If you downloaded Linux Mint over the past week-end, you may have downloaded a compromised build as hackers managed to take over their website on 20 Feb 2016 and distribute ISOs with backdoors.
If you also have an account on their forum (forums.linuxmint.com), you may want to change your password as their database was compromised too.
You can read more here:
http://blog.linuxmint.com/?p=2994
and
http://blog.linuxmint.com/?p=3001
-
katalin_2003 NBR Spectre Super Moderator
-
ALLurGroceries Vegan Vermin Super Moderator
Hacker explains how he put "backdoor" in hundreds of Linux Mint downloads
http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
-
"The hacker shared a portion of the forum dump, which we verified contains some personally identifiable information, such as email addresses, birthdates, profile pictures, as well as scrambled passwords.
Those passwords might not stay that way for much longer. The hacker said that some passwords have already been cracked, with more on the way. (It's understood that the site used PHPass to hash the passwords, which can be cracked.)
Lefebvre confirmed on Sunday that the forum had been breached.
It later emerged that the hacker had placed the "full forum dump" on a dark web marketplace, a listing we were also able to verify that exists. The listing was going for about 0.197 bitcoin at the time of writing, or about $85 per download."
This is the first notice I saw this weekend:
http://thehackernews.com/2016/02/linux-mint-hack.html
http://blog.linuxmint.com/?p=2994
And, some good news about the forum, it's down, and won't come up until it's hosted from a new server with a secure form of password protection.
http://blog.linuxmint.com/?p=3001
"90% of my passwords are different and complex, including my forums password, and the forums are also currently down. Should I change my password once they go back up?
Hope WordPress can fix the bug
Edit by Clem: The forums will likely go back up on a different server, with a policy to enforce strong passwords and with all accounts required to change their password before being able to login (we’ll need to check how that’s done with phpBB but that’s the intention)."
Last edited: Feb 23, 2016
-
ALLurGroceries Vegan Vermin Super Moderator
Here's a copy of the IRC bot backdoor for anyone interested:
https://gist.github.com/Oweoqi/31239851e5b84dbba894 -
Well then...
I still like Linux Mint but this might give me pause before recommending it to people in the future (although, at the same time, hopefully this won't be an issue again anytime soon). -
i_pk_pjers_i Even the ppl who never frown eventually break down
-
Linux source code is vast, with lots of supporting development and build utilities, libraries, system and user commands, with multiple infection points besides the initial installation ISO.
As a single failure point, the ISO download infection is pretty easy to spot, it didn't take long to notice the problem, fix it, and get the word out.
Last edited: Feb 29, 2016
-
ALLurGroceries Vegan Vermin Super Moderator
@S.Prime problem is the hashes posted on the website were updated by the cracker to match their ISOs with the backdoor
I think downloading an official torrent is probably less open to this kind of attack since the hashes are distributed.
-
I love that this happened just a few weeks before I decide to get back into Mint, the only distro other than Puppy that I find relatively functional...basically validating my worst fear that Linux security is inversely related to popularity and user-friendly functionality.
-
ALLurGroceries Vegan Vermin Super Moderator
There's an important difference between OS security and distro release security.
-
-
ALLurGroceries Vegan Vermin Super Moderator
Distro release security in a nutshell references the ways that an ISO or packages get to you. In this case the webserver hosting the official ISOs was compromised, and so were forums. This concerns the distribution channel of the OS software, not the OS software itself. In this case there wasn't much you could do to tell the ISOs were backdoored, since the webpages were updated to reflect the hashes for the bad ISOs. After that ISO is installed release security involves the signing mechanisms of the updated packages that are installed onto your system. In order for these updates to be compromised, the private keys of the developer(s) would have to be stolen.
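The point made in the posts above (a hash copied from the same web page that served the ISO proves nothing once that page is altered, while hashes distributed through other channels expose the swap), as an added example that is not part of the original thread. The channel names, the quorum value and the byte strings are constructed assumptions.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_image(image: bytes, published: dict, quorum: int = 2) -> dict:
    """Compare an image's SHA-256 with hashes gathered from separate channels.

    published maps a channel name to the hex digest that channel lists.
    """
    digest = sha256_hex(image)
    agree = sorted(c for c, h in published.items() if h.strip().lower() == digest)
    differ = sorted(c for c, h in published.items() if h.strip().lower() != digest)
    if differ:
        verdict = "conflict"    # channels disagree: do not install, investigate
    elif len(agree) >= quorum:
        verdict = "accept"      # enough independent channels vouch for the image
    else:
        verdict = "unverified"  # hash matches, but only one channel says so
    return {"verdict": verdict, "agree": agree, "differ": differ}

# Constructed stand-ins for ISO contents (not real images).
GENUINE = b"constructed stand-in: official ISO bytes"
MODIFIED = b"constructed stand-in: ISO bytes with an added backdoor"

# Hypothetical channels. The website entry models a page whose listed hash
# was edited to match the modified image, as described in the thread.
WEBSITE_ONLY = {"website": sha256_hex(MODIFIED)}
ALL_CHANNELS = {
    "website": sha256_hex(MODIFIED),
    "torrent": sha256_hex(GENUINE),
    "mirror": sha256_hex(GENUINE),
}
TWO_GOOD = {"torrent": sha256_hex(GENUINE), "mirror": sha256_hex(GENUINE)}

if __name__ == "__main__":
    # Website hash alone: the modified image "matches" and nothing looks wrong.
    print(check_image(MODIFIED, WEBSITE_ONLY))
    # Cross-checking other channels surfaces the disagreement.
    print(check_image(MODIFIED, ALL_CHANNELS))
    print(check_image(GENUINE, TWO_GOOD))
```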
-
That's the part I get.
-
Depending on who you are and what your business model is, one could argue that consumers are less sensitive/important users to protect.
Last edited: Mar 29, 2016
-
And from my perspective as a new user, I don't even know what to look for or how to know if my system is being compromised. At least with Windows I have a clue, but for all I know every teenaged hacker in the country is following my every move on Mint. And Linux is not that quick and easy of an OS to get to know, especially when all you know is Windows. At this very moment my typing is slow and erratic and keeps freezing up, and 2 of my CPUs are pushing 100% when all that's open are Tbird and Firefox. Should I be worried or is this just something that needs tweaking?
-
ALLurGroceries Vegan Vermin Super Moderator
Look at the output of the top command and see what is tying up your CPU. Also see how much memory is used with free -m. If you have htop installed that is a great program to use for investigating all kinds of system usage statistics.
-
@Wayne99
FF has been creating mad CPU load for quite a while. And memory leaks as well. I don't dare to leave FF running overnight now if I ever use it.
If you think you'll "have a clue" with any OS being compromised, you're being unnecessarily optimistic.
@ALLurGroceries If Wayne99 can see CPU load I think there's already a GUI system monitor running, which might be better for him.
Last edited: Mar 29, 2016
-
I like top, I was wondering how to get a readout like that. It's Firefox devouring my CPU. Now what?
And why are you afraid to leave it running overnight? -
Memory leak. The memory usage keeps creeping up, and after one night it will be over a few G's at least. On portable systems with limited RAM that's not funny.
This is quite weird. It's not common. Otherwise FF would be unusable for most people. But I can somehow reliably trigger it. Different desktops and laptops, Linux, Windows, Mac, 32bit, 64bit, whatever, even Palemoon which is a FF fork based on old versions gives me leaks. 100% CPU load happens all the time as well.
You can close/kill the offending process. But without knowing what's causing the issue I've no idea what a proper solution would be. Maybe switch to Chromium if it happens again?
Last edited: Mar 30, 2016
-
I prefer htop also.
Another one to check out is nmon. -
The last post was 3/30/2016 so at this point I have unstuck the post. It should be old news by now and does not seem to be a further recurring problem.
-
And, in more positive news...
Linux Mint 18 Finally Arrives — Download Cinnamon and MATE Edition ISO Files Here
http://fossbytes.com/linux-mint-18-download-features-cinnamon-mate-iso/
" Short Bytes: The wait for the summer’s hottest Linux distro is over and you can finally download the release version of Linux Mint 18 “Sarah”. Often called the best Linux distribution for desktop PCs, Mint 18 comes loaded with new features and Linux 4.4 LTS Kernel."
Monthly News – June 2016 | Linux Mint 18 “Sarah” MATE released! »
Linux Mint 18 “Sarah” Cinnamon released!
Written by Clem on Thursday, June 30th, 2016 @ 12:43 pm | Main Topics
http://blog.linuxmint.com/?p=3051
With regional download links, direct and torrents.
Last edited: Jul 4, 2016
-
Not to be outdone by Mint, Ubuntu had their forums hacked.
https://insights.ubuntu.com/2016/07/15/notice-of-security-breach-on-ubuntu-forums/
-
ALLurGroceries Vegan Vermin Super Moderator
The past is what happened.
-
MySQL hacking is the new fad.
https://www.bleepingcomputer.com/news/security/database-ransom-attacks-have-now-hit-mysql-servers/
Linux Mint hacked!
Discussion in 'Linux Compatibility and Software' started by katalin_2003, Feb 23, 2016.