... But since I check the signatures before putting it on USB and I installed it back in January, they should be fine. But still a lot of explaining to do now...

At least they don't know about the weird security issue Mint has had for a while, where it doesn't update the kernel by default. You have to go in and manually tell it to update it. :/

Eh some are unfortunately in that "know enough to be dangerous". So as a precaution I'm giving them calls.

1 Like

Maybe a good idea just so they have a heads up. It doesn't look like the package database was compromised. Just ISOs and the site the other day.

@Big_Al_Tech They also may or may not come across https://lwn.net/Articles/676664/ which questions their professionalism.

1 Like

Ah, those kinds of things really suck.
Glad I've never installed any of their distros realtime.

Wasn't this only if you did a dist-upgrade from 17.2 to 17.3 and not if you did a clean install?

This is if you downloaded the .iso, didn't verify the MD5, and did this at or around February 20th as a new install. But checking for this kind of stuff never hurts.

1 Like

I can't even reach the web page, I don't use Mint anymore, but I was pretty active on their forum and still would like to change my password

1 Like

Yeah, I saw this. I wonder about people that have been running it for months or more. Any issues from previous installs?

Link: http://www.pcworld.com/article/3035682/security/hackers-planted-a-backdoor-inside-a-compromised-version-of-linux-mint.html

1 Like

Oh, yes, but I was talking about the kernel update @Eden mentioned and not the hacked iso. Sorry for off topic. Unless there is something I don't know of..

Edit: Stumbled upon someone on reddit talking about it

Since they are mixing binary packages of their own packaging and Debian/Ubuntu's packaging which creates a so-called FrankenDebian which - as a result - is prone to breakage when trying to upgrade packages.

Their answer to this is to simply blacklist certain packages on the upgrade list meaning that these packages do not receive security updates by default. This blacklist contains essential packages like X.Org and the kernel.

So apparently there was something I did not know. Surprising.. hah not.

1 Like

The reason why I never touched Mint is.. it's a Frankensteined distro; using a funny mix of Ubuntu, Debian and own sources, mixing and stitching them together; blacklisting packets from the Ubuntu and/or Debian repos; hijacking the namespace of other established programs with their own stuff...

Mint, as customer-friendly as it may seem, is actually a horrible mess of packets that tend not to like each other, as they never got tested.

2 Likes

They seem to take their website down every time something happens, no idea why.

1 Like