LinuxMint Trojan in ISO

2021. 10. 28. 21:55 Beware of hacked ISOs if you downloaded Linux Mint on February 20th! – The Linux Mint Blog
https://blog.linuxmint.com/?p=2994 1/278
The Linux Mint Blog
(https://blog.linuxmint.com/)
NEWS FROM THE MINT TEAM

Beware of hacked ISOs if you downloaded Linux Mint on
February 20th!
FEBRUARY 21, 2016 (HTTPS://BLOG.LINUXMINT.COM/?P=2994) BY CLEM (HTTPS://BLOG.LINUXMINT.COM/?
AUTHOR=1) · 787 COMMENTS (HTTPS://BLOG.LINUXMINT.COM/?P=2994#COMMENTS)
I’m sorry I have to come with bad news.
We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but
if it impacts you, it’s very important you read the information below.
What happened?
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our
website to point to it.
Does this affect you?
As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
If you downloaded another release or another edition, this does not affect you. If you
downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.
Finally, the situation happened today, so it should only impact people who downloaded this
edition on February 20th.
How to check if your ISO is compromised?
If you still have the ISO file, check its MD5 signature with the command “md5sum
yourfile.iso” (where yourfile.iso is the name of the ISO).
OK
By continuing to use this website, you consent to the use of cookies in accordance with our Cookies

Previous
Monthly News – January 2016 (https://blog.linuxmint.com/?p=2985)
The valid signatures are below:
If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn
off your router if in doubt) with it and let it load the live session.
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
What to do if you are affected?
Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.
If you installed this ISO on a computer:
Put the computer offline.
Backup your personal data, if any.
Reinstall the OS or format the partition.
Change your passwords for sensitive websites (for your email in particular).
Is everything back to normal now?
Not yet. We took the server down while we’re fixing the issue.
Who did that?
The hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to
absentvodka.com.
Both lead to Sofia, Bulgaria, and the name of 3 people over there. We don’t know their roles in
this, but if we ask for an investigation, this is where it will start.
What we don’t know is the motivation behind this attack. If more efforts are made to attack
our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms
to confront the people behind this.
If you’ve been affected by this, please do let us know.
6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso
OK
Policy. (https://www.linuxmint.com/privacy.php)

Next
All forums users should change their passwords. (https://blog.linuxmint.com/?
p=3001)
787 COMMENTS
gunvolt
February 21, 2016 at 1:48 am (https://blog.linuxmint.com/?p=2994#comment-124877)
Are there lots of server problems lately or are you just being more transparent about them?
Edit by Clem: We’ve always been transparent. It’s something we owe people to a certain
extent, and it’s also easier to just say things the way they are. That’s how I was brought up
anyway, so that’s how it is. Regarding servers, there are more and more servers all the time,
yes. The only attacks we suffered in the past were DDOS though, this is new. It’s also
important we communicate about this attack because we’re not talking about downtime or
inconvenience here, this is a call to action. We need people who are affected by this, to
understand that they are, so they don’t get hurt or used going forward.
Reply (https://blog.linuxmint.com/?p=2994&replytocom=124877#respond)
Clem
If you have any doubt or any question, please don’t hesitate to ask. I tried to stick to the most
important information, but I understand how unsettling this can be. I’ll be happy to answer as
many questions as I can.
Dana
Dumb question but were any of the repositories affected? I did an upgrade today and was
surprised that firmware upgraded to Linux 3.19.0-32-generic #37~14.04.1-Ubuntu
Edit by Clem: No.
OK

Sebbie
Were downloads via Torrent also affevted, or is Torrent more difficult to compromise?
Edit by Clem: No they weren’t.
ARitz Cracker
Heyo, it seems like the download pages still point to the hacked ISOs.

Honestly, the only reason why I noticed is because I was downloading the ISOs in bulk using
wget, I saw a strange IP address and the fact that it was a PHP file.
Anyway, are the download pages going to be fixed anytime soon? I want to burn a CD for an
old family friend… He got scammed by the “windows tech support” scammers and I want to
show him the joys of Linux Mint!
Edit by Clem: Thanks for reporting this, this is a second attack so it means we’re still
vulnerable. I’m shutting the server down right now.
k0nsl
I’ll ask this question, without knowing the intrinsic details, or any specific details other than
what has been posted above; did the breach have anything to do with the fact that you’re
running WordPress?
Best wishes and thanks for the heads up.
-k0nsl
Edit by Clem: Yes, the breach was made via wordpress. From there they got a www-data
shell.
OK

Lucky W. Donegan
Was there a time stamp upon this file you mention as to when it was created on the server.
Hopefully there was sufficient info on the intrusion of the server and to which version of
Cinnamon weather it was a 32bit or 64bit version affected or both ?
Lucky
Edit by Clem: Yes, it was from today. 64-bit definitely, 32-bit didn’t show links but was found
on the Bulgarian server, so it looks like they were preparing to compromise this one as well
later on.
gunvolt
#3 -No, that’s an Ubuntu package, not Mint. And it’s not firmware, it’s a system component.
James
I’ve just been trying to install a fresh version of Linux Mint on a new machine from this
corrupted ISO for the last couple of hours. I thought something was weird when I was unable
to connect to the internet after installing, yet I was able to reach my router. I’d stupidly not
checked the MD5 checksum before using the ISO. Has anyone/is anyone going to be looking
into the ‘functional’ difference between the genuine and hacked versions? I’d be interested to
know what/if any of my data or keyboard input has been stolen from me.
Thank you for letting us know about this.
Edit by Clem: Yes, it’s Mint with tsunami running on it. Here’s some info on it
http://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html
(http://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html)
OK

John
So, it is only Cinnamon versions, correct? I just installed linuxmint-17.3-xfce-64bit today and I
am a bit concerned after reading this blog.
Edit by Clem: Check the MD5 to be safe, but yes, it’s Cinnamon.
Fred Barclay
Hi Clem. Thanks for being straightforward and quick to let us know. I guess being targeted is
the price you have to pay for making the most popular Linux distro. 😀 Thankfully I haven’t
downloaded anything within the last few days.
Considering that this might happen again, have you guys considered some sort of way
(besides md5sums) that we can verify the ISOs come from you? Maybe something like GPG?

