Beware Of Hacked Linux Mint ISOs

HardOCP News

The Linux Mint Blog is warning that anyone who downloaded a copy of the 17.3 Cinnamon edition over the weekend could be compromised by hackers. Clem Lefebvre, the creator of Linux Mint, had this to say:

I’m sorry I have to come with bad news. We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

Does this affect you?

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
 
Wow; hack the install ISO image. Really, that is brilliant. If only these guys used their powers for good instead of evil.
 
Linuxmint.com used an old unpatched version of WordPress and ancient phpBB, which allowed the attackers to get www-data access.
 

Just goes to show the importance of patching your shit! :p

I wonder why these weren't automatically updated using the apt package manager?
 
Modern WordPress does auto-patch vulnerabilities... They must have really been rocking an old version. But it goes to show, can you really keep up with everything? Manage a Linux distro, fail at managing the website.
 
And the best part is, you STILL don't know for sure if it's completely clean. They made a best-effort to remove the malware, but it is possible to sneak things past even the best tools.

That's the problem with trust these days, there's really none of it remaining.
 
This serves as a lesson - never assume anything is secure. Too many people just assume what they are downloading is secure, because it comes from a "reputable" source, or just don't think about it at all.
 

You mean the ISO or the site?

As far as the ISO goes, I'd imagine they re-hosted an offline copy, and rechecked against original checksum.

As far as the forums and website go, I'd imagine this would be a wake-up call for a fresh install. They'd obviously restore the forum database, but everything else would probably be fresh.

It's really odd to me, because they would have had to disregard the principles of using the auto-patching package manager they use in the distribution they manage for something like this to happen.
 

It wasn't their ISO that was hacked...their website download links got hacked to point to a compromised ISO at a completely different hosting location.
 
The Linux Mint bulletin board database was on sale on the darknet for 2 months prior to this being found out, so all bets are off...
 


It is called a hashsum check.
 

Can't you cause a collision with md5? Not that it matters because this was a redirect, not a hack embedding malicious code into the image as I originally interpreted things.
 
Yes, but that's why hashes should be SHA256 these days.
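The "hashsum check" the two posts above are talking about, written out as an added example (this is not code from the Linux Mint project or from anyone in this thread). It assumes the checksum list is in the usual `sha256sum -c` text format, one "<hex digest>  <filename>" per line, and it refuses to treat an MD5 or SHA-1 sum as proof of integrity unless explicitly told to. The demo file contents at the bottom are constructed; in real use the checksum list must come from a channel you trust independently of the download mirror, since an attacker who can swap the download link can usually swap the sums published next to it too.

```python
"""Verify downloaded ISO images against a published checksum list.

Added example, not Linux Mint project code. Assumes sha256sum-style
manifest lines and that the manifest itself was obtained out-of-band.
"""
import hashlib
import hmac
import io
import os
import sys

# Map hex digest length -> algorithm name accepted by hashlib.new().
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Sums from these algorithms are reported, not trusted: MD5 collisions are
# practical and SHA-1 is deprecated, so a match proves little.
WEAK_ALGOS = {"md5", "sha1"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory blob (used to build test manifests)."""
    return hashlib.sha256(data).hexdigest()


def digest_stream(stream, algo: str, chunk_size: int = 1 << 20) -> str:
    """Hash a binary stream in chunks so a multi-GB ISO never sits in RAM."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse manifest lines into {filename: (algo, hexdigest)}.

    Accepts both the "  " (text mode) and " *" (binary mode) separators that
    the coreutils tools emit; blank lines and '#' comments are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        bad_hex = any(c not in "0123456789abcdef" for c in digest)
        if not name or len(digest) not in DIGEST_ALGOS or bad_hex:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = (DIGEST_ALGOS[len(digest)], digest)
    return entries


def verify(manifest_text: str, files: dict, allow_weak: bool = False) -> dict:
    """Return {filename: status}; status is OK, MISMATCH, MISSING or WEAK_ALGO.

    `files` maps filename -> bytes (handy for tests) or an open binary stream.
    """
    results = {}
    for name, (algo, expected) in parse_manifest(manifest_text).items():
        if name not in files:
            results[name] = "MISSING"
            continue
        if algo in WEAK_ALGOS and not allow_weak:
            results[name] = "WEAK_ALGO"
            continue
        data = files[name]
        stream = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
        actual = digest_stream(stream, algo)
        # Constant-time compare: not strictly needed for a public digest, but
        # it is the habit worth keeping whenever two secrets-shaped strings meet.
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Usage: python verify_iso.py sha256sum.txt image1.iso [image2.iso ...]
        with open(sys.argv[1], encoding="utf-8") as fh:
            manifest = fh.read()
        handles = {os.path.basename(p): open(p, "rb") for p in sys.argv[2:]}
        try:
            outcome = verify(manifest, handles)
        finally:
            for h in handles.values():
                h.close()
    else:
        # Constructed demo data: a "good" image and a tampered copy.
        good = b"constructed ISO payload, stands in for a real image"
        manifest = sha256_hex(good) + "  demo.iso\n"
        outcome = verify(manifest, {"demo.iso": good + b"\x00backdoor"})
    for name, status in outcome.items():
        print(f"{status:10} {name}")
    sys.exit(0 if all(s == "OK" for s in outcome.values()) else 1)
```

With no arguments the script runs the constructed demo and reports `MISMATCH`, which is exactly what a user who fetched the sums from a trustworthy place would have seen against the swapped 17.3 Cinnamon image.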
 
Mint made themselves a target with that political pow-wow some time back. He tried to retract it, but that's hard to do on the internet.
 
I use Mint for work/utility purposes. So whether I use a brand new ISO, or one from 3 years ago, it really doesn't matter either way to me. I'm using 17.0 Qiana at work. It is my Linux flavor of choice though.

They are very popular though, so this doesn't surprise me one bit.
 

Stuxnet in a nuclear doper. Evil Shit (TM) in hard drive firmware. Surprises in your router's firmware. Surprise in an antivirus update.
The only way I know is
a) have at least one locked down, bare metal, securely imaged for future re-use 'known good OS' with 'known good HW'.
b) Tap yourself into somewhere between your UTM/Gateway and the Provider's end and author the most insanely complicated filters and rules as well as insanely verbose logging of all network traffic.
Obviously you won't be able to just 'throw it in' like it was an ordinary appliance because even a small (50?) stations network will simply fill your buffers before you can get to them. This should be done from the ground up to 'teach' the network analyzer what's legit traffic and what's not
c) If you're one of the four people who cared enough, you still have an unlimited amount of heuristic checks to conjure up in order to pick up attacks formed as legitimate traffic. How will you find your 'Guy Fawkes' enthusiast in the building if his 'tool' can disguise the DDoS requests, stagger them in time etc.?
The amount of cross-referencing against logged events, infrastructure events, manpower related events is truly INSANE.


Yes, MD5 is prone to collisions and there are ready made tables for decoding simple things. Yes, it would be possible to find a combination of malicious and non-malicious code so friggin fortunate you could disguise it thanks to a sum collision. Super rare. Almost impossible, but possible.
A kilobyte long AES key is no longer overkill :O
 

I've used Mint distros in the past and really like Cinnamon, but the last couple of times I tried them I found the distro only supported older (read: buggy) versions of some key software, and you would have to do workarounds to get the newer version working. No thanks.
Went to Xubuntu.
 
Google "linux mint political agenda".

Ahh,

I gather this drew some outrage from the "Any criticism of the state of Israel or its government automatically means you are antisemitic and a racist" crowd?

I don't find his comments off-putting. I generally would agree that Israel's mistreatment of the Palestinian people, and the continued building on occupied territories, is a big problem, counter-productive to the goal of peace in the region (and a large reason why they piss them off to the extent that they attack Israelis, and also serves as a rallying cry for militant jihadists around the world). Where he went astray was implicating everyone in Israel who might want to use or donate to Mint as part of the problem. Israel is like any other country, in that there are differing political views and opinions about how their country should react to outside threats, and there are many who live there who disagree with these policies as well. It would have been better if he limited his critique to the actions of the Israeli government.

Actually, it would have been better if he refrained from using his position within the Mint project to spread his own political beliefs to begin with. Say what you want on the side, or on your own blog, but don't pull a major software project into the mix. That's kind of unprofessional.

Anyway, this happened in 2009, that's why I missed it. I fell off the internet for a few years there.... That's 7 years ago now though!

It seems odd that a hacker motivated by his political stance would wait 7 years and then strike :p
 