Beware of hacked ISOs if you downloaded Linux Mint on February 20th, 2016

grandpaflo

"I'm sorry I have to come with bad news.[1]

We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

Does this affect you?

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

How to check if your ISO is compromised?"

Continued @: http://blog.linuxmint.com/?p=2994

[1] Written by Clem on Sunday, February 21st, 2016 @ 1:44 am

#####

https://news.ycombinator.com/item?id=11142986

https://www.reddit.com/r/linux/comments/46tdcj/beware_of_hacked_isos_if_you_downloaded_linux/
 

sao123

February 21st, 2016 at 2:29 am
Heyo, it seems like the download pages still point to the hacked ISOs.
Honestly, the only reason why I noticed is because I was downloading the ISOs in bulk using wget, I saw a strange IP address and the fact that it was a PHP file.

Anyway, are the download pages going to be fixed anytime soon? I want to burn a CD for an old family friend… He got scammed by the “windows tech support” scammers and I want to show him the joys of Linux Mint!

Edit by Clem: Thanks for reporting this, this is a second attack so it means we’re still vulnerable. I’m shutting the server down right now.

just an update
 

MustISO

I always check the MD5/SHA1 just to be sure but I suppose if the site gets hacked they could easily change those to match the "bad" ISO.
 

Elixer

Ouch, that is troubling, they are going after the popular distros now.

Looks like they need to post SHA1's to another more secure site.

The trojan was to launch a DDoS attack as well.

Someone made a gist of the payload https://gist.github.com/Oweoqi/31239851e5b84dbba894

Side note, this is what always bugged me about phpBB: they should use key authentication for admins.
We basically had the same thing happen to us when one admin's password was guessed. They then modified a PHP file to gain access to the system, and used the server to launch attacks against other servers.
 

Red Squirrel

Sucks someone would attack a Linux distro. Why can't they at least hack the RIAA or MPAA or something. Not that hacking of this nature is ok, but at least pick targets that deserve it.
 

Crusty

I always check the MD5/SHA1 just to be sure but I suppose if the site gets hacked they could easily change those to match the "bad" ISO.

That's why they should also be signed by a PGP key.

edit: or use torrents to download the ISO, the DHT algorithm would prevent someone from altering the files on an already existing torrent network. Granted, now you have to trust the .torrent file somehow, but it's a lot easier/faster to check a small file vs a giant ISO.
 

Red Squirrel

Yeah checking MD5 is mostly to ensure the file did not get corrupted. If someone hacks a site they can easily just change the MD5, PGP or any other type of key. If the MD5 hash was hosted on a completely different server then it's probably safer as the odds of both being hacked are probably more slim.

The good news of all this is how fast The Linux Mint team was able to react to this and advise people.

I see their site is still down, I guess they took the whole server offline till they can figure out how they got in and to secure it.
 

A5

Yeah checking MD5 is mostly to ensure the file did not get corrupted. If someone hacks a site they can easily just change the MD5, PGP or any other type of key. If the MD5 hash was hosted on a completely different server then it's probably safer as the odds of both being hacked are probably more slim.

They should really stop using MD5 at all. Most things have moved to SHA-256.
 

BarkingGhostar

Someone on Ars reported that hashes are available on some mirrors and provided an example. I think it is just as reputable that someone doesn't check the validity of their d/l as those providing them.
 

Crusty

They should really stop using MD5 at all. Most things have moved to SHA-256.

Fortunately, for this purpose it really doesn't matter; nobody is trying to brute force a hash value here. Hashing is not the same thing as encrypting, and using SHA vs MD5 would not have changed a single thing in this case.

In order to prove authenticity of the hash value there should be asymmetrical encryption happening so that the person publishing the hash can also prove that they are indeed the real source of the hash or that they have not tampered with the value of the hash.
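Crusty's point above (publish an asymmetric signature over the hash list, so that a compromised web server which rewrites both the ISO and its MD5/SHA line, the scenario Red Squirrel describes, still cannot forge it) as an added Go example; it is not from the thread or from Linux Mint. Ed25519 from Go's standard library stands in for the distro's GPG release key, the image bytes are constructed, and `Release`, `publish` and `verify` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is what a mirror hands out: image, published hash list and a detached
// signature over that list. Ed25519 stands in for the distro's GPG release key.
type Release struct {
	ISO     []byte
	HashTxt string // "<hex sha256>  linuxmint.iso\n", like a sha256sum.txt
	Sig     []byte // signature over HashTxt, not over the image
}

var errBadSig = errors.New("hash list is not signed by the pinned release key")
var errBadHash = errors.New("image digest does not match the signed hash list")

func hashLine(iso []byte) string {
	sum := sha256.Sum256(iso)
	return fmt.Sprintf("%x  linuxmint.iso\n", sum[:])
}

// publish signs the small hash list; the downloader verifies that file first
// and only then trusts the digest inside it to judge the large image.
func publish(priv ed25519.PrivateKey, iso []byte) Release {
	txt := hashLine(iso)
	return Release{ISO: iso, HashTxt: txt, Sig: ed25519.Sign(priv, []byte(txt))}
}

// verify is the downloader's side. The public key is pinned out of band, so a
// compromised web server cannot swap it together with the image and hash file.
func verify(pinned ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pinned, []byte(r.HashTxt), r.Sig) {
		return errBadSig
	}
	if r.HashTxt != hashLine(r.ISO) {
		return errBadHash
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := publish(priv, []byte("genuine image bytes")) // constructed stand-in for an ISO
	// Site compromise as in this thread: image swapped, hash rewritten to match.
	evil := Release{ISO: []byte("backdoored image bytes"), Sig: good.Sig}
	evil.HashTxt = hashLine(evil.ISO)
	fmt.Println(verify(pub, good), "|", verify(pub, evil))
}
```

A bare `sha256sum -c` would accept the tampered release, because the attacker rewrote the digest to match; only the signature check, anchored in a key the server never held, rejects it.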
 

Elixer

You would think they would automatically reset the password...

The Linux Mint forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted (hashed and salted) copy of your password from the forum database.

If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.

Please also take the time to change your forums.linuxmint.com account password.

For any queries or questions related to this incident, please visit the following topic:

https://forums.linuxmint.com/viewtopic.php?f=60&t=217506

They tell you to check with https://haveibeenpwned.com/ ... and who runs that site?
I'm Troy Hunt, a Microsoft Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight.

I created Have I been pwned? as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.

Short of the odd donation, all costs for building, running and keeping the service currently come directly out of my own pocket. Fortunately, today's modern cloud services like Microsoft Azure make it possible to do this without breaking the bank!
 