That way if the server was hacked, the isos were replaced, and the publicly listed .iso
md5sums were changed, the isos would still have incorrect gpg signatures.
Assuming you did start signing the releases and posting a link on the Linux Mint main page
to the public Mint gpg key, an attacker could still replace the isos with malicious ones and
replace the key link with one that links to his own. To combat this, some of us in the
community and on the forums who use gpg (I know of several besides myself) could sign
the Mint gpg key with our own keys. That way more trust could be put in the Mint key. I mean,
even I could easily create a gpg key that claims to be from Clement Lefebvre, but it would be
much harder for me or an actual attacker to then sign that key with the keys of several other
members of the community.
Just an idea but thought you might be interested. 🙂 I’m sure whatever you guys end up doing
will be great!
Also, do you think you could make an announcement on the forums/link this one there?
OK

Edit by Clem: What really helps here is duplication and the community. We were alerted very
fast and we were able to be alerted because people could find contradicting MD5s (and
that’s mostly because the MD5s aren’t just in one place, but in many). Another thing which is
going to help is to buy more servers and separate services even more. That way, if somebody
hacks say wordpress, there’s only wordpress on that server and nothing else.
nizzle
Doesn’t do much good to post hashes on a site that’s not served over TLS.
When will *.linuxmint.com go https only?
Edit by Clem: It’s planned and I’m hoping it’ll happen soon. Please note that this wouldn’t
have helped here though. You’d be served the exact same hacked information via HTTPs.
Harry
Hi Clem, did this happen because there’s no HTTPS protection on mint website?
Edit by Clem: No. We need HTTPs to protect communication (mostly on your side, and
against local or middle attacks). Here we have an intrusion, so it has nothing to do with the
protocol. The hackers used wordpress to get in.
chris black
Hi, I downloaded and installed LinuxMint on Feb 18’th using a link from the official website, I
should be ok, right?
Thanks
Edit by Clem: Yes. Check the signature just out of precaution.
OK

concerneduser
Clem, is there any way to confirm that the hashes posted on this page are valid? They aren’t
signed and the page isn’t even served over HTTPS. For all we know they could be spoofed as
well.
Edit by Clem: You can find them at http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
(http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/) also along with signed sha256sums.
Erick
I really appreciate you keeping us posted. This was passed along to me by another friend
whom knows I am devoted to Linux Mint. I was going to ask similarly if anyone had checked
all the repositories, though I’ve not had anything seemingly affected.
I am always thankful that you guys are not only working on the project, but that you are
straight forward and proactive. Thank you guys for being diligent enough to see it, and
transparent enough to let us know just in case. Keep us updated.
Though I will ask why you are not pursuing action now, and only waiting to see if they try this
again? Have you let authorities know and sent them the information?
Edit by Clem: It’s 3am here for us and 4am for them and the main concern is to clean up and
get back to being safe and operational.
ARitz Cracker
Hey… uh… I realized that my previous comment sounded a tad demanding. You guys are
literally doing the impossible, and I really appreciate it. Thank you.
Reply (https://blog.linuxmint.com/?p=2994&replytocom=124893#respond) OK

BALLOON a.k.a. Fu-sen.
I was sure that the Linux Mint Website download page is still hacking.

IP address to these link has been added.
https://scrot.moe/image/JtvQ (https://scrot.moe/image/JtvQ)
It has done this other than Cinnamon. Download now of ISO is dangerous!
Jeo
WARNING: The download links are still redirecting to this bulgarian IP, 5.104.175.212.
DO NOT DOWNLOAD!!!
Clem please disable downloads until you can gurantee user safety.
Edit by Clem: We shut down the server until we find the source of the second intrusion
(probably something left by the first).
No Body
WordPress = shit.
Patrick
Please add HTTPS support to linuxmint.com, whether it’s related or not to this hacking, this
is really unacceptable in 2016
Edit by Clem: It’s not, but we will. OK

bananabob
Just downloaded two copies of the 64 bit Cinnamon from the Oceania links for University of
Canterbury and Xnet both are coming up with the same incorrect md5sum
(7d590864618866c225ede058f1ba61f0) – So of course I have not installed. (Time NZST
15.50 Date 21 Feburary 2016)
How long before we can get a trusted download here in NZ?
Edit by Clem: That’s the MD5SUM of the hacked ISO alright. The server was taken down until
we know it’s safe again. I’m sorry I can’t give you an ETA.
Robert
Looks Like I was a lucky one….

Decided to set up an old laptop yesterday.

Had version 15 of mint could/would not update,

Downloaded the ISO, rufused to a USB and installed….
Interesting times.
gunvolt
Oh no… linuxmint.com is down

https://www.dropbox.com/s/yuawahvhbmj82by/Screenshot%20from%202016-02-
20%2020%3A20%3A51.png?dl=1
(https://www.dropbox.com/s/yuawahvhbmj82by/Screenshot%20from%202016-02-
20%2020%3A20%3A51.png?dl=1)
OK

Edit by Clem: Yes, we can’t investigate and clean up while still being open to attacks. We had
to take it down.
Hayden
I’m a Gentoo user mainly, but was trying to find out why the mint site wasn’t working and
ended up here (have a new netbook with a 32gb SSD – not enough free space for Windows
10 to update, even with a 8gb micro)
Just want to say top marks to Clem for personally responding to nearly every post. That is
the mark of a legend.
Neb
Mint was (and still is) something like a sanctuary for me and probably for many. It is where I
feel warm and safe and strong and alive. I absolutely hate the fact that someone took
advantage of this clean and wonderful world of Linux Mint and I personally offer anything
that is in my power to help it get back to all of us.
Tracy
Are downloads elsewhere fine then?
I got mine here:
http://mirror.internode.on.net/pub/linuxmint/stable/17.3/
(http://mirror.internode.on.net/pub/linuxmint/stable/17.3/)
OK

Zoltan
Thanks Clem for taking quick action and being so upfront about this.
I would like to call to everybody reading this to spread the warning to others they might know
using Mint in case they haven’t seen this post. I am afraid many people who use Mint don’t
read the blog here, so they might not be aware of the danger.
If you have access to some linux-related blog, rss feed, etc, then pls share this so it can get
to the people who might have downloaded the hacked isos during this sad day…
chris black
thanks, I checked it out, I still have the USB, the ISO is gone
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
I only found a man.db, I hope it’s ok (I am a total noob, it’s my first linux after 15 years of
windows lol)
Fred Barclay
@bananabob: any chance you didn’t delete those isos? I’d like to examine one if possible. 🙂
Veed
“Edit by Clem: Yes, the breach was made via wordpress. From there they got a www-data
shell.”
OK

“Edit by Clem:Another thing which is going to help is to buy more servers and separate
services even more. That way, if somebody hacks say wordpress, there’s only wordpress on
that server and nothing else.”

