Linux Mint Website Hacked, Users Tricked Into Downloading ISOs with Backdoors

Discussion in 'all things UNIX' started by stapp, Feb 21, 2016.

Thread Status:
Not open for further replies.
  1. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,936
    Location:
    UK
    http://news.softpedia.com/news/linu...load-isos-with-backdoors-in-them-500707.shtml

     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    That's why you always check where you're downloading from. And "link scanners" and "website reputation" do help. Shocking news nonetheless, but that is why you always check the checksums as well...

    I'll be damned if they hacked the entire server & actually uploaded the modified version there, and changed the checksums accordingly. You wouldn't have known the difference, especially if they announce a "new release" or something.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    The hack was via Wordpress... Hmm. I wonder if it was actually zero-day, or just a misconfiguration and/or WP not being up to date. It'd be interesting to know what their server was running.

    Preferably GPG signatures first. Or at least get the checksums from a different mirror.

    They could have changed the checksums displayed on the Wordpress download page. That would look fishy, but people probably wouldn't notice if they weren't looking for problems.
     
  4. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    I have never used Mint. They basically steals the Ubuntu OS, polish it up and added a bit flavor to it, and then call it a a new distro. It's a joke to me. They do not have the tech quality that Ubuntu has. Since I used Ubuntu since 2006, I stick to Ubuntu.
     
  5. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    http://blog.linuxmint.com/?p=3001


     
  6. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    So according to your logic,every ubuntu based distro is not a distro..?.So what are they then.Interesting as ubuntu is based on debian so in that case ubuntu is not a distro then.?
    Interesting logic there.
     
  7. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Yes Ubuntu is based on Debian, but it large enough changes that make it differentiate from Debian. Mint, on the other hand, basically only added the meidabuntu portion so that you don't have to manually install the media addons. What else did they change?
    Look at the Linux family tree, you'll see the difference of Ubuntu and Mint.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    A simple Google search would reveal completely different desktop environments, some new built-in applications, revamped Settings, etc.
     
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    Didn't other than my machine. But Mint homepage & download are offline.
     
  10. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Looks like the whole website is down (for me as well). The damage could be much larger then originally thought.
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Damn! I thought I wouldn't see this kind of attack so soon.

    I was thinking of trying Mint these last few days. Good thing I didn't try.

    But that's also what Ubuntu does to Debian.

    This is comming from someone who never used Mint? ;)

    Exactly.
     
    Last edited: Feb 21, 2016
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I have to agree with you on the quality. I find Ubuntu (LTS versions only) to be quite clean and polished and bug free, whereas I've seen numerous bugs and problems in various Mint distros. Mint originally gained popularity years ago by taking Ubuntu and adding codecs and flash and whatever people needed to be up and running out of the box. Then it proceeded from there.. But anyway, I agree, Ubuntu quality is superior on it's LTS versions.
     
  13. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    I remember reading on their forums yesterday that the download link was behaving strangely (it would start downloading immediately).
    Then someone else confirmed this and added that the checksums where different.
    Then another user noticed a small favicon at the end of the checksum (or was it the download link?).

    I read the thread at this point, went to the download page (this was only Mint Cinnamon) and confirmed all of the above (which I had taken a snapshot).

    Anyway, this breaks the faith in Mint somewhat.
     
  14. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    If you read the user posts on their blog the server was hacked again after they cleaned it up as downloads still pointed to the hacked image. Mint purposely ignores security in favor of stability in Mint itself I have to wonder if they had the same process in use on their servers also. It would be interesting to know what they used for server software also.

    Given that they are still down I'd say this could be worse than was revealed.

    ...........................................................

    "Heyo, it seems like the download pages still point to the hacked ISOs.
    Honestly, the only reason why I noticed is because I was downloading the ISOs in bulk using wget, I saw a strange IP address and the fact that it was a PHP file.

    Anyway, are the download pages going to be fixed anytime soon? I want to burn a CD for an old family friend… He got scammed by the “windows tech support” scammers and I want to show him the joys of Linux Mint!

    Edit by Clem: Thanks for reporting this, this is a second attack so it means we’re still vulnerable. I’m shutting the server down right now."

    Edit by Clem: We shut down the server until we find the source of the second intrusion (probably something left by the first).

    Edit by Clem: That’s the MD5SUM of the hacked ISO alright. The server was taken down until we know it’s safe again. I’m sorry I can’t give you an ETA.

    Edit by Clem: We’ve a bit more information about it now and we think it’s a single individual with no funding behind the attack. We’ll pass the relay to a security firm now.

    Edit by Clem: It’s very good. I disagree with the origin of the attack, we found the first backdoor and it was possible to access the forums database from there. The information about tsunami is very interesting (not that it’s the time for an evening read, we’re ultra busy as you can imagine but it’s important we understand as much as possible and this helps). Regarding the modus operandi I agree as well, we’d spend much more than $85 to stop that data but without trust nothing can happen. We’re getting ready to purchase 2 or 3 additional servers so we can split the services and we’ll probably also contract a security firm to look into the bottom of this for us, we’re software developers not intrusion experts. In the end it’s going to cost much more than $85.
     
  15. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Agreed that Mint devs have something only they know right now.

    I LOL'ed the statement that they are software developers not intrusion experts.

    Anyway, I have never used Mint, and after this mess, I most likely will not use it in the future.
     
  16. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I had one machine running Mint and installed Fedora on it last night.

