Discussion in 'all things UNIX' started by stapp, Feb 21, 2016.
That's why you always check where you're downloading from. And "link scanners" and "website reputation" do help. Shocking news nonetheless, but that is why you always check the checksums as well...
I'll be damned if they hacked the entire server & actually uploaded the modified version there, and changed the checksums accordingly. You wouldn't have known the difference, especially if they announce a "new release" or something.
The hack was via Wordpress... Hmm. I wonder if it was actually zero-day, or just a misconfiguration and/or WP not being up to date. It'd be interesting to know what their server was running.
Preferably GPG signatures first. Or at least get the checksums from a different mirror.
They could have changed the checksums displayed on the Wordpress download page. That would look fishy, but people probably wouldn't notice if they weren't looking for problems.
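The two checks raised in the posts above (compare the downloaded image against a published checksum, and trust that list only after its GPG signature verifies or after fetching it from a second mirror) as a small script. This is an added example, not code from this thread or from the Mint project; the file names (demo.iso, sha256sum.txt, sha256sum.txt.gpg) are constructed placeholders and SHA-256 is used rather than the MD5 list mentioned later in the thread.

```sh
#!/bin/sh
# Added example (not from this thread or from the Mint project): verify a
# downloaded ISO against a published checksum list before booting it.
# File names are constructed placeholders; a real list should be fetched
# from a second mirror or come with a detached GPG signature.

# digest <file>: print the SHA-256 hex digest with whichever tool exists.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_iso <iso> <sums-file>
#   0 = digest matches the list entry for the file's basename
#   1 = mismatch (do not use the image)
#   2 = the list has no entry for this file
verify_iso() {
    iso="$1"
    sums="$2"
    name=$(basename "$iso")
    # Lines look like "<hex>  name" or "<hex> *name" (binary-mode marker);
    # take the first field of the line whose file name matches exactly.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "NO ENTRY: $name is not listed in $sums" >&2
        return 2
    fi
    actual=$(digest "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_signature <detached-sig> <sums-file>
# Authenticates the checksum list itself. The signing key must already be
# in the local keyring, imported out of band rather than from the same
# download page that could have been tampered with.
verify_signature() {
    gpg --verify "$1" "$2"
}

# Demo with constructed files: a matching image, then a tampered one.
demo() {
    t=$(mktemp -d)
    printf 'pretend these are ISO bytes\n' > "$t/demo.iso"
    printf '%s  demo.iso\n' "$(digest "$t/demo.iso")" > "$t/sha256sum.txt"
    verify_iso "$t/demo.iso" "$t/sha256sum.txt"
    printf 'pretend these are tampered ISO bytes\n' > "$t/demo.iso"
    verify_iso "$t/demo.iso" "$t/sha256sum.txt" || echo "refusing tampered image (rc=$?)"
    rm -rf "$t"
}

demo
```

Run `verify_signature sha256sum.txt.gpg sha256sum.txt` first; if that fails, the checksum list is worth nothing and comparing digests against it tells you nothing about the image.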
I have never used Mint. They basically steal the Ubuntu OS, polish it up, add a bit of flavor to it, and then call it a new distro. It's a joke to me. They do not have the tech quality that Ubuntu has. Since I have used Ubuntu since 2006, I stick to Ubuntu.
So according to your logic, every Ubuntu-based distro is not a distro? So what are they then? Interesting, as Ubuntu is based on Debian, so in that case Ubuntu is not a distro then?
Interesting logic there.
Yes, Ubuntu is based on Debian, but it has large enough changes that differentiate it from Debian. Mint, on the other hand, basically only added the medibuntu portion so that you don't have to manually install the media addons. What else did they change?
Look at the Linux family tree, you'll see the difference of Ubuntu and Mint.
A simple Google search would reveal completely different desktop environments, some new built-in applications, revamped Settings, etc.
Didn't other than my machine. But Mint homepage & download are offline.
Looks like the whole website is down (for me as well). The damage could be much larger than originally thought.
Damn! I thought I wouldn't see this kind of attack so soon.
I was thinking of trying Mint these last few days. Good thing I didn't try.
But that's also what Ubuntu does to Debian.
This is coming from someone who never used Mint?
I have to agree with you on the quality. I find Ubuntu (LTS versions only) to be quite clean and polished and bug free, whereas I've seen numerous bugs and problems in various Mint distros. Mint originally gained popularity years ago by taking Ubuntu and adding codecs and flash and whatever people needed to be up and running out of the box. Then it proceeded from there. But anyway, I agree, Ubuntu quality is superior on its LTS versions.
I remember reading on their forums yesterday that the download link was behaving strangely (it would start downloading immediately).
Then someone else confirmed this and added that the checksums were different.
Then another user noticed a small favicon at the end of the checksum (or was it the download link?).
I read the thread at this point, went to the download page (this was only Mint Cinnamon) and confirmed all of the above (of which I had taken a snapshot).
Anyway, this breaks the faith in Mint somewhat.
If you read the user posts on their blog, the server was hacked again after they cleaned it up, as downloads still pointed to the hacked image. Mint purposely ignores security in favor of stability in Mint itself; I have to wonder if they had the same process in use on their servers also. It would be interesting to know what they used for server software also.
Given that they are still down I'd say this could be worse than was revealed.
"Heyo, it seems like the download pages still point to the hacked ISOs.
Honestly, the only reason why I noticed is because I was downloading the ISOs in bulk using wget, I saw a strange IP address and the fact that it was a PHP file.
Anyway, are the download pages going to be fixed anytime soon? I want to burn a CD for an old family friend… He got scammed by the “windows tech support” scammers and I want to show him the joys of Linux Mint!
Edit by Clem: Thanks for reporting this, this is a second attack so it means we’re still vulnerable. I’m shutting the server down right now."
Edit by Clem: We shut down the server until we find the source of the second intrusion (probably something left by the first).
Edit by Clem: That’s the MD5SUM of the hacked ISO alright. The server was taken down until we know it’s safe again. I’m sorry I can’t give you an ETA.
Edit by Clem: We’ve a bit more information about it now and we think it’s a single individual with no funding behind the attack. We’ll pass the relay to a security firm now.
Edit by Clem: It’s very good. I disagree with the origin of the attack, we found the first backdoor and it was possible to access the forums database from there. The information about tsunami is very interesting (not that it’s the time for an evening read, we’re ultra busy as you can imagine but it’s important we understand as much as possible and this helps). Regarding the modus operandi I agree as well, we’d spend much more than $85 to stop that data but without trust nothing can happen. We’re getting ready to purchase 2 or 3 additional servers so we can split the services and we’ll probably also contract a security firm to look into the bottom of this for us, we’re software developers not intrusion experts. In the end it’s going to cost much more than $85.
Agreed that Mint devs have something only they know right now.
I LOL'ed at the statement that they are software developers, not intrusion experts.
Anyway, I have never used Mint, and after this mess, I most likely will not use it in the future.
I had one machine running Mint and installed Fedora on it last night.
Granted this was their servers not the distro itself but their philosophy of stability over security needs a rethink imo. Not that they need to go crazy in that regard but maybe balance the two things a bit more evenly.
All my Mint installs are 17.2 from a few months ago. I haven't run any of them for a few weeks and don't see anything to worry about at the moment. Just out of mild paranoia, I'm going to recheck the checksums on the ISOs I downloaded last year.
Why Mint? Is it because it is a fairly easy and popular distro that attracts a lot of refugees from Windows who don't like versions later than XP other than 7? It is based on Ubuntu LTS but it is definitely not Ubuntu and has some advantages over it.
They did a bit more than what's been revealed so far. Good read below:
A comment on a Hacker News discussion by someone who appears to be the hacker writes this below, which should make users of Mint more than a bit uncomfortable, and it goes hand in hand with the Mint developers' statement "we’re software developers not intrusion experts":
The hacker refers to this story in one of their posts:
I think calling softpedia "press" is an insult to every real journalist.
The fact that they're calling the bot "tsunami" just proves their incompetence. The bot isn't called tsunami, it's called kaiten and it's been open source for more than a decade.
They also managed to confuse FTP and HTTP.
>the hackers have only altered the man.cy [https://gist.github.com/Oweoqi/31239851e5b84dbba894] file, where they've added a new function called tsunami.
Doesn't look like they just added a new function called tsunami to me.
>Selling the forum's database for a meager $85 is a sign of their lack of vision. The group seems to have mishandled the entire hack, opting to distribute a silly IRC DDoS bot instead of more dangerous and lucrative malware like Bitcoin miners or banking trojans.
Stupid speculation by writer.
Linux Mint remains compromised despite the current events. It's rather unlikely that kaiten is used as a DDoS bot instead of just a stager to execute shell commands on the affected computers. The presence of DoS commands is meaningless; the only reason kaiten is still used today is because it runs everywhere, so it seems fair to assume that that'd be why the attacker opted to just use it instead of writing their own. (No real benefit to that here.)
Also, bitcoin mining stopped being lucrative ages ago.
edit: >One person seems to have bought the hackers' files and dumped the forum's config file on Hacker News discussions thread.
I neither bought nor sold the data.
"But that wasn't the point, the point was to expose the level of stupidity at play here.
I strongly believe the users deserve to know just how incompetent these guys are, because next time it won't be some idiot swapping the iso links. It'll be someone slightly more competent that pushes a backdoored commit or gets into the apt repos, and then _every_ _single_ user will be affected...
Also, at the time of the posting the site was down. And it remains so."
Oh, wow. I've thought Mint was needlessly insecure for a while, but never would have imagined that level of incompetence.
Some very interesting opinions on the subject...
Wow, the rest of that thread literally HAMMERS Mint. This thread is a must read.
My favorite is this post:
"Well, Linux Mint is generally very bad when it comes to security and quality.
First of all, they don't issue any Security Advisories, so their users cannot - unlike users of most other mainstream distributions - quickly look up whether they are affected by a certain CVE.
Secondly, they are mixing their own binary packages with binary packages from Debian and Ubuntu without rebuilding the latter. This creates something that we in Debian call a "FrankenDebian", which results in system updates becoming unpredictable. With the result that the Mint developers simply decided to blacklist certain packages from upgrades by default, thus putting their users at risk because important security updates may not be installed.
Thirdly, while they import packages from Ubuntu or Debian, they hi-jack package and binary names by re-using existing names. For example, they called their fork of gdm2 "mdm", which supposedly means "Mint Display Manager". However, the problem is that there already is a package "mdm" in Debian, which is "Utilities for single-host parallel shell scripting". Thus, on Mint, the original "mdm" package cannot be installed.
Another example of such a hi-jack are their new "X apps" which are supposed to deliver common apps for all desktops which are available on Linux Mint. Their first app of this collection is an editor which they forked off the Mate editor "pluma". And they called it "xedit", ignoring the fact that there already is an "xedit" making the old "xedit" unusable by hi-jacking its namespace.
Add to that, that they do not care about copyright and license issues and just ship their ISOs with pre-installed Oracle Java and Adobe Flash packages and several multimedia codec packages which infringe patents and may therefore not be distributed freely at all in countries like the US.
To conclude, I do not think that the Mint developers deliver professional work. Their distribution is more a crude hack of existing Debian-based distributions. They make fundamental mistakes and put their users at risk, both in the sense of data security as well as licensing issues.
I would therefore highly discourage anyone using Linux Mint until Mint developers have changed their fundamental philosophy and resolved these issues."
indeed, thanks for the link
Are other distros susceptible to this then?
Do the so-called Mint issues affect other distros, and if so, what countermeasures are they employing which cannot be employed by the Mint team?
How secure are other distro servers and MD5 signatures? I think before we hammer the Mint team we should analyze the entire Linux infrastructure first.
Security of the "entire linux infrastructure" apart, the points quoted in https://www.wilderssecurity.com/thre...ding-isos-with-backdoors.383981/#post-2566638 are cause for concern specifically to Mint users.