—
Speculating:
(cr)acker exploits and gains shell by webserver user (which is www-data as reported)

looks at wp-config.php, uses the username and password in the file to gain a mysql shell
(which is fine since mysql is bound to localhost usually the cracker is the www-data user)

Probably a search made for post wanted (download links) edited from there..
The only things I can suggest are:

– Ensure the webserver user’s shell is /bin/false or /bin/nologin (and not /bin/sh or
/bin/bash)

– Spend some quality time on planning separation of privilege for software. webserver user
should have write access to as little as possible (just wp-content in wordpress))

– Ensure incremental, automated backups are make that are not accessible to the webserver
user

– Usage of chroot jails to really separate stuff.
Sorry this happened! The people who did this were clearly not on a thrill ride – they wanted
backdoored LM installs out there. Scary
Kurt
I updated from 17.2 to 17.3 via the software update link today via the update manager (didn’t
do a clean install from an ISO or USB). Were those affected too?
Wes
If you want to make things better I’d at least do the following:
OK

1) Completely rebuild everything and verify nobody made any changes to the code (I assume
you’re using a vcs like Git so that should be easy)
2) Rebuild everything on a development machine and move the ISO downloads to a separate
server only serving static files (no PHP or MySQL).
3) Make sure your developers are using secure passwords generated by something like
KeepassX
4) Ensure it’s using TLS with HSTS enabled (very important because it makes sure everyone
is using TLS). Also disable outdated ciphers like RC4, etc. Here’s some help
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
(https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations)
5) Provide magnet links or GPG signatures for downloads over https.
Rod Brown
FYI. I am a newbie to Linux Mint and downloaded iso this morning (Sunday in Melbourne
Australia). After this notice found that check sums incorrect and took the recommended
action.
I kept the wget file which had the following address:
http://5.104.175.214/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso
(http://5.104.175.214/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso)
FYI
Ryan
Argh. I just had a minor panic attack after checking the MD5 of an ISO I downloaded Tuesday
(e71a2aad8b58605e906dbea444dc4983)(I figured it was possible that they did an earlier
attack that was missed, so I might as well check the ISO to be safe) and saw it matched the
OK

one listed above. I panicked, started to tell you I had a bad ISO, then re-read the post and
realized it was the MD5 of a clean ISO. I need to get some sleep.
But I’m saying this because I think you should make the post a bit more clear that the listed
MD5s are the SAFE ones.
Yro
Time to retaliate and send shit back… Lets work guys, I know youre here, reading..
Back on topic: Clem, please, consider releasing a new website, but this time in pure html5
and let the forum and blog on a separate hosting, and dev/integratio/talk on another host.
This will cost a little more but will be for the best interest of all.. The ISOs could be on the
default server, the html5 one, or via the partners around the world.
archsiderreal
😀 phew , thank goodness I downloaded via torrent, I just finished downloaded yesterday and
this post really scared me
Aaron E.
I just got a security update install request and downloaded it. Is my machine compromised?
Chair
Could someone upload the backdoor to virustotal.com and post back with the hash? OK

Niko
Hi, hopefully the website is coming back soon. If you need some technical support, don’t
hesitate to contact me! Maybe I can help you out with some Server or Hosting. Just get in
contact with me.

Best wishes

Niko
Some freak
I was literally downloading cinnamon tonite Feb 20 (app. 11-12 EST), Was going very slow
and said 5 hours to go and while viewing http://linuxscoop.com/video/fedora-23-workstation
(http://linuxscoop.com/video/fedora-23-workstation) in another firefox tab got a pop up that
said clickjack attempt. The iso was only half downloaded. In a panic I closed all tabs.

I think its unusual that there was a supposed clickjack attempt while downloading the iso. Its
only the second time I EVER saw that.

Please check what you have and your site’s carefully. Im wondering if I was possibly infected
by an incomplete download because that is a real “coincidence”.

(Just by clicking the link? is that possible?)

Also please update us detailed ASAP
Xan
Clem, I see this blog is currently running WordPress 4.4.2, the latest version. Was the blog
running this version when it got exploited or was it an older version that hadn’t been updated
to 4.4.2 yet? Did you update to 4.4.2 after the exploit happened? Or could the exploit have
been caused by a vulnerable extension/addon/theme/etc? Whatever you find out, report it to
whoever can patch it.
OK

Thank you for transparently reporting this info. Honestly, a lot of organizations that
encounter situations like this would prefer nothing more than to hide it all, deny it ever
happened, or downplay and obscure the seriousness of the damage. Public relations can be
a sick game of deceit sometimes. Thank you for your honesty and openness.
Edit by Clem: I’m answering this on Feb 24th and we have more info. It was a brand new
version of WP with no plugins but using a theme called Sydney. That said, there were already
PHP backdoors on the forums and we think we had lax file permissions too.
zombieland
I second the recommendation to sign all ISOs with GPG and host the gpg sigs and key(s) via
HTTPS. They are after all really small files and are very important! For checksums I’d switch
to using both sha512 and whirlpool.
Darkwolf
I just wanted to say that for all of those requesting that linuxmint.com should have https:// ,
that would do absolutely nothing to prevent all attacks and would be no guarantee that any
information (such as hashes) that is put on the site is legit.
All that does is encrypt the data between the server and the viewer.
It does prevent that data from being sniffed, however if a site is compromised and false
information (such as fake hashes) posted, then having https:// isn’t going to make a
difference.
On the flip side however:
1. The site really should have https:// enabled, as it can help to encrypt data between servers
and those with administrative access to help decrease the chance of MITM attacks and
sniffing. Having no SSL or mixed SSL usage on a site is a recipe for disaster.
OK

2. The fact that http://blog.linuxmint.com/wp-login.php (http://blog.linuxmint.com/wp-
login.php) is even accessible when I checked is REALLY disturbing and probably the
BIGGEST security risk. It’s not that hard to move this to another location. There are even
plugins specifically designed to do this.
3. The even if moving the login page, it should only allow requests to administrative areas
specifically for those that should have access to these areas. It is not hard to have a
modified .htaccess file that denies access to administrative areas for preset IP addresses. If
you need to gain access from a location not in the list, modification of the .htaccess to add a
temporary IP via SSH is easy.
Just a few ideas…
Some freak
While you’re moderating maybe make that link ‘not clickable’ so no one accidentally clicks it…
IDK

thankx
senpai
Sorry to hear you guys got hacked. Thanks for being upfront & honest about what happened.
WordPress does seem to have quite a history for these sorts of incidents. Are there any
plans to move away from it? Perhaps in time? Would more manpower/resource for the
website help? Maybe get someone from the community to do it?
I wouldn’t mind having a crack at it as a volunteer, if your team is interested. Mint’s done a lot
for me, so it’d be nice to give back in some way.
snicky OK