    Granted this was their servers not the distro itself but their philosophy of stability over security needs a rethink imo. Not that they need to go crazy in that regard but maybe balance the two things a bit more evenly.
     
  17. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    All my Mint installs are 17.2 from a few months ago. I haven't run any of them for a few weeks and don't see anything to worry about at the moment. Just out of mild paranoia, I'm going to recheck the checksums on the ISOs I downloaded last year.

    Why Mint? Is it because it is a fairly easy and popular distro that attracts a lot refugees from Windows who don't like versions later than Xp other than 7. It is based on Ubuntu LTS but it is definitely not Ubuntu and has some advantages over it.
     
  18. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
  19. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    A comment on a hacker news discussion by who appears to be the hacker writes this below which should make users of Mint more than a bit uncomfortable and it goes hand in hand with the Mint developers statement "we’re software developers not intrusion experts":
    The hacker refers to this story in one of their posts:

    http://news.softpedia.com/news/linux-mint-website-hack-a-timeline-of-events-500719.shtml

    https://news.ycombinator.com/item?id=11143162

    I think calling softpedia "press" is an insult to every real journalist.
    The fact that they're calling the bot "tsunami" just proves their incompetence. The bot isn't called tsunami, it's called kaiten and it's been open source for more than a decade.

    https://packetstormsecurity.com/files/25575/kaiten.c.html

    They also managed to confuse FTP and HTTP

    >the hackers have only altered the man.cy [https://gist.github.com/Oweoqi/31239851e5b84dbba894] file, where they've added a new function called tsunami.

    Doesn't look like they just added a new function called tsunami to me.

    >Selling the forum's database for a meager $85 is a sign of their lack of vision. The group seems to have mishandled the entire hack, opting to distribute a silly IRC DDoS bot instead of more dangerous and lucrative malware like Bitcoin miners or banking trojans.

    Stupid speculation by writer.

    Linux Mint remains compromised despite the current events, it's rather unlikely that kaiten is used as a DDoS bot instead of just a stager to execute shell commands on the affected computers. The presence of DoS commands is meaningless, the only reason kaiten is still used today is because it runs everywhere so it seems fair to assume that that'd be why the attacker opted to just use it instead of writing their own. (No real benefit to that here)

    Also, bitcoin mining stopped being lucrative ages ago.

    edit: >One person seems to have bought the hackers' files and dumped the forum's config file on Hacker News discussions thread.

    I neither bought nor sold the data.


    "But that wasn't the point, the point was to expose the level of stupidity at play here.
    I strongly believe the users deserve to know just how incompetent these guys are, because next time it won't be some idiot swapping the iso links. It'll be someone slightly more competent that pushes a backdoored commit or gets into the apt repos, and then _every_ _single_ user will be affected...
    Also, at the time of the posting the site was down. And it remains so."
     
    Last edited: Feb 22, 2016
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @AutoCascade

    Oh, wow. I've thought Mint was needlessly insecure for a while, but never would have imagined that level of incompetence.
     
  21. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Some very interesting opinions on the subject...

    https://lwn.net/Articles/676613/
     
  22. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Wow, the rest of that thread literally HAMMERS Mint. This thread is a must read.

    My favorite is this post:

    "Well, Linux Mint is generally very bad when it comes to security and quality.

    First of all, they don't issue any Security Advisories, so their users cannot - unlike users of most other mainstream distributions [1] - quickly lookup whether they are affected by a certain CVE.

    Secondly, they are mixing their own binary packages with binary packages from Debian and Ubuntu without rebuilding the latter. This creates something that we in Debian call a "FrankenDebian" which results in system updates becoming unpredictable [2]. With the result, that the Mint developers simply decided to blacklist certain packages from upgrades by default thus putting their users at risk because important security updates may not be installed.

    Thirdly, while they import packages from Ubuntu or Debian, they hi-jack package and binary names by re-using existing names. For example, they called their fork of gdm2 "mdm" which supposedly means "Mint Display Manager". However, the problem is that there already is a package "mdm" in Debian which are "Utilities for single-host parallel shell scripting". Thus, on Mint, the original "mdm" package cannot be installed.

    Another example of such a hi-jack are their new "X apps" which are supposed to deliver common apps for all desktops which are available on Linux Mint. Their first app of this collection is an editor which they forked off the Mate editor "pluma". And they called it "xedit", ignoring the fact that there already is an "xedit" making the old "xedit" unusable by hi-jacking its namespace.

    Add to that, that they do not care about copyright and license issues and just ship their ISOs with pre-installed Oracle Java and Adobe Flash packages and several multimedia codec packages which infringe patents and may therefore not be distributed freely at all in countries like the US.

    To conclude, I do not think that the Mint developers deliver professional work. Their distribution is more a crude hack of existing Debian-based distributions. They make fundamental mistakes and put their users at risk, both in the sense of data security as well as licensing issues.

    I would therefore highly discourage anyone using Linux Mint until Mint developers have changed their fundamental philosophy and resolved these issues."

    Adrian
     
  23. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    indeed, thanks for the link
     
  24. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Are other distros susceptible to this then.?
    Do the so called mint issues affect other distros and if so what counter measures are they employng which cannot be employed by the mint team.?

    How secure are other distro servers and MD5 signatures.I think before we hammer the mint team we should analyze the entire linux infrastructure first.
     
  25. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.