I’m sorry I have to come with bad news.
We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.
What happened?
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
Does this affect you?
As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.
Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
How to check if your ISO is compromised?
If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).
The valid signatures are below:
6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso
If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
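The two checks above (comparing the md5sum against the published list, and looking for /var/lib/man.cy in the live session) as a POSIX shell script. This is an added example, not the Mint team's own tooling: it embeds the five sums published in this post plus the hacked-ISO MD5 that a commenter reports further down, and takes the root directory to inspect as a parameter so a mounted image can be checked from outside the live session.

```shell
#!/bin/sh
# Added example (not the Mint team's own tooling): automate the two checks the post
# describes. The known-good sums are the ones listed in the post; the known-bad sum is
# the one a commenter reported for the backdoored 64-bit Cinnamon ISO.

KNOWN_GOOD_MD5='
6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso
'
KNOWN_BAD_MD5='7d590864618866c225ede058f1ba61f0'

# Print the MD5 of a file (coreutils md5sum, falling back to openssl).
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{ print $1 }'
  else
    openssl dgst -md5 "$1" | awk '{ print $NF }'
  fi
}

# Look up the published sum for an ISO by its file name; prints nothing if unknown.
expected_md5_for() {
  printf '%s\n' "$KNOWN_GOOD_MD5" | awk -v n="$1" '$2 == n { print $1 }'
}

# Classify an ISO: 0 = matches the published sum, 1 = carries the known backdoored
# sum, 2 = some other mismatch, 3 = file name not in the published list.
verify_mint_iso() {
  iso="$1"
  name=$(basename "$iso")
  expected=$(expected_md5_for "$name")
  if [ -z "$expected" ]; then
    echo "UNKNOWN: no published MD5 for $name" >&2
    return 3
  fi
  actual=$(md5_of "$iso")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name matches the published MD5"
    return 0
  fi
  if [ "$actual" = "$KNOWN_BAD_MD5" ]; then
    echo "BACKDOORED: $name has the MD5 reported for the hacked ISO" >&2
    return 1
  fi
  echo "MISMATCH: $name has $actual, expected $expected" >&2
  return 2
}

# Live-session check from the post: the backdoored ISO leaves /var/lib/man.cy.
# Takes the root to inspect (default /) so a mounted image can be checked too.
# Returns 0 when the marker is absent, 1 when it is present.
check_backdoor_marker() {
  root="${1:-/}"
  if [ -e "${root%/}/var/lib/man.cy" ]; then
    echo "INFECTED: found ${root%/}/var/lib/man.cy" >&2
    return 1
  fi
  return 0
}

# Usage: sh check-mint-iso.sh /path/to/linuxmint-17.3-cinnamon-64bit.iso
if [ $# -eq 1 ]; then
  verify_mint_iso "$1"
fi
```

A matching MD5 only shows the file equals what this post lists; the signed sha256sums on the mirrors linked in the comments are the stronger check.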
What to do if you are affected?
Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.
If you installed this ISO on a computer:
- Put the computer offline.
- Backup your personal data, if any.
- Reinstall the OS or format the partition.
- Change your passwords for sensitive websites (for your email in particular).
Is everything back to normal now?
Not yet. We took the server down while we’re fixing the issue.
Who did that?
The hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com.
Both lead to Sofia, Bulgaria, and to the names of 3 people over there. We don’t know their roles in this, but if we ask for an investigation, this is where it will start.
What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.
If you’ve been affected by this, please do let us know.
Are there lots of server problems lately or are you just being more transparent about them?
Edit by Clem: We’ve always been transparent. It’s something we owe people to a certain extent, and it’s also easier to just say things the way they are. That’s how I was brought up anyway, so that’s how it is. Regarding servers, there are more and more servers all the time, yes. The only attacks we suffered in the past were DDOS though, this is new. It’s also important we communicate about this attack because we’re not talking about downtime or inconvenience here, this is a call to action. We need people who are affected by this, to understand that they are, so they don’t get hurt or used going forward.
If you have any doubt or any question, please don’t hesitate to ask. I tried to stick to the most important information, but I understand how unsettling this can be. I’ll be happy to answer as many questions as I can.
Dumb question but were any of the repositories affected? I did an upgrade today and was surprised that firmware upgraded to Linux 3.19.0-32-generic #37~14.04.1-Ubuntu
Edit by Clem: No.
Were downloads via Torrent also affected, or is Torrent more difficult to compromise?
Edit by Clem: No they weren’t.
Heyo, it seems like the download pages still point to the hacked ISOs.
Honestly, the only reason why I noticed is because I was downloading the ISOs in bulk using wget, I saw a strange IP address and the fact that it was a PHP file.
Anyway, are the download pages going to be fixed anytime soon? I want to burn a CD for an old family friend… He got scammed by the “windows tech support” scammers and I want to show him the joys of Linux Mint!
Edit by Clem: Thanks for reporting this, this is a second attack so it means we’re still vulnerable. I’m shutting the server down right now.
I’ll ask this question, without knowing the intrinsic details, or any specific details other than what has been posted above; did the breach have anything to do with the fact that you’re running WordPress?
Best wishes and thanks for the heads up.
-k0nsl
Edit by Clem: Yes, the breach was made via wordpress. From there they got a www-data shell.
Was there a time stamp upon this file you mention as to when it was created on the server? Hopefully there was sufficient info on the intrusion of the server and to which version of Cinnamon, whether it was a 32bit or 64bit version affected or both?
Lucky
Edit by Clem: Yes, it was from today. 64-bit definitely, 32-bit didn’t show links but was found on the Bulgarian server, so it looks like they were preparing to compromise this one as well later on.
#3 -No, that’s an Ubuntu package, not Mint. And it’s not firmware, it’s a system component.
I’ve just been trying to install a fresh version of Linux Mint on a new machine from this corrupted ISO for the last couple of hours. I thought something was weird when I was unable to connect to the internet after installing, yet I was able to reach my router. I’d stupidly not checked the MD5 checksum before using the ISO. Has anyone/is anyone going to be looking into the ‘functional’ difference between the genuine and hacked versions? I’d be interested to know what/if any of my data or keyboard input has been stolen from me.
Thank you for letting us know about this.
Edit by Clem: Yes, it’s Mint with tsunami running on it. Here’s some info on it http://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html
So, it is only Cinnamon versions, correct? I just installed linuxmint-17.3-xfce-64bit today and I am a bit concerned after reading this blog.
Edit by Clem: Check the MD5 to be safe, but yes, it’s Cinnamon.
Hi Clem. Thanks for being straightforward and quick to let us know. I guess being targeted is the price you have to pay for making the most popular Linux distro. 😀 Thankfully I haven’t downloaded anything within the last few days.
Considering that this might happen again, have you guys considered some sort of way (besides md5sums) that we can verify the ISOs come from you? Maybe something like GPG?
That way if the server was hacked, the isos were replaced, and the publicly listed .iso md5sums were changed, the isos would still have incorrect gpg signatures.
Assuming you did start signing the releases and posting a link on the Linux Mint main page to the public Mint gpg key, an attacker could still replace the isos with malicious ones and replace the key link with one that links to his own. To combat this, some of us in the community and on the forums who use gpg (I know of several besides myself) could sign the Mint gpg key with our own keys. That way more trust could be put in the Mint key. I mean, even I could easily create a gpg key that claims to be from Clement Lefebvre, but it would be much harder for me or an actual attacker to then sign that key with the keys of several other members of the community.
Just an idea but thought you might be interested. 🙂 I’m sure whatever you guys end up doing will be great!
Also, do you think you could make an announcement on the forums/link this one there?
Edit by Clem: What really helps here is duplication and the community. We were alerted very fast and we were able to be alerted because people could find contradicting MD5s (and that’s mostly because the MD5s aren’t just in one place, but in many). Another thing which is going to help is to buy more servers and separate services even more. That way, if somebody hacks say wordpress, there’s only wordpress on that server and nothing else.
Doesn’t do much good to post hashes on a site that’s not served over TLS.
When will *.linuxmint.com go https only?
Edit by Clem: It’s planned and I’m hoping it’ll happen soon. Please note that this wouldn’t have helped here though. You’d be served the exact same hacked information via HTTPs.
Hi Clem, did this happen because there’s no HTTPS protection on mint website?
Edit by Clem: No. We need HTTPs to protect communication (mostly on your side, and against local or middle attacks). Here we have an intrusion, so it has nothing to do with the protocol. The hackers used wordpress to get in.
Hi, I downloaded and installed LinuxMint on Feb 18’th using a link from the official website, I should be ok, right?
Thanks
Edit by Clem: Yes. Check the signature just out of precaution.
Clem, is there any way to confirm that the hashes posted on this page are valid? They aren’t signed and the page isn’t even served over HTTPS. For all we know they could be spoofed as well.
Edit by Clem: You can find them at http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/ also along with signed sha256sums.
I really appreciate you keeping us posted. This was passed along to me by another friend whom knows I am devoted to Linux Mint. I was going to ask similarly if anyone had checked all the repositories, though I’ve not had anything seemingly affected.
I am always thankful that you guys are not only working on the project, but that you are straight forward and proactive. Thank you guys for being diligent enough to see it, and transparent enough to let us know just in case. Keep us updated.
Though I will ask why you are not pursuing action now, and only waiting to see if they try this again? Have you let authorities know and sent them the information?
Edit by Clem: It’s 3am here for us and 4am for them and the main concern is to clean up and get back to being safe and operational.
Hey… uh… I realized that my previous comment sounded a tad demanding. You guys are literally doing the impossible, and I really appreciate it. Thank you.
I was sure that the Linux Mint Website download page is still hacking.
IP address to these link has been added.
https://scrot.moe/image/JtvQ
It has done this other than Cinnamon. Download now of ISO is dangerous!
WARNING: The download links are still redirecting to this bulgarian IP, 5.104.175.212.
DO NOT DOWNLOAD!!!
Clem please disable downloads until you can guarantee user safety.
Edit by Clem: We shut down the server until we find the source of the second intrusion (probably something left by the first).
WordPress = shit.
Please add HTTPS support to linuxmint.com, whether it’s related or not to this hacking, this is really unacceptable in 2016
Edit by Clem: It’s not, but we will.
Just downloaded two copies of the 64 bit Cinnamon from the Oceania links for University of Canterbury and Xnet; both are coming up with the same incorrect md5sum (7d590864618866c225ede058f1ba61f0) – So of course I have not installed. (Time NZST 15.50 Date 21 February 2016)
How long before we can get a trusted download here in NZ?
Edit by Clem: That’s the MD5SUM of the hacked ISO alright. The server was taken down until we know it’s safe again. I’m sorry I can’t give you an ETA.
Looks Like I was a lucky one….
Decided to set up an old laptop yesterday.
Had version 15 of mint could/would not update,
Downloaded the ISO, rufused to a USB and installed….
Interesting times.
Oh no… linuxmint.com is down
https://www.dropbox.com/s/yuawahvhbmj82by/Screenshot%20from%202016-02-20%2020%3A20%3A51.png?dl=1
Edit by Clem: Yes, we can’t investigate and clean up while still being open to attacks. We had to take it down.
I’m a Gentoo user mainly, but was trying to find out why the mint site wasn’t working and ended up here (have a new netbook with a 32gb SSD – not enough free space for Windows 10 to update, even with a 8gb micro)
Just want to say top marks to Clem for personally responding to nearly every post. That is the mark of a legend.
Mint was (and still is) something like a sanctuary for me and probably for many. It is where I feel warm and safe and strong and alive. I absolutely hate the fact that someone took advantage of this clean and wonderful world of Linux Mint and I personally offer anything that is in my power to help it get back to all of us.
Are downloads elsewhere fine then?
I got mine here:
http://mirror.internode.on.net/pub/linuxmint/stable/17.3/
Thanks Clem for taking quick action and being so upfront about this.
I would like to call to everybody reading this to spread the warning to others they might know using Mint in case they haven’t seen this post. I am afraid many people who use Mint don’t read the blog here, so they might not be aware of the danger.
If you have access to some linux-related blog, rss feed, etc, then pls share this so it can get to the people who might have downloaded the hacked isos during this sad day…
thanks, I checked it out, I still have the USB, the ISO is gone
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
I only found a man.db, I hope it’s ok (I am a total noob, it’s my first linux after 15 years of windows lol)
@bananabob: any chance you didn’t delete those isos? I’d like to examine one if possible. 🙂
“Edit by Clem: Yes, the breach was made via wordpress. From there they got a www-data shell.”
“Edit by Clem:Another thing which is going to help is to buy more servers and separate services even more. That way, if somebody hacks say wordpress, there’s only wordpress on that server and nothing else.”
—
Speculating:
(cr)acker exploits and gains shell by webserver user (which is www-data as reported)
looks at wp-config.php, uses the username and password in the file to gain a mysql shell (which is fine since mysql is bound to localhost usually the cracker is the www-data user)
Probably a search made for post wanted (download links) edited from there..
The only things I can suggest are:
– Ensure the webserver user’s shell is /bin/false or /bin/nologin (and not /bin/sh or /bin/bash)
– Spend some quality time on planning separation of privilege for software. The webserver user should have write access to as little as possible (just wp-content in wordpress)
– Ensure incremental, automated backups are made that are not accessible to the webserver user
– Usage of chroot jails to really separate stuff.
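The first two points in this list (a non-interactive shell for the webserver user, and no write access outside wp-content) can be audited mechanically. The script below is an added example, not the Mint team's own tooling; it assumes a webserver account such as www-data and takes the passwd file and docroot as parameters so it can be run against constructed fixtures as well as a live host.

```shell
#!/bin/sh
# Added example (not the Mint team's tooling): audit the webserver user's login shell
# and find files under a WordPress docroot that this user could write outside wp-content.
# Assumptions: a webserver account such as www-data; passwd file and docroot are
# parameters so the checks can be exercised against constructed fixtures.

# Returns 0 if the account's login shell is non-interactive (nologin/false),
# 1 if it is a real shell, 2 if the account does not exist in the passwd file.
login_shell_disabled() {
  user="$1"
  passwd_file="${2:-/etc/passwd}"
  shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
  [ -n "$shell" ] || return 2
  case "$shell" in
    /usr/sbin/nologin|/sbin/nologin|/bin/false) return 0 ;;
    *) echo "$user has interactive shell $shell" >&2; return 1 ;;
  esac
}

# Print regular files under the docroot, excluding wp-content, that the given user
# can write to: owned by that user with the owner-write bit set, or world-writable.
# (Group-based write access is not modelled here.)
writable_outside_wp_content() {
  docroot="${1%/}"
  user="$2"
  find "$docroot" -path "$docroot/wp-content" -prune -o -type f \
    \( \( -user "$user" -perm -u=w \) -o -perm -o=w \) -print
}

# Wrapper: 0 if nothing outside wp-content is writable by the user, 1 otherwise.
wp_docroot_is_readonly_for() {
  hits=$(writable_outside_wp_content "$1" "$2")
  if [ -n "$hits" ]; then
    printf 'writable by %s outside wp-content:\n%s\n' "$2" "$hits" >&2
    return 1
  fi
  return 0
}

# Usage on a live host: sh audit-wp.sh /var/www/html www-data
if [ $# -eq 2 ]; then
  login_shell_disabled "$2" && echo "$2: login shell disabled"
  wp_docroot_is_readonly_for "$1" "$2" && echo "$1: read-only for $2 outside wp-content"
fi
```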
Sorry this happened! The people who did this were clearly not on a thrill ride – they wanted backdoored LM installs out there. Scary
I updated from 17.2 to 17.3 via the software update link today via the update manager (didn’t do a clean install from an ISO or USB). Were those affected too?
If you want to make things better I’d at least do the following:
1) Completely rebuild everything and verify nobody made any changes to the code (I assume you’re using a vcs like Git so that should be easy)
2) Rebuild everything on a development machine and move the ISO downloads to a separate server only serving static files (no PHP or MySQL).
3) Make sure your developers are using secure passwords generated by something like KeepassX
4) Ensure it’s using TLS with HSTS enabled (very important because it makes sure everyone is using TLS). Also disable outdated ciphers like RC4, etc. Here’s some help https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
5) Provide magnet links or GPG signatures for downloads over https.
FYI. I am a newbie to Linux Mint and downloaded iso this morning (Sunday in Melbourne Australia). After this notice found that check sums incorrect and took the recommended action.
I kept the wget file which had the following address:
http://5.104.175.214/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso
FYI
Argh. I just had a minor panic attack after checking the MD5 of an ISO I downloaded Tuesday (e71a2aad8b58605e906dbea444dc4983)(I figured it was possible that they did an earlier attack that was missed, so I might as well check the ISO to be safe) and saw it matched the one listed above. I panicked, started to tell you I had a bad ISO, then re-read the post and realized it was the MD5 of a clean ISO. I need to get some sleep.
But I’m saying this because I think you should make the post a bit more clear that the listed MD5s are the SAFE ones.
Time to retaliate and send shit back… Lets work guys, I know youre here, reading..
Back on topic: Clem, please, consider releasing a new website, but this time in pure html5 and let the forum and blog on a separate hosting, and dev/integratio/talk on another host. This will cost a little more but will be for the best interest of all.. The ISOs could be on the default server, the html5 one, or via the partners around the world.
😀 phew , thank goodness I downloaded via torrent, I just finished downloaded yesterday and this post really scared me
I just got a security update install request and downloaded it. Is my machine compromised?
Could someone upload the backdoor to virustotal.com and post back with the hash?
Hi, hopefully the website is coming back soon. If you need some technical support, don’t hesitate to contact me! Maybe I can help you out with some Server or Hosting. Just get in contact with me.
Best wishes
Niko
I was literally downloading Cinnamon tonight, Feb 20 (approx. 11-12 EST). It was going very slow and said 5 hours to go, and while viewing http://linuxscoop.com/video/fedora-23-workstation in another Firefox tab I got a pop up that said clickjack attempt. The iso was only half downloaded. In a panic I closed all tabs.
I think it’s unusual that there was a supposed clickjack attempt while downloading the iso. It’s only the second time I EVER saw that.
Please check what you have and your sites carefully. I’m wondering if I was possibly infected by an incomplete download because that is a real “coincidence”.
(Just by clicking the link? is that possible?)
Also please update us detailed ASAP
Clem, I see this blog is currently running WordPress 4.4.2, the latest version. Was the blog running this version when it got exploited or was it an older version that hadn’t been updated to 4.4.2 yet? Did you update to 4.4.2 after the exploit happened? Or could the exploit have been caused by a vulnerable extension/addon/theme/etc? Whatever you find out, report it to whoever can patch it.
Thank you for transparently reporting this info. Honestly, a lot of organizations that encounter situations like this would prefer nothing more than to hide it all, deny it ever happened, or downplay and obscure the seriousness of the damage. Public relations can be a sick game of deceit sometimes. Thank you for your honesty and openness.
Edit by Clem: I’m answering this on Feb 24th and we have more info. It was a brand new version of WP with no plugins but using a theme called Sydney. That said, there were already PHP backdoors on the forums and we think we had lax file permissions too.
I second the recommendation to sign all ISOs with GPG and host the gpg sigs and key(s) via HTTPS. They are after all really small files and are very important! For checksums I’d switch to using both sha512 and whirlpool.
I just wanted to say that for all of those requesting that linuxmint.com should have https:// , that would do absolutely nothing to prevent all attacks and would be no guarantee that any information (such as hashes) that is put on the site is legit.
All that does is encrypt the data between the server and the viewer.
It does prevent that data from being sniffed, however if a site is compromised and false information (such as fake hashes) posted, then having https:// isn’t going to make a difference.
On the flip side however:
1. The site really should have https:// enabled, as it can help to encrypt data between servers and those with administrative access to help decrease the chance of MITM attacks and sniffing. Having no SSL or mixed SSL usage on a site is a recipe for disaster.
2. The fact that http://blog.linuxmint.com/wp-login.php is even accessible when I checked is REALLY disturbing and probably the BIGGEST security risk. It’s not that hard to move this to another location. There are even plugins specifically designed to do this.
3. Even if moving the login page, it should only allow requests to administrative areas specifically for those that should have access to these areas. It is not hard to have a modified .htaccess file that denies access to administrative areas except for preset IP addresses. If you need to gain access from a location not in the list, modification of the .htaccess to add a temporary IP via SSH is easy.
Just a few ideas…
While you’re moderating maybe make that link ‘not clickable’ so no one accidentally clicks it…IDK
thankx
Sorry to hear you guys got hacked. Thanks for being upfront & honest about what happened.
WordPress does seem to have quite a history for these sorts of incidents. Are there any plans to move away from it? Perhaps in time? Would more manpower/resource for the website help? Maybe get someone from the community to do it?
I wouldn’t mind having a crack at it as a volunteer, if your team is interested. Mint’s done a lot for me, so it’d be nice to give back in some way.
I downloaded and installed 17.3 with Xfce 2 days ago, but have already removed the ISO. I understand your claim that only the Cinnamon version was hacked, but would still feel much safer if I can run some checks to confirm my installation is virus-free. Is there any other way to do this?
I have the same question as Neb above me, I checked the live session and only found man.db not man.cy, am I safe?
As mentioned, only the links to the ISOs are compromised. It was also mentioned in the comments that repositories were not compromised.
But, is there a way to check if our machine is infected or not, with this backdoor?
I do update as soon as there’s an update available. And I just did a kernel upgrade before this was posted. I wonder if there’s a way for me to check if my system is clean from this kind of backdoor/infection.
Thanks.
“I wonder if there’s a way for me to check if my system is clean from this kind of backdoor/infection.”
You might try asking @ http://www.kernelmode.info/forum/
The staff there seems to be quite in the know.
Sorry to ask, but yesterday I downloaded LMDE2 via torrent. I’m checking the md5 sum anyway, just in case, but I can’t compare it since the site is down… the terminal says: “55d22b55687770f7e60013ccf1575baf lmde-2-201503-mate-32bit.iso”. Is that right?
This underscores a serious problem with Linux Mint’s release integrity.
MD5 is totally broken. It takes only an hour to generate a collision on regular hardware. If hackers placed backdoored ISOs on your servers that had valid MD5s, it would be hard to detect. I’m surprised they didn’t attempt a hash collision in this breach. You need to switch to secure hash functions like SHA256.
Redundancy and community reporting of issues only go so far. You also need a secure way to prove the hashes are authentic. If hackers changed the hashes listed on your server to hashes of the backdoored ISOs, this would also make it hard to detect the breach. For example, this very WordPress blog post could be hacked and the hashes listed above as “valid” could be changed and none of us would know. Get a PGP key and start signing either the hashes or the ISOs themselves. Every other serious distro does this, and it’s so easy there is no excuse for not doing it.
This should never happen again.
Do you think this could have been a false flag attack by the NSA and/or FBI in connection with the Kennedy assassination?
I hope that md5sums and sha256sums could be put on 3rd party external server. maybe git repository.
I do not think it’s secure to have the ISOs and the md5sums on the same server.
I downloaded the 64bit mint 17.3 cinnamon through your torrent on the 20th, were those affected also?
I don’t have the DVD I burned the ISO to, so how can I check my installation?
I installed it on January 5, so maybe it’s OK?
Well, this is a damn shame and a bloody pain in the arse for you guys. I’m just double checking here. I presume that LMDE2 is unaffected by this intrusion. I hope for the sake of everyone, you get it all cleared up soon – good luck.
OK, fast reaction, good work. All we can do now is warn as many people as we can through as many channels possible.
My ISOs were quite ‘old’, hence not affected.
Have you considered releasing a version 17.4 so you can simply say 17.3 is bad and for users to re-download if they have an iso with that filename?
What is the possibility this has happened previously on older versions and not just 17.3?
Is there any place security researchers can get either the malicious files or the whole infected ISO?
How does this affect apt updates from mint domains? Is it possible for them to modify the signing key thus allowing malicious updates and downloads?
@KenWeiLL If you haven’t downloaded an ISO recently and update as usual (through apt-get or update manager), you should not be affected by this. This is only concerning people, who downloaded and installed a linux mint ISO recently. (Please also read the past comments – especially #3 and #8)
Hello
I made a strange observation. A ping to absentvodka brings the following results
ping absentvodka.com
PING absentvodka.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.050 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.051 ms
^C
--- absentvodka.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0,033/0,046/0,051/0,009 ms
My 17.3 installation is an upgrade version, so should not be affected.
Does somebody has any idea?
Are the torrents on this site OK to download?
http://torrents.linuxmint.com/
Hey Clem, can i download the good .iso from here http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
Is it still good practice to use MD5 for important signatures?.. sha256sum might provide more confidence.
@clem I know you are prob. very busy cleaning up (or getting a bit of sleep), but when you have the time, information on the version of wordpress that led to the breach?
@KenWeiLL:
No easy solution. It’s hard work. You could checksum all files in (relevant) packages and compare that with another machine with same versions of packages that is known to be clean, but where do you find that? I think you can assume for now that the repositories haven’t been compromised.
What you really need to do is ditch wordpress for hosting downloads, move to a static website that doesn’t depend on any vulnerable plugins. Get HTTPs to ensure that the correct page is served to clients (costs nothing thanks to Let’s Encrypt) and sign the ISOs with GPG keys that are not stored on the server, and enforce verification (like Tails).
looks like bitcoin miners are none too happy with this:
http://bitcoinist.net/linux-mint-backdoor-puts-users-and-bitcoin-miners-at-risk/
sorry for double-post, delete the first please
I wondered why the site was down this morning. Thought it might have been more server trouble. Thanks Clem and the team for dealing with this so well and so quickly. It really makes me mad that some asshole would attack us like that.
BTW. could you please add / fix https to your online services, so the readers are sure, that the MD5 checksums are valid?
Edit by Clem: Yes, it’s coming. Please don’t trust a page just because it’s https though. That protects you from your local entourage, but it doesn’t protect you from a server being hacked.
I know it is unrelated but maybe this is a warning sign that Mint should turn on level 4 and 5 updates in the updater..
Wow this sucks.
Glad you noticed this right away Clem, I installed awhile ago way before the 20th so I should be good and checked the var/lib folder seems clean but will double check things just be sure.
Thanks for the very quick response, just good to see that and wanted to shout out a big thanks for the quick response.
I’ll check back to see when things are cleared up before doing any updates just to be on the safe side.
Don’t rush it, better to be clean and sure 🙂
Good to be back home
You commented that they got in through WordPress. Not that surprising, WordPress never had a good security record, but exactly what method did they use to get in? Was the fault on you because of outdated software, or on WordPress? Also, have you considered replacing WP with something with a better record like Drupal or maybe no CMS at all to reduce the attack surface?
Ok I started downloading it via torrent, but now stopped it until things are correct.
I am concerned about sites I maintain via wordpress hosting, however my servers are on 1and1 so I think 1and1 keeps them pretty safe and I have security plugins, but my wordpress have been hacked before also, but not since beefing up wordpress security, 1and1 is good in shutting down the site if it is under attack and alerting me.
Do you have your own server or is it hosted, maybe you should go to hosting that has more security ? Idk, now I must check my wordpress sites.
Yes linuxmint still down. Ok I will wait until you fix it.
What about updates via my Linux Mint PCs, are these affected? I noticed some posts about that.
What is the timeframe for this shutdown? Is there another way to download it (like a torrent or something)?
I’m asking because trying out Linux was supposed to be my sunday activity this weekend
What a scumbag thing to do to such a benevolent project. Appreciate you quickly making the right decision to inform the public, Clem. Mint has a great reputation for a good reason.
by the way I noticed when submitting my comment, you have wordpress on this blog below, not good for hackers.. also different table names instead of the default wp_ and not using admin as a username, and also once hacked recommend malware and virus scanning all files on the server, and if you are not sure, go way back until you know a file on the server was not compromised.
I have over 100 sites I manage, this happened to several of them 2 times, until I had more beefed up security.
do you use bulletproof security, ithemes security, wordfence