It was a lousy day for Linux Mint, a popular Linux desktop distribution. Clement Lefebvre, head of Linux Mint, revealed that the Mint web site had been hacked.
Lefebvre wrote on Sunday, "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it."
Specifically, the hacker, whom we now know goes by Peace, cracked into the site via a security flaw in a WordPress plugin. Once there, according to Lefebvre, "they got a www-data shell."
Inside the site, Peace edited the download page. The result was that when a user tried to download the 64-bit version of Linux Mint 17.3 with the Cinnamon desktop, the most popular edition, they were directed to a rogue download server.
Once there, a user would be sent a hacked copy of Mint containing the Tsunami malware program. This backdoor enables the controller to remotely access the system. When used in a botnet, Tsunami has often been used in distributed denial of service (DDoS) attacks.
Scary stuff, but the good news is that Linux Mint users spotted the problem early. Lefebvre took down the site to prevent the polluted Mint ISO images from being distributed any further.
Lefebvre reported that while the hackers were ready to deploy a corrupted 32-bit version of the Linux Mint 17.3 with the Cinnamon desktop, they did not redirect those links. None of the other versions of Linux Mint were affected.
If you tried to download Linux Mint directly from the Mint web site or from BitTorrent, you're safe. You also can't get infected by patching your already good Mint desktop.
In short, the only way you could have gotten a bad version was if you used a mirrored site to download the 64-bit version of the Linux Mint 17.3 with the Cinnamon desktop on Saturday.
To make sure your copy of the Linux Mint ISO is safe, run the command "md5sum yourfile.iso" from a Linux shell (replacing "yourfile.iso" with the name of the downloaded file).
The following are the valid MD5 signatures:
If you see a different alphanumeric signature, delete the file. It's either corrupt or infected. In either case you don't want it.
Already have the ISO on a DVD or USB stick but you haven't installed Mint yet? Then, disconnect your PC from the Internet and start up a Mint live session. Once in the live session, look for a file at "/var/lib/man.cy". If you see one, you have an infected ISO. Then, toss the DVD or reformat the USB stick as needed.
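The two checks above, the checksum comparison and the look for the indicator file, combined into one script. This is an added example, not code from the article or from the Linux Mint project; the checksum values in KNOWN_GOOD are placeholders to be replaced with the ones Mint published, and the function names are my own.

```shell
#!/bin/sh
# Added example: verify a downloaded Mint ISO against published MD5 values,
# then check a live-session root for the indicator file the article names.

# PLACEHOLDER digests (not real): one "MD5  filename" pair per line.
# Replace with the checksums published by Linux Mint before relying on this.
KNOWN_GOOD="00000000000000000000000000000000  linuxmint-17.3-cinnamon-64bit.iso
11111111111111111111111111111111  linuxmint-17.3-cinnamon-32bit.iso"

# md5_of FILE: print the MD5 hex digest (GNU md5sum, or BSD md5 as fallback).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_iso FILE [LIST]: 0 if FILE's digest is in LIST (default KNOWN_GOOD),
# 1 otherwise. Only the digest is compared, so a renamed download still
# verifies; any mismatch means the file is corrupt or tampered with.
verify_iso() {
    file=$1
    list=${2:-$KNOWN_GOOD}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    digest=$(md5_of "$file")
    if printf '%s\n' "$list" | cut -d' ' -f1 | grep -qix "$digest"; then
        echo "OK: $file matches a published checksum ($digest)"
        return 0
    fi
    echo "MISMATCH: $file has MD5 $digest; delete it" >&2
    return 1
}

# check_live_root ROOT: 1 (infected) if ROOT/var/lib/man.cy exists, else 0.
# Use ROOT=/ inside an offline live session, or a mounted USB/ISO root.
check_live_root() {
    root=${1:-/}
    if [ -e "$root/var/lib/man.cy" ]; then
        echo "INFECTED: found $root/var/lib/man.cy" >&2
        return 1
    fi
    echo "clean: no $root/var/lib/man.cy"
    return 0
}

# Usage: verify_iso yourfile.iso && check_live_root /
```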
Let's say you're one of the few hundred who were infected. If that's your sad case, take the following steps:
It's a nuisance, but it shouldn't take long and very few of you will need to do this.
More troubling for most of us is that the hacker also stole personal data from the web site's forum. The hacker swiped the data twice: once on January 28, and once on February 18, two days before the hack was confirmed.
This data includes:
The real problem here is that the passwords were hashed with phpass, the popular WordPress password-hashing library that is no longer considered secure. If you used a weak password, it's all too likely that a cracker can recover it with a program such as phpass-crack.
The real security problem isn't the fewer than a thousand people who may have downloaded the corrupt ISO. The real issue is the more than 70,000 people who've had their information exposed.
You can check to see if your data has already been revealed to the world on the Have I Been Pwned web site. Even if this gives you a clean bill of health, you should still reset your Mint password. Once, that is, the site is back up.
As of Monday the web site is still closed.
If you've used that same password on multiple sites, you'll want to change those passwords as well. Based on my long, bitter experience with security, I'm sure many of you are using the same password on multiple sites.
Once that's done, you'll be fine and ready to face the next security threat. We can be dead certain there will be another one.