Beware of hacked ISOs if you downloaded Linux Mint on February 20th!


66 replies to this topic

#1 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,075 posts
  • OFFLINE
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:11:40 AM

Posted 21 February 2016 - 06:17 AM

I am reposting this here because it's important.

 

Thanks to nuna for bringing this to our attention.

 

http://www.bleepingcomputer.com/forums/t/406036/cheesemakers-linux-corner/page-229

 

 

I’m sorry I have to come with bad news.

We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

Does this affect you?

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

How to check if your ISO is compromised?

If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

The valid signatures are below:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.

What to do if you are affected?

Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.

If you installed this ISO on a computer:

  • Put the computer offline.
  • Backup your personal data, if any.
  • Reinstall the OS or format the partition.
  • Change your passwords for sensitive websites (for your email in particular).

Is everything back to normal now?

Not yet. We took the server down while we’re fixing the issue.

Who did that?

The hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com.

Beware of hacked ISOs if you downloaded Linux Mint on February 20th


Edited by NickAu, 21 February 2016 - 06:23 AM.

Arch Linux .
 
 Come join the fun, chat to Bleeping computer members and staff in real time on Discord.
 
The BleepingComputer Official Discord Chat Server!



#2 Guest_GNULINUX_*

Guest_GNULINUX_*

  • Guests
  • OFFLINE

Posted 21 February 2016 - 06:24 AM

Important: The torrent downloads are NOT compromised!  :wink:
 
Greets!

#3 NickAu

NickAu

    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 13,075 posts
  • OFFLINE
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 21 February 2016 - 06:35 AM

 

Important: The torrent downloads are NOT compromised!  :wink:

OK, you win... this time.

 

 

 

File Sharing (P2P), Torrents, Keygens, Cracks, Warez, and Pirated Software are a Security Risk

The practice of using any torrent, file sharing, peer-to-peer (P2P) program (i.e. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare, Azureus/Vuze, Skype, etc), keygens, hacking tools, cracking tools, warez, or any pirated software is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft.

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/?p=3297086


Edited by NickAu, 21 February 2016 - 06:38 AM.



#4 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 822 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:40 AM

Posted 21 February 2016 - 07:54 AM

I think the important lesson to learn here is that whatever source you use to obtain your ISO file, and whatever means you use to download it, you should always hash check its MD5 or SHA1.

 

Doing so ensures ...

 

  • Your copy has not been corrupted during the download process
  • You have downloaded a clean copy (one free from deliberate modifications by an unknown party)

I expect that there are quite a lot of people who don't perform this quick and simple check, and who then spend a lot of time trying to deal with problems that they wouldn't have had if they had performed the check.
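The checks from the Linux Mint announcement quoted in post #1 (running md5sum against the published list, and looking for /var/lib/man.cy in a live session) and the hash-check advice in the post above, as an added example that is not part of this thread and not Linux Mint's own tooling: a POSIX shell script that verifies an ISO against a checksum list in md5sum/sha256sum output format and inspects a mounted root for the indicator file. The function names verify_iso and check_live_root are this example's own; the list format and the indicator path are the ones the thread gives.

```shell
#!/bin/sh
# Added example, not from the BleepingComputer thread or from Linux Mint:
# verify a downloaded ISO against a published checksum list and look for the
# indicator file named in the Mint announcement (/var/lib/man.cy).
# Function names (verify_iso, check_live_root) are this example's own.
set -u

# verify_iso ISO CHECKSUM_LIST [ALGO]
#   CHECKSUM_LIST: lines in md5sum/sha256sum output format, "<hash>  <filename>"
#                  (a leading '*' on the filename, binary mode, is tolerated).
#   ALGO: md5 or sha256 (default sha256, the stronger of the two mirrors publish).
#   Exit status: 0 match, 1 mismatch, 2 ISO not listed, 3 usage error.
verify_iso() {
    iso=$1
    list=$2
    algo=${3:-sha256}
    if [ ! -f "$iso" ] || [ ! -f "$list" ]; then
        echo "verify_iso: missing ISO or checksum list" >&2
        return 3
    fi
    case "$algo" in
        md5)    actual=$(md5sum "$iso" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$iso" | cut -d' ' -f1) ;;
        *)      echo "verify_iso: unsupported algorithm '$algo'" >&2; return 3 ;;
    esac
    name=$(basename "$iso")
    # Pick the line whose filename (path and '*' stripped) matches the ISO's basename.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); sub(/.*\//, "", f)
          if (f == n) { print tolower($1); exit } }' "$list")
    if [ -z "$expected" ]; then
        echo "$name: not present in checksum list" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "$name: $algo OK"
        return 0
    fi
    echo "$name: $algo MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# check_live_root [ROOT]
#   ROOT is the root of the filesystem to inspect: "/" when booted offline from
#   the suspect medium, or the mount point of an installed system's partition.
#   Exit status: 0 indicator absent, 1 indicator present.
check_live_root() {
    root=${1:-/}
    if [ -e "$root/var/lib/man.cy" ]; then
        echo "indicator present: $root/var/lib/man.cy (treat this image as compromised)"
        return 1
    fi
    echo "indicator absent under $root"
    return 0
}

# Command-line use: ./verify.sh ISO CHECKSUM_LIST [ALGO]
if [ "$#" -ge 2 ]; then
    verify_iso "$1" "$2" "${3:-sha256}"
fi
```

The checksum list is a separate argument on purpose: a list served from the same page that served a swapped download link proves nothing, so it should be taken from a second source (a signed release announcement, a different mirror, or a copy saved earlier). A match only tells you the file is the one the publisher listed; the indicator check is a separate test for the specific modification the announcement describes, and a clean result from it does not rule out other changes.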



#5 Agouti

Agouti

  • Members
  • 1,548 posts
  • OFFLINE
  • Local time:02:40 AM

Posted 21 February 2016 - 11:06 AM

I think the important lesson to learn here is that whatever source you use to obtain your ISO file, and whatever means you use to download it, you should always hash check its MD5 or SHA1.

My thoughts exactly and the very same thing I was saying here.



#6 Guest_GNULINUX_*

Guest_GNULINUX_*

  • Guests
  • OFFLINE

Posted 21 February 2016 - 11:51 AM

Article on The Hacker News :wink:

 

Greets!



#7 nuna

nuna

  • Members
  • 155 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:40 PM

Posted 21 February 2016 - 12:32 PM

As @GNULINUX's link says, the forums database was compromised.

 

 

It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.

The database contains the following sensitive information:

  • Your forums username
  • An encrypted copy of your forums password
  • Your email address
  • Any personal information you might have put in your signature/profile/etc…
  • Any personal information you might have written on the forums (including private topics and private messages)

People primarily at risk are people whose forums password is the same as their email password or as the password they use on popular or sensitive websites. Although the passwords cannot be decrypted, they can be brute-forced (found by trial) if they are simple enough or guessed if they relate to personal information.

Out of precaution we recommend all forums users change their passwords.

While changing your passwords, please start with your email password and do not use the same password on different websites.

 

 

All (Linux Mint) forums users should change their passwords



#8 JohnC_21

JohnC_21

  • Members
  • 23,611 posts
  • OFFLINE
  • Gender:Male

Posted 21 February 2016 - 01:22 PM

Breach made using WordPress. Why am I not surprised.



#9 Guest_hollowface_*

Guest_hollowface_*

  • Guests
  • OFFLINE

Posted 21 February 2016 - 03:32 PM

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
REF: http://blog.linuxmint.com/?p=2994

 

I'm impressed with how fast Linux Mint got on top of this.

I'm wondering which mirror URL the hackers swapped out with their own, or did they just add their own as a new mirror at the top of the list? I tried looking on the Wayback Machine, but it doesn't have an index from Feb 20th.

This is why it is important to check that a hyperlink points you to the site you're expecting it to. With sites like Linux Mint, which I trust, I usually let my guard down and just click. It's also important to choose a mirror you feel you can trust. I usually like to choose mirrors owned by schools. One of the nice things about how my browser is set up is that when I hover over a link I can see the URL. Some of the mirrors have slightly unclear names, and if only an IP is used you're out of luck, but others like "University of Waterloo Computer Science Club" ---> "http://mirror.csclub.uwaterloo.ca/" make it pretty easy to tell you're visiting the site you expected. You can then use a WHOIS service to see who actually owns the main domain, which in this case is "University of Waterloo".

Also shows how important it is to compare checksums, which honestly, I usually don't do, despite being a fan of hashing. Surprised Linux Mint doesn't supply SHA-256 on the download page (only MD5 and SHA-1), but luckily the mirrors do as "sha256sum.txt".

 

Scary stuff.
 



#10 Chris Cosgrove

Chris Cosgrove

  • Moderator
  • 6,550 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:02:40 AM

Posted 21 February 2016 - 05:34 PM

Might have to wait a day or two !

 

As of now the Mint site and the forums are still down.

 

Chris Cosgrove



#11 SuperSapien64

SuperSapien64

  • Members
  • 888 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:40 PM

Posted 21 February 2016 - 07:34 PM

As @GNULINUX's link says, the forums database was compromised.

 

 

It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.

The database contains the following sensitive information:

  • Your forums username
  • An encrypted copy of your forums password
  • Your email address
  • Any personal information you might have put in your signature/profile/etc…
  • Any personal information you might have written on the forums (including private topics and private messages)

People primarily at risk are people whose forums password is the same as their email password or as the password they use on popular or sensitive websites. Although the passwords cannot be decrypted, they can be brute-forced (found by trial) if they are simple enough or guessed if they relate to personal information.

Out of precaution we recommend all forums users change their passwords.

While changing your passwords, please start with your email password and do not use the same password on different websites.

 

 

All (Linux Mint) forums users should change their passwords

I'll make sure to update my password.

 

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
REF: http://blog.linuxmint.com/?p=2994

 

I'm impressed with how fast Linux Mint got on top of this.

I'm wondering which mirror URL the hackers swapped out with their own, or did they just add their own as a new mirror at the top of the list? I tried looking on the Wayback Machine, but it doesn't have an index from Feb 20th.

This is why it is important to check that a hyperlink points you to the site you're expecting it to. With sites like Linux Mint, which I trust, I usually let my guard down and just click. It's also important to choose a mirror you feel you can trust. I usually like to choose mirrors owned by schools. One of the nice things about how my browser is set up is that when I hover over a link I can see the URL. Some of the mirrors have slightly unclear names, and if only an IP is used you're out of luck, but others like "University of Waterloo Computer Science Club" ---> "http://mirror.csclub.uwaterloo.ca/" make it pretty easy to tell you're visiting the site you expected. You can then use a WHOIS service to see who actually owns the main domain, which in this case is "University of Waterloo".

Also shows how important it is to compare checksums, which honestly, I usually don't do, despite being a fan of hashing. Surprised Linux Mint doesn't supply SHA-256 on the download page (only MD5 and SHA-1), but luckily the mirrors do as "sha256sum.txt".

 

Scary stuff.
 

 

I always check the ISO links with Web Of Trust to verify the URL, and I check the MD5 for the LMKDE that I installed on my desktop; it's 9d702816f8180bcab94d8c1fde317af7 http://blog.linuxmint.com/?p=2890



#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home

Posted 22 February 2016 - 09:00 AM

If they are smart, they modify the listed MD5 as well. If you have full access to everything, the MD5 is the easiest thing to fix.

 

Here is another article confirming the forums are hacked:

http://www.welivesecurity.com/2016/02/22/linux-mint-hacked/

(And apparently there were two intrusions, a test run in January and the compromising one in February.)

http://news.softpedia.com/news/linux-mint-website-hack-a-timeline-of-events-500719.shtml

Also interesting.

 

And one on Tsunami:

http://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html

 

regards

myrti


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#13 mremski

mremski

  • Members
  • 493 posts
  • OFFLINE
  • Gender:Male
  • Location:NH
  • Local time:02:40 AM

Posted 22 February 2016 - 09:25 AM

What's old is new again. If you must have public-facing services available on your system, make sure you know what is enabled and what is not. myrti: thanks for the malwaremustdie link, good reading on the forensic piece; I always find the attack vector of a lot of interest.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#14 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 822 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:40 PM

Posted 22 February 2016 - 10:25 AM

 

You can also check for the existence of the /var/lib/man.cy file, and if it's present then you have a vulnerable version.

 

https://superuser.com/questions/1043706/can-my-linux-mint-become-vulnerable-after-updating/1043707

 

https://gist.github.com/Oweoqi/31239851e5b84dbba894



#15 Agouti

Agouti

  • Members
  • 1,548 posts
  • OFFLINE
  • Local time:03:40 AM

Posted 22 February 2016 - 11:21 AM

If they are smart, they modify the listed MD5 as well. If you have full access to everything, the MD5 is the easiest thing to fix.

If I look up the MD5 in the earliest snapshot at the Wayback Machine, can they modify the MD5 there as well?


Edited by Agouti, 22 February 2016 - 11:21 AM.