I downloaded and installed 17.3 with Xfce 2 days ago, but have already removed
the ISO. I understand your claim that only the Cinnamon version was hacked, but would still
feel much safer if I can run some checks to confirm my installation is virus-free. Is there any
other way to do this?
Kevin R
I have the same question as Neb above me, I checked the live session and only found
man.db not man.cy, am I safe?
KenWeiLL
As mentioned, only the links to the ISOs are compromised. It was also mentioned on the
comments that repositories we’re not compromised.
But, is there a way to check if our machine is infected or not, with this backdoor?
I do update as soon as there’s an update available. And I just did a kernel upgrade before this
was posted. I wonder if there’s a way for me to check if my system is clean from this kind of
backdoor/infection.
Thanks.
neo
“I wonder if there’s a way for me to check if my system is clean from this kind of
backdoor/infection.”
You might try asking @ http://www.kernelmode.info/forum/
(http://www.kernelmode.info/forum/) OK

The staff there seems to be quite in the know.
Daniele
Sorry to ask, but yesterday i’ve downloaded LMDE2 via torrent. I’m checking the md5 sum
anyway, just in case, but i can’t compare it since the site is down…the terminal says:”
55d22b55687770f7e60013ccf1575baf lmde-2-201503-mate-32bit.iso”. Is that right?
Tom Philips
This underscores a serious problem with Linux Mint’s release integrity.
MD5 is totally broken. It takes only an hour to generate a collision on regular hardware. If
hackers placed backdoored ISOs on your servers that had valid MD5s, it would be hard to
detect. I’m surprised they didn’t attempt a hash collision in this breach. You need to switch to
secure hash functions like SHA256.
Redundancy and community reporting of issues only go so far. You also need a secure way
to prove the hashes are authentic. If hackers changed the hashes listed on your server to
hashes of the backdoored ISOs, this would also make it hard to detect the breach. For
example, this very WordPress blog post could be hacked and the hashes listed above as
“valid” could be changed and none of us would know. Get a PGP key and start signing either
the hashes or the ISOs themselves. Every other serious distro does this, and it’s so easy
there is no excuse for not doing it.
This should never happen again.
Discord
OK

Do you think this could have been a false flag attack by the NSA and/or FBI in connection
with the Kennedy assassination?
Usama
I hope that md5sums and sha256sums could be put on 3rd party external server. maybe git
repository.
I do not think it’s secure to have the ISOs and the md5sums on the same server.
Cal
I downloaded the 64bit mint 17.3 cinnamon through your torrent on the 20th, were those
affected also?
Gösta Rapp
I not have the DVD I burn the ISO so how can I check my installation?

I installed i januari 5 so its maybe is Ok?
Andy Mitchell
Well, this is a damn shame and a bloody pain in the arse for you guys. I’m just double
checking here. I presume that LMDE2 is unaffected by this intrusion. I hope for the sake of
everyone, you get it all cleared up soon – good luck.

Capivara
OK, fast reaction, good work. All we can do now is warn as many people as we can through
as many channels possible.
My ISOs were quite ‘old’, hence not affected.
fragmede
Have you considered releasing a version 17.4 so you can simply say 17.3 is bad and for
users to re-download if they have an iso with that filename?
Ja
What is the possibility this has happened previously on older versions and not just 17.3?
misterch0c
Is there any place security researchers can get either the malicious files or the whole
infected ISO?
Ja
OK

How does this affect apt updates from mint domains? Is it possible for them to modify the
signing key thus allowing malicious updates and downloads?
Chris
@KenWeiLL If you haven’t downloaded an ISO recently and update as usual (through apt-get
or update manager), you should not be affected by this. This is only concerning people, who
downloaded and installed a linux mint ISO recently. (Please also read the past comments –
especially #3 and #8)
Alex
Hello

I made a strange observation. A ping to absentvodka brings the following results
ping absentvodka.com

PING absentvodka.com (127.0.0.1) 56 (84) bytes of data.

64 bytes from localhost (127.0.0.1): icmp_seq = 1 ttl = 64 time = 0.033 ms




^ C

— Absentvodka.com ping statistics —

4 packets transmitted, 4 received, 0% packet loss, time 3000ms

rtt min / avg / max / mdev = 0,033 / 0,046 / 0,051 / 0,009 ms
My 17.3 installation is an upgrade version, so should not be affected.

Does somebody has any idea?
Tommy C OK

Are the torrents on this site OK to download?
http://torrents.linuxmint.com/ (http://torrents.linuxmint.com/)
Ngoro
Hey Clem, can i download the good .iso from here
http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
(http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/)
davidpbrown
Is it still good practice to use MD5 for important signatures?.. sha256sum might provide
more confidence.
Schafdog
@clem I know you are prob. very busy cleaning up (or getting a bit of sleep), but when you
have the time, information on the version of wordpress that lead to breach?
@KenWeiLL:

No easy solution. It’s hard work. You could checksum all files in (relevant) packages and
compare that with another machine with same versions of packages that is known to be
clean, but where do you find that? I think you can assume for now that the repositories
haven’t been compromised.
OK

Liam
What you really need to do is ditch wordpress for hosting downloads, move to a static
website that doesn’t depend on any vulnerable plugins. Get HTTPs to ensure that the correct
page is served to clients (costs nothing thanks to Let’s Encrypt) and sign the ISOs with GPG
keys that are not stored on the server, and enforce verification (like Tails).
Rustey Shackleford
looks like bitcoin miners are none too happy with this:
http://bitcoinist.net/linux-mint-backdoor-puts-users-and-bitcoin-miners-at-risk/
(http://bitcoinist.net/linux-mint-backdoor-puts-users-and-bitcoin-miners-at-risk/)
sorry for double-post, delete the first please
Jerry
I wondered why the site was down this morning. Thought it might have been more server
trouble. Thanks Clem and the team for dealing with this so well and so quickly. It really
makes me mad that some asshole would attack us like that.
MM
BTW. could you please add / fix https to your online services, so the readers are sure, that the
MD5 checksums are valid?
OK

Edit by Clem: Yes, it’s coming. Please don’t trust a page just because it’s https though. That
protects you from your local entourage, but it doesn’t protect you from a server being
hacked.
Paul
I know it is unrelated but maybe this is a warning sign that Mint should turn on level 4 and 5
updates in the updater..
samriggs
Wow this sucks.

Glad you noticed this right away Clem, I installed awhile ago way before the 20th so I should
be good and checked the var/lib folder seems clean but will double check things just be
sure.

Thanks for the very quick response, just good to see that and wanted to shout out a big
thanks for the quick response.

I’ll check back to see when things are cleared up before doing any updates just to be on the
safe side.

