Hackers breached the Linux Mint website, Linux noted in a blog posting today. The Linux Mint 17.3 Cinnamon is the only compromised edition to the best of the company’s knowledge. Users who downloaded another edition or release are not affected. Users who downloaded via a direct HTTP link or via torrents are not affected either.
Since the breach occurred today, it should not affect users who downloaded the edition on Feb. 20.
Linux Gives Corrective Action
Users who still have the ISO file are instructed to check the MD5 signature posted on the blog with the “md5sum yourfile.iso” command where “yourfile.iso” is the ISO name. The blog page lists the valid signatures.
Those with the burnt DVD or USB stick should boot a virtual machine or a computer offline with it and let it load the live session. Users are encouraged to turn off their router if they are in doubt.
After the live session starts and there is a file in “/var/lib/man.cy,” the ISO is infected.
If the ISO is infected, the user should delete it. If they burnt it to a DVD, they should trash the disc. If burnt to the USB, the user should format the stick.
For those who installed the ISO on a computer, they should take the computer offline, back up personal data, reinstall the OS or format the partition, then change passwords for sensitive websites.
Linux took the server down while fixing the issue.
Entry Via WordPress
In response to a question, the blog’s editor said the hackers made the breach via WordPress.
The posting noted the hacked ISOs are hosted on 220.127.116.11 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and there are three persons’ names. The motivation for the attack is unknown.
The posting said Linux will contact authorities if attacks continue.
People are still debating the hackers’ point of entry, according to Softpedia. While Clement Lefebvre, leader of the Linux Mint project, said the initial entry point was their WordPress blog, Softpedia noted that Yonathan Klijnsma, senior threat intelligence analyst at Dutch security firm Fox-IT noticed a few hours prior to Linux’s announcement that someone placed an ad on TheRealDeal Dark Web marketplace. Someone using the username “peace_of_mind” was selling “Linuxmint.com shell, php mailer and full forum dump” for 0.1910 bitcoin.
TheRealDeal Dark Web marketplace website was not accessible at 1:15 p.m. Eastern Standard Time.
Also read: New ransomware targets Linux powered websites
MD5 Signatures Must Be Checked
The incident reminds users of the importance of checking MD5 signatures for critical downloads, according to Tim Anderson, writing in The Register. He said it is also important to be sure the MD5 signatures are from a trusted source instead of one hackers could have modified. These signatures are posted in more than one place in the case of a popular Linux distribution. Hence, signature consistency signals that something could be wrong.
Image from Shutterstock.