Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

Palloy (Moderator)
Linux OSs come in various flavours, being built up out of various public libraries of code.  The most popular basic flavour is Debian, and the most popular Debian sub-flavour is Ubuntu, and one of the popular sub-sub-flavours is Mint, and one of the sub-sub-sub-flavours is Mint Cinnamon.  The download file (a .iso disc image file of about 1 GB) is available via HTTP, FTP and Torrent.  The downloads are hosted on mirrors around the world to spread the server load.

If you downloaded Linux Mint Cinnamon on Saturday/Sunday via FTP from the Bulgarian mirror, then you got a hacked copy, and will have to wipe it and start again.

The Mint website was hacked via its WordPress blogging software, and I guess that means it was a password breach.  My websites get probed for WordPress weaknesses all the time, but I don't use WordPress. does use WP, so Admins should go to and check that their Username/Password combination has a strong password - mine has 20 characters including letters, numbers and symbols.  If you haven't changed your password since HTTPS was introduced (2 Jan 2016), then it will have been passed over the internet in clear text before then, so update it now.

No doubt more detail will come out soon, meanwhile the website is offline.
Warning — Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System
February 21, 2016
Swati Khandelwal
Are you also one of those who downloaded Linux Mint on February 20th? You may have been infected!

Linux Mint is one of the best and most popular Linux distros available today, but if you have downloaded and installed the operating system recently, you might have done so using a malicious ISO image.

Here's why:

Last night, some unknown hacker or group of hackers managed to hack into the Linux Mint website and replaced the download links on the site with ones that pointed to one of their servers offering a malicious ISO image for the Linux Mint 17.3 Cinnamon Edition.

    "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," the head of Linux Mint project Clement Lefebvre said in a surprising announcement dated February 21, 2016.

Who are affected?

As far as the Linux Mint team knows, the issue only affects the one edition, and that is Linux Mint 17.3 Cinnamon edition.

The situation happened last night, so the issue only impacts people who downloaded the above-mentioned version of Linux Mint on February 20th.

However, if you downloaded the Cinnamon edition or release before Saturday, February 20th, the issue does not affect you. Even if you downloaded a different edition including Mint 17.3 Cinnamon via Torrent or direct HTTP link, this does not affect you either.

What Happened?

Hackers are believed to have accessed the underlying server via the team's WordPress blog and then got shell access to www-data.

From there, the hackers manipulated the Linux Mint download page and pointed it to a malicious FTP (File Transfer Protocol) server hosted in Bulgaria (IP:, the investigative team discovered.

The infected Linux ISO images installed the complete OS with the Internet Relay Chat (IRC) backdoor Tsunami, giving the attackers access to the system via IRC servers.

Tsunami is a well-known Linux ELF trojan that is a simple IRC bot used for launching Distributed Denial of Service (DDoS) attacks.

Hackers vs. Linux Mint SysAdmins

However, the Linux Mint team managed to discover the hack, cleaned up the links from their website quickly, announced the data breach on their official blog, and then it appears that the hackers compromised its download page again.

Knowing that it has failed to eliminate the exact point of entry of hackers, the Linux Mint team took the entire domain offline to prevent the ISO images from spreading to its users.

The Linux Mint official website is currently offline until the team investigates the issue entirely. However, the hackers' motive behind the hack is not clear yet.

    "What we don't know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this," Lefebvre added.

Hackers Selling Linux Mint Website's Database

The hackers are selling the full Linux Mint website's database for just $85, which is a sign of their lack of knowledge.

The hack seems to be the work of some script kiddies or an inexperienced group as they opted to infect a top-shelf Linux distro with a silly IRC bot that is considered to be outdated in early 2010. Instead, they would have used more dangerous malware like Banking Trojans.

Also, even after the hack was initially discovered, the hackers re-compromised the site, which again shows the hackers' lack of experience.

Here's How to Protect your Linux Machine

Users with the ISO image can check its signature in an effort to make sure it is valid.

To check for an infected download, you can compare the MD5 signature with the official versions, included in Lefebvre's blog post.

If found infected, users are advised to follow these steps:

    Take the computer offline.
    Back up all your personal data.
    Reinstall the operating system (with a clean ISO) or format the partition.
    Change passwords for sensitive websites and emails.

You can read the full details about the hack here. The official website is not accessible at the time of writing. We’ll update the story when we hear more.
The State is a body of armed men
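
The checksum comparison the article recommends, as an added example that is not part of the original post or of the Linux Mint announcement: it parses a list in `md5sum` format and checks a downloaded file against it, treating a file with no published digest as unverified. The file names and contents are constructed stand-ins, and the digest list is assumed to come from a source other than the compromised download page.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sums(text):
    """Parse md5sum-style lines ('<hex digest>  <name>' or '<hex digest> *<name>')."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 32 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def file_md5(path, chunk_size=1 << 20):
    """Stream the file so a 1 GB ISO is never loaded into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_iso(path, published_sums):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at path."""
    expected = parse_sums(published_sums).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no published digest: treat as unverified, not as clean
    return "ok" if hmac.compare_digest(file_md5(path), expected) else "mismatch"

def demo():
    # Constructed stand-ins for a genuine and a tampered image; not real ISO data.
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example-cinnamon-64bit.iso")
        other = os.path.join(d, "example-mate-64bit.iso")
        with open(good, "wb") as f: f.write(b"genuine image bytes")
        with open(other, "wb") as f: f.write(b"some other image")
        published = f"{file_md5(good)}  {os.path.basename(good)}\n"
        results = [verify_iso(good, published), verify_iso(other, published)]
        with open(good, "ab") as f: f.write(b" + backdoor")  # simulate modification
        results.append(verify_iso(good, published))
        return results

if __name__ == "__main__":
    print(demo())
```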

Palloy
It seems the hack might have been more extensive than reported.  I am subscribed to , I don't remember why, and my email address and password combination for the forum login has been released on a hacker site.  That's not a problem for me because the password is unique to that site. 

Thank you BreachAlarm for monitoring those hacker sites and informing me.

Palloy
I got an email from today, apologising for the hack, and linking to a better explanation of the hack:

How were the forums hacked?

By lack of hardening on the server. The hackers used the forums software to upload a PHP backdoor which gave them a local www-data shell. From there they were able to access the database.

What is being done to prevent this in the future?

One key aspect is the uniqueness and the complexity of the passwords. If your password is complex, it's harder to crack. If your password is unique, it doesn't matter that much if it gets cracked.

This attack raised awareness and hopefully will make our users use unique passwords.

The settings were modified on the forums and they now require stronger passwords.

On the servers themselves, the team worked day and night to harden as many aspects as possible. Each website is now running on its very own server. All websites are now behind a strict firewall and the presence of malware is monitored by a security firm. Many restrictions were placed on Apache and PHP to restrict their scope and privileges. All automated backups were reviewed. HTTPS was implemented to prevent man-in-the-middle attacks.

Firewalls work by putting rules on reading from and writing to ports.  So this implies that the hackers had used PHP to open a new port and communicate via that, and the firewall didn't prevent that.  REALLY BASIC stuff.   :-[