Don’t rush it, better to be clean and sure 🙂

Good to be back home
Pingback: PC Fórum
BG
OK

You commented that they got in through WordPress. Not that supricing, WordPress never
had a good securityrecord, but exactly what method did they use to get in? Was the fault on
you because of outdated software, or on WordPress? Also, have you considered replacing
WP with something with a better record like Drupal or maybe no cms at all to reduce the
attacksurface?
Rob
Ok I started downloading it via torrent, but now stopped it until things are correct.

I am concerned about sites I maintain via wordpress hosting, however my servers are on
1and1 so I think 1and1 keeps them pretty safe and I have security plugins, but my wordpress
have been hacked before also, but not since beefing up wordpress security, 1and1 is good in
shutting down the site if it is under attack and alerting me.

Do you have your own server or is it hosted, maybe you should go to hosting that has more
security ? Idk, now I must check my wordpress sites.
Yes linuxmint still down. Ok I will wait until you fix it.
What about updates via my linux mint pcs are these effected, I noticed some posts about
that .??
Kim
What is the timeframe for this shutdown? Is there another way to download it (like a torrent
or something)?
I’m asking because trying out Linux was supposed to be my sunday activity this weekend
Carl Duff
OK

What a scumbag thing to do to such a benevolent project. Appreciate you quickly making the
right decision to inform the public, Clem. Mint has a great reputation for a good reason.
Rob
by the way i notied when submitting my comment, you have wordpress on this blog below,
not good for hackers.. also different table names instead of the default wp_ and not using
admin as a username, and also once hacked recommend malware and virus scanning all
files on the server, and if you are not sure, go way back until you know a file on the server
was not compromised.

I have over 100 sites I manage, this happened to several of them 2 times, until I had more
beefed up security.

do you use bulletproof security, ithemes security, wordfence and other plugins to protect ? I
would also recommend googling for stronger wordpress security, I read these every month
and continue to make my sites stronger

this is a good one, https://premium.wpmudev.org/blog/keeping-wordpress-secure-the-
ultimate-guide/ (https://premium.wpmudev.org/blog/keeping-wordpress-secure-the-
ultimate-guide/)

if you need more advice you probably can see my email, i can recommend some things for
you
B. Rubble
please use GPG and sign the releases from now on! checksums are good for download
verification but GPG Signatures are the real deal!
Mikal L
OK

I hope from now on Clem and Linux Mint developers will take privacy and security a lot more
seriously in terms of not just the website but more importantly the Mint OS as well as
applying security and kernel updates.
Security has to be moved to high on the development agenda and not just the basic
implementations like it is now.
bananabob
Fred Barclay – I still have copies of those ISOs – How do you want me to get them to you?
Clem – That’s OK I understand the problem and all the extra work that is involved.
Moem
If your sentence starts with “I know it is unrelated but”… then is it really worth finishing?
Clem, thank you for your vigilance, it’s appreciated. As for the crackers: may the fleas of a
thousand camels infest these miscreants’ armpits and groin regions.
Mike
Sorry I didn’t get it, the torrents were not affected and direct http version was not affected
either. So what was actually affected?
Edit by Clem: The website itself, i.e. the MD5 and the links pointing to the mirrors (they
weren’t pointing to the mirrors but to the hacked ISO).
OK

Andrea B.
That sucks so bad man! Total support for you Clem and the whole team . I am not using mint
at the moment but i love it and i have used it for many years. As soon as everything is up and
running again and i’ll make a donation to support you guys.
kappazjani
Where we can download 17.3 Cinnamon now?

Or when we will be able?
I want to install it on my PC for some work, and I want to know when it is safe
nik
Are mirrors affected? Or only the links on the website?
Is this clean?
http://mirror.telepoint.bg/ (http://mirror.telepoint.bg/)
pepecrans
Yesterday I downloaded linuxmint-17.3-cinnamon-32bit.iso.

According to the file properties it is from Sat 20 Feb 2016 09:48:42 PM CET
Did md5sum it checks-out ok.

Jumped the gun! :-S

Website must have been compromised after that time
OK

Good luck with resolving the issue!
Daniel Coffey
Facebook is even offering the Hacker side of this issue in its “People Also Shared” list
showing how to compromise the Mint ISO (the blog appeared to be from the Mint 15.x days).
Ken
my MD5sum is ok.
But please clarify:

“Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.”
Is the live session directory /var/lib and the infected file man.cy?
Raf
Dear Linux Mint team,
I´ve downloaded my ISO file on the 19th. Should I be affected by this unfortunate occurence,
that happened to Linux Mint Website?
cat1092
Does this include all of the mirrors whom hosts Linux Mint downloads also? I get all of mine
from the James Madison University site, because in my area, it’s the fastest.
OK

On the other hand, do have a couple of MInt 17 (no point release) & MInt 17.2, which is
usable, yet don’t like, as it takes away much of cpufreq. The answer after I filed a bug, was to
disable Intel_PState, and this would make Mint act as the older versions.
Just scared to do something that may mess up my new CPU, the i7-4790K.
Cat
Gerry
I did download the ISO, and found the man.cy
I installed it to a new partition next to win8 on my secondary laptop with a USB drive.
However, I think I’m lucky because even though I did connect to the network, I was not able
to access any websites due to the DNS service not working (due to a bug?) I was able to ping
IP-s but not able to access any websites.
So didn’t login anywhere on the net, and found this blog post while searching for a solution.
Could you confirm that I’m safe this way?
Thanks,

Gerry
Edit by Clem: Afaik the backdoor couldn’t create the initial connection without DNS
resolution (it tries a list of domain names), so you’re probably safe. Make sure you wipe that
install and destroy that ISO though if it’s not already done.
Alexander
Maybe torrent is an option, as it is harder to hack. As long as the server is down, you cold
publish the torrent files here on the blog so that people who need it can download the ISOs.
OK

kyhwana
bananabob: I’d like a copy of the backdoored iso as well, there seemed to be quite a big size
difference between the legit and backdoored one that wasn’t explained by just that script.
Unfortunately I could’ve grab a full copy from the attackers server before it got taken offline.
Could you upload it to mega or torrent/etc somewhere where we can grab it?
Stéphane Bortzmeyer
Be careful with attribution. The link with Bulgaria is far from obvious. First, the IP address
5.104.175.212 is registered to an ISP in Belize, Verdina (the code BG – Bulgaria – is probably
a mistake since it does not fit the city). The contact (Lyubomir Bambov) is mentioned with an
address in Bulgaria but we all know Internet databases are purely declarative so the Verdina
client could have say anything.
Second, the domain absentvodka.com does not have public data (hidden behind a proxy) so
you cannot really tell.
Third, this domain went (in january) to another IP address in Belize, 82.118.233.119 (Verdina,
again) but now goes to 127.0.0.1, not convenient for remote access.
Andy
Could you please detail the way your website was hacked?
I think this would help other admins alot from not experiencing the same situation.
Felix
OK

