[BreachExchange] FAQ: What the heck happened to Linux Mint?

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 2 20:10:58 EST 2016


http://www.networkworld.com/article/3040247/linux/faq-what-the-heck-happened-to-linux-mint.html

Linux Mint is one of the most popular desktop distributions of Linux in the
world, so when the organization suffered a serious security breach
<http://www.csoonline.com/article/3035743/security/linux-mint-hacked-compromised-data-up-for-sale-iso-downloads-backdoored.html>
late last month, it made waves in the open-source community.

*Q. What, exactly, happened?*

On Saturday, Feb. 20, somebody noticed that the download link for certain
versions of the operating system on Mint’s official website had been
changed. The fiddled-with link now pointed to a malicious website, hosted
in Bulgaria.

*Q. So what did this malicious website try to do?*

It served up what appeared to be the file that people were trying to
download – a disk image for installing Mint. However, it was a hacked copy,
which included a backdoor into the installation. Simply put, if you
installed Linux Mint using one of these corrupted images, you gave the
hackers a direct line into your computer.

*Q. Is that a complicated operation?*

It sure was. In addition to creating the hacked version of Mint, the
attacker had to compromise the website to ensure that the compromised
copies could be distributed. So that’s a couple different moving parts to
worry about. And while the whole thing was going on, the attacker grabbed
complete copies of Mint’s forum data, including personally identifiable
information and crackable passwords, selling the information online.

*Q. How many installs were affected?*

Hard to say exactly, although Level 3 Communications estimates in an
analysis of the attack
<http://blog.level3.com/security/the-linux-mint-backdoor-how-bad-was-it/>
that “hundreds of users” may have downloaded the corrupted disk image.

*Q. Who did it?*

Apparently, a hacker going by the handle “Peace.” Peace gave an interview
to ZDNet reporter Zach Whittaker
<http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/>,
in which he or she explained that the idea was mainly just to get access to
as many computers as possible, possibly for a botnet. Peace first gained
access to the site in January, via a security vulnerability in a WordPress
plugin.

*Q. What did Mint do about it?*

To its credit, the Mint team was pretty open about the whole thing, warning
users as soon as they were aware of the hack and eventually taking down the
site in order to halt the spread of the corrupted disk images.

*Q. If I downloaded and installed Mint during the time the site was
affected, how do I know if I’m vulnerable?*

If you’ve got the .iso file still handy, you can compare the MD5 checksum
to the one for legitimate copies listed at the official Mint blog
<http://blog.linuxmint.com/?p=2994>. If not, check to see whether there’s a
file in the folder /var/lib/man.cy. If the folder is empty, you should be
OK. However, if there is a file in there, you probably have the compromised
version, and should back up your personal data before wiping the hard drive
and reinstalling your operating system.
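The two checks described in that last answer, written out as an added example (this is not part of the original post, the Network World article or the Linux Mint project's own tooling). It assumes GNU coreutils `md5sum` is available, and the function and variable names (`verify_iso_md5`, `marker_dir_clean`) are my own; the marker directory defaults to the `/var/lib/man.cy` path the article names but is a parameter so the function can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example, not code from the article or from Linux Mint.
# Step 1 of the FAQ: compare the downloaded ISO's MD5 with the value
# published for legitimate copies.
# Step 2 of the FAQ: on an installed system, look for files in
# /var/lib/man.cy, which the backdoored images are said to leave behind.

# verify_iso_md5 FILE EXPECTED_MD5
# Returns 0 when FILE's MD5 equals EXPECTED_MD5 (case-insensitive), 1 otherwise.
verify_iso_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# marker_dir_clean [DIR]
# DIR defaults to /var/lib/man.cy. Returns 0 when DIR is absent or empty
# (the article's "you should be OK" case) and 1 when it contains anything.
marker_dir_clean() {
    dir=${1:-/var/lib/man.cy}
    [ -d "$dir" ] || { echo "OK: $dir does not exist"; return 0; }
    if [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "WARNING: $dir is not empty; treat this install as compromised" >&2
        return 1
    fi
    echo "OK: $dir is empty"
    return 0
}

# Usage (placeholder values; take the real MD5 from the Mint blog post):
#   verify_iso_md5 "$HOME/Downloads/linuxmint.iso" "<md5 from blog.linuxmint.com/?p=2994>"
#   marker_dir_clean            # checks /var/lib/man.cy on the running system
```

A non-zero exit from `verify_iso_md5` means the image is not the one the project published and should not be installed; a non-zero exit from `marker_dir_clean` is the article's "back up and reinstall" case. MD5 is no longer collision resistant, so where a project also publishes SHA-256 sums or a signed checksum file, check those in preference (swap `md5sum` for `sha256sum` in the function); a matching digest only proves the file is the one the project published, which is why the second check on the installed system is still worth running.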