Please don’t use md5 for this kind of integrity check anymore. It’s possible for an attacker to
craft a modified ISO with the same checksum as the original.
Do use SHA2-based sums.
plata
Maybe it would be good to have an internet standard for automatic checks of MD5sums in
general. Something like they’re trying for Tails
(https://tails.boum.org/blueprint/bootstrapping/extension/
(https://tails.boum.org/blueprint/bootstrapping/extension/)).
Jvdb
On a dutch tech-site I’m reading about the forum also beïng hacked. Is this true and do we
need to change our passwords?
Jonas Wielicki
Dear Clem,
Thank you for your great work on this Linux distribution and for informing the community
right away. You have my sympathy, I would not want to have to go through what you are
going through right now.
I have a few questions though. First, why don’t you immediately involve the authorities? It
seems the right thing to do; You have been attacked and a potentially large amount of users
could have been affected.
Second, I politely suggest you to read .
OK

Third, could you link the shasums you provided in the comments more prominently in the
post itself? (Also, the mirror server you linked supports HTTPS.)
Fourth, however, I know that this is not your first priority currently, have you looked into
letsencrypt? That should be a safe and quick way to get HTTPS running on the linux mint
websites.
Best regards,

jwi
Peatsy
Clem, regarding:
‘As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If
you downloaded another release or another edition, this does not affect you. If you
downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.’
I’m afraid this is not right. Friday the 20th I downloaded 3 iso’s.
At first a 17.3 64bit XFCE via torrent. Checked the MD5sum: faulty result. Deleted the
download.

Secondly tried a direct download for again 17.3 64bit XFCE. Same problem, incorrect
MD5sum – deleted.

Couple of hours later I downloaded a 17.3 64bit Cinnamon, directly from Heanet. After
checking the MD5sum and getting bad result I deleted and gave up.
I probably should have informed you guys (earlier), which I unfortunately didn’t. Sorry for
that.
Florian
Hello Clem, as a friend and promoter of Linux Mint, I am a bit surprised that in your reply to
Fred Barclay’s Post (#11 ITT) you don’t react at all to his constructive suggestion of using
PGP signatures for download verification, but instead fully ignore it and talk about the oh so
OK

great security of duplicated md5sums.
Cryptographic signing with PGP is the global de facto standard for secure verification of
digital data, which can’t be stressed enough.
On the contrary, posting (known insecure) md5sums on the same (hacked) website
(wordpress!) as the download link itself and not even providing secure https connections, is
IMHO for the very least *grossly negligent* and hard to not interpret as a dead canary.
I am well aware that 100% security is an illusion – and the closer we get, the harder they
fight. But the tools to massively improve it are at our fingertips.
Nevertheless thanks for this great distro!
Regards,
Florian
Danilo
I tried to install Linux Mint 17.3 with a USB installer (pendrivelinux) on the 19th, but it gave an
error with choosing a partition after which I gave up installing it. I tried to redownload it on
the 20th, however again the same error occured, after which I gave up again and today read
this. So I did start up Mint 17.3 (using the USB stick) but when I wanted to install it on my
computer the installer failed me. Should I really reset my entire windows OS for this or is
there no damage done to me? Isn’t there any other way?
lilydjwg
Please do not refer to checksums as signatures, it’s misleading. If the user verifies the (real
in meaning) signatures she can instantly know that bad things happened and keeps safe.
OK

one_question
Are you sure the md5 values in this page did not have been modify?
Community
February 21, 2016 at 12:00 pm (https://blog.linuxmint.com/?p=2994#comment-125026)
Hey team,
I would like to thank you for being open and transparent on this.
This event should be an eye opener in general how important it is to keep the “our basement
safe.
Moreover, I would like to point out that you have reacted extremely fast. Such hacks
generally run through undetected for months. Thank you for this!
I know that you are passing a very shitty time for the moment, even more since you are doing
all this work out of passion for FOSS. Please keep in mind that your are the victims here and
not the wrongdoers.
Please keep the process as transparent as possible and do not hesitate to ask security
people for help.
Good Luck!
Yuka
I’m new to linux, so I have some rather dumb questions. I downloaded the affected iso on my
windows 10 pc. I wanted to install Linux Mint but I haven’t done anything with the iso so far
(neither opened or burned). Is my windows 10 now contaminated as well?
Edit by Clem: No, the ISO file itself isn’t dangerous. What’s dangerous is the backdoor that is
run within the OS included in the ISO when and after it is installed.

xen
Clem, if you still want to use WordPress after this, please consider spending a little time
doing some security hardening of your WordPress installation.

The are several excellent plugins available that will assist in the process, such as iThemes
Security. It may not be enough to keep a determined attacker out, but it will certainly improve
your odds against random script kids and classic exploits.

Better yet, compartmentalize: don’t put WordPress on the same system as anything
important.
Bash64
To cat1092:

I address the cpufreq and Intel PState issues in my ebook.

Its in the Turbo chapter.

You can download it at my website.

http://bettyboopdatabase.atwebpages.com/book/
(http://bettyboopdatabase.atwebpages.com/book/)
Luuk
Maybe you should look into the advertisements on your page too. Is openofflice.padott.com
a serious website or something else?
Good luck

Luuk
OK

zeta
I have installed the hacked version alongside a Windows partition – is it likely that data /
credentials were read from the Windows partition?
X
I’m curious if you have been able to narrow down exactly how the breach happened. I’m
primarily interested if there was a wordpress core exploit, or if the attack was done through a
vulnerable plugin.
senbagaraman
For any good , I downloaded the direct file mint cinnamon 17.3 64bit edition .I have checked
md5sum via terminal and it matches exactly with the value given above .Thanks to the
developers for telling the problems to the user as soon as founding the threat.
Security and vulnerabilities can’t be compromised in this digital world.Take some measures
and good luck for the recovery of our beautiful Os. Make the site up and be running soon.
Thank you once again Developers.
gawain
you’re doing a valiant job Clem and co., and your upfront honesty is refreshing, as indeed is
your vigilance in responding quickly to this. You deserve a cold beer at the end of the day.
OK

Bartek
Are you still going to use WordPress? In this CMS, there are bug on bug.
Does this problem touch oder distro like KDE?
Andy
” Ken Says:

February 21st, 2016 at 10:43 am
my MD5sum is ok.
But please clarify:

“Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.”
Is the live session directory /var/lib and the infected file man.cy?”
Would be very interesting. I got it in the same way.
In my case, I haven’t stored the image file, but installed Linux Mint. That means, if there is no
file called “man.cy” my system is clean, right ?
Thx, Andy
Andrew
Wow, that’s crazy timing… I started downloading mint yesterday (20th), but it was going slow
so I swapped to a different mirror… turns out my download history shows:
http://5.104.175.216/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso
(http://5.104.175.216/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso)
Wanted to download it to see how the backdoor worked, but it’s not there anymore.
Anyone had a look at the back door in question? Interested now.
OK

Eros
Thank you for your segnalation and your control. I like this attention, I do not trust those who
claim to never have problems.
Best regards. Eros.
m8ron
Bad news here… One noob question: if the website is compromised, can’t they modify the
ISO files AND the MD5 signature ?

Additionally, you should change md5 to sh256 or better gpg signature with public keys on an
independent website.
Geoffrey
Yes, I downloaded it from the Kent Uni site. It’s on a USB and I haven’t been able to boot into
it for some reason (options are USB hard drive, USB superdrive). Just done a checksum
check and they don’t match, so will download again.
Trying to breath new life into an HP 8510w.
Geoffrey
Doug
OK

I hope you are able to figure out the issues. Mint is my favorite distribution. I guess since
people are hacking Mint, you are now considered popular!
user
so did you bother to track the back door? where does the rabbit hole lead?
Edit by Clem: The fake ISO in Sofia, the OS backdoor in Sofia also, the guy accessing our
server via the second backdoor from Russia, but when you look at a hole and see somebody
looking at you, you need to figure out who knows more than the other, and if we’re reacting to
their actions it was pretty clear we had to take everything down. The hacker from Russia
(could be a VPN of course) even DDOSed my personal IP to prevent me from taking the site
down. He also took down part of his set up since.
Roland
I DID download and install Linux 32bit Cinnamon yesterday, Feb 20th from a German server.
The md5 checksum was valid. However, there was an error message during install that
caught my attention:
“EDID checksum is invalid reminder is 45” (or so)
I downloaded, burnt and installed twice, I got the same error message each time. Might not
have anything to do with the Bulgarians, but I still wanted to let You know.
I’m new to Linux Mint, and boy is this exciting. I just wanted to create an account on
linuxmint.org to post this, but had to post here instead.
Of course I am wondering if my iso is corrupted, but I’ll probably reinstall either way.
Edit by Clem: Hi, it’s not related. The MD5 sum of the hacked ISO would not match.
OK

GaryJ
What evidence have you got that the attack was via WordPress? If it’s something in core
(extremely unlikely), then you should report it responsibly.
More likely it’s from a poorly coded plugin or theme, which should also be reported
responsibly to the author concerned. Or, it’s due to lax file permissions or other server mis-
configuration.
Either way, accusing WordPress (core) without any further details is detrimental to all.
Edit by Clem: We found an uploaded php backdoor in the theme directory of a wordpress
installation, which was 1 day old and had no plugins running. The theme was new but most
importantly I think we had lax file permissions on this. This was only set up hours before the
attack but we were probably scanned for something like this for a while. Anyhow, we don’t
know yet how it was uploaded but we know it happened there, and I’m certainly not pointing
the finger at anybody. People just asked if we were running wordpress or if wordpress was
used in the attack and I answered yes.
dalibor
hope you will fix this mess up fast…

and hope you switch to joomla

🙂
Tedbax
(sorry, bad english)
Why only the links to the ISOs are changed and not also the displayed MD5 numbers?
Edit by Clem: They could change anything in the database, so both md5s and links to
mirrors.
OK

Dirk
@plata : might come to have a need for encrypted ISO’s, not just checksums…
Hope these guys didn’t hack he update-servers as well. Guess I’ll have to suspend update-
checking for a few days.
Chucklemaniac
Hi, sorry to hear this happened

I downloaded a linux mint 17.3 xfce 64 bit, and wanted to verify the checksum just in case,
however your site is down at the moment.
Is there a way you could get it from somewhere else?
Edit by Clem: Yes, http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
(http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/)
Ilija
Hi,

First of all – thanks for managing this incident so well. Looks like an paid attack. What kind
of hacker could have the motivation to hurt Linux in general? Linux is the number one OS for
hackers. I would suggest you install some kind of a guardian-service that shields your
downloads completely from the rest of your web-presence. Only allowing access through a
“manager” that sits within an virtual network that only can be accessed from within the
virtual network, implementing a background-check for the downloaded files and issuing
some kind of download-tickets. Another service could check the extracted ISO files
(something similar to RKhunter) each hour for file changes.
OK

Edit by Clem: We’ve a bit more information about it now and we think it’s a single individual
with no funding behind the attack. We’ll pass the relay to a security firm now.
Faraday
Are you sure it was the 20th? I have 2 different hashes of 17.3 cinnamon ISOs that I
downloaded 19th morning. I didnt check hash until today.
Edit by Clem: What hashes do you have?
Shulai
Clem, are you aware of this? (Found via Slashdot firehose)
http://news.softpedia.com/news/linux-mint-website-hack-a-timeline-of-events-500719.shtml
(http://news.softpedia.com/news/linux-mint-website-hack-a-timeline-of-events-
500719.shtml)
“Someone with the peace_of_mind username was selling the “Linuxmint.com shell, php
mailer, and full forum dump” for 0.1910 Bitcoin (~$85)”
Edit by Clem: It’s very good. I disagree with the origin of the attack, we found the first
backdoor and it was possible to access the forums database from there. The information
about tsunami is very interesting (not that it’s the time for an evening read, we’re ultra busy
as you can imagine but it’s important we understand as much as possible and this helps).
Regarding the modus operandi I agree as well, we’d spend much more than $85 to stop that
data but without trust nothing can happen. We’re getting ready to purchase 2 or 3 additional
servers so we can split the services and we’ll probably also contract a security firm to look
into the bottom of this for us, we’re software developers not intrusion experts. In the end it’s
going to cost much more than $85.
OK

Moem
Dirk: See comment #3. Clem says the repositories (the update-servers) aren’t affected. So,
no need to suspend updating.
Radish
In some ways it might be good that this has happened. I’m a bit of a newbie to Mint and I like
it a lot. However, I was, and still am, amazed at the attitude to basic security that is often
seen on Mint forums.
Every now and then someone posts into the forums asking why the GUI firewall controller
(GUFW) isn’t installed and activated by default in new installs of Linux Mint. The response,
and this is from people that are real gurus when it comes to Mint, is that this isn’t necessary
– Linux is inherently secure. (This, more of often than not, is stated as a “relative to
Windows” point of view.) This attitude, often expressed by experts, never ceases to amaze
me.
Installing and activating GUFW as part of a new install of Mint, as best as I can see, at the
least enhances security a little bit and is certainly not detrimental to security – on that basis
alone, I would take it as a better than good argument for installing and activating it at the
time of install of Mint. By doing that one thing an additional layer of security would be added
to Mint at the time of install. So why isn’t this done?
I would suppose now that Mint developers will be hardening security for its own servers – all
to the good. However, please don’t leave the end users out of this equation. If Mint can (now)
see the point of hardening its own security why, oh why, can’t that same courtesy also be
extended to the end user as a matter of routine.
Install and activate GUFW at the time of a new install, it makes sense. And maybe, going
forward, do some serious development on GUFW so that it is readily configurable by
(relatively) naive users (like myself). GUFW could be greatly improved just by allowing or
blocking of connections on a per-program/per-process basis.
OK

P.S. I do understand that on the surface this looks like I’m not actually suggesting anything
that is related to the situation with compromised ISO’s. However, I would argue that it does –
there is an attitude that exists in the Linux community that leads to lax opinions around the
area of security. That attitude relates to both these issues and, I would say, really does need
to be addressed. Now would be good time to address it.
Hope this helps.
Elie
I decided to give Linux a try yesterday and downloaded the mint 64 bit. I verified the
signature and it seems I have a hacked copy 🙁 I hope my personal informatiom wasn’t
compromised.
Edit by Clem: Afaik downloading it isn’t dangerous. The backdoor opens when you run it or
after you install it.
Bodies74
Would have compromised any my other computers on my network? Or only the one that I
installed it on?
Edit by Clem: By itself it only creates a backdoor. But from that backdoor, the hacker can
issue commands run by your computer so it’s hard to know what he might do, how much
efforts he might put into hacking you specifically etc. If a computer was hacked on your
network, check what that computer is able to do on other computers on the network.
Sam
Hey Clem, as a Drupal site administrator I feel your pain. Thanks for the transparency.
OK

Have you considered using a static site generator such as Hugo (https://gohugo.io
(https://gohugo.io)) or a similar tool? They are very easy to use and have some fantastic site
templates. The advantage is that all of the CMS features happen on your desktop computer,
and all you have to do is rsync a bunch of automatically generated HTML and CSS files to
your server. Practically impossible to exploit that.
Edit by Clem: That sounds cool, we’ll still need dynamic server pages for the forums of
course but we can look into that at some stage.
plata
I remember clem saying in a discussion about security on IRC that you will lock your door but
not secure it against someone who fires an RPG at it. Maybe the real lesson out of this will
be that Linux Mint has become important enough to fire RPGs after all.
kashu
Why are you still using MD5 to check the signature?
ednong
Hi,

you should make a redirection from linuxmint.org/.com to this post, so everybody can see
what happened.
At the moment I got an error of an unreachable website.
OK

Imp
Did the hackers also have access to password data? Even if it was hashed you probably
should warn users.
Edit by Clem: Yes, I made a separate post for this after it was confirmed as it affects
different people than the hacked ISOs.
Carlson
Thank you for responding to this security issue.
Here are some suggestions to improve security, which can hopefully be included in the next
LTS.
-always show security updates and mark them as trusted;optionally let them install
automatically

-remove flash from the list of default packages
Gaul
Please clarify if the (man.cy)is a file or folder.

The only available in my live ISO is (man-db) but no (man.cy)

Thanks
Edit by Clem: It’s a file, it’s the source code for the backdoor.
hackan
OK

#11 is right: having a hashes file signed is the way to go, as long as the signing key is
trustable (meaning, signed by well-known keys in the community).
In this attack, hashes weren’t affected but if they were, it could’ve been a lot harder to detect!
Also, consider using other hash algo rather than MD5, which has been deprecated for years…
SHA256 is the minimum standard, and the change affects nothing. Even cellphones can
quickly calculate a 2GB SHA256 hash in 1 minute or less.
Of course multiplication and decentralization works, as Clem says, but having an extra check
doesn’t hurt at all…
Cheers and kudos for addressing this quickly, I’m sure many of you didn’t sleep last night,
and many other might have been awakened w/ an urgent bad news… thx to you, guys!
Johan
Can´t you use MintUpdate to push an update to infected computers that removes the
backdoor?
Edit by Clem: We’re still looking into that backdoor. We’ve got the code for it, we know what it
does, we think it portrays itself as being apt-cache and we don’t know everything about it just
yet. It’s important we do before messing with it remotely.
Raymond E.
Hi Clem.
Consider watching this video from late-2013. It says that MD5 is broken. SHA2 or SHA3 were
recommended instead.
Hashing Algorithms and Security – Computerphile: https://www.youtube.com/watch?
v=b4b8ktEV4Bg (https://www.youtube.com/watch?v=b4b8ktEV4Bg)
I’d like to hear your thoughts on this.
OK

chris
could you at the very least post legitimate torrents of the iso I need it…
Habitual
“second intrusion”?
Racerdc
If I updated to 17.3 from the update manager yesterday, should I be concerned?
Edit by Clem: no.
Schafdog
@Radish
Adding a FW does not help if you need to interact with a box through network protocol like
http AND the software (wordpress) has a breach.
However enabling a firewall is a smart move in case you run software that isnt suppose to be
exposed (outside your box or LAN), and I prefer to let ’em hang when I drop the packets (pun
intended).
OK

BigEasy
No housewifes (read newbies for whom Linux Mint is friendly) never watched and never will
neither MD5 nor SHA*. It should be clear to those who just wants to say something about
security. Eeepic fail was inevitable.
Patrick Bulteel
Hi guys,
I’m sorry to hear about the issues you’re having now. The Mint project has been a great way
of getting people onto Linux and I’m sure it’ll keep being that way.
I’m not sure if you’ve heard but letsencrypt.org is a good way of getting https setup with free
ssl certificates. (Brought together by our friends at the Linux Foundation.)
Also it might be worth having a static page in place of the main linuxmint page with a
message. Startup a free instance of AWS to put the page on.
-P
chris
https://ftp.heanet.ie/mirrors/linuxmint.com/stable/17.3/
(https://ftp.heanet.ie/mirrors/linuxmint.com/stable/17.3/) for those wanting it, I checked the
md5 of the 64 bit mine cinnamon iso. Use a md5 checker to verify your download. 🙂
Alen
OK

LinuxMint Trojan in ISO

Recommended

Recommended

More Related Content

Similar to LinuxMint Trojan in ISO

Similar to LinuxMint Trojan in ISO (20)

Recently uploaded

Recently uploaded (20)

LinuxMint Trojan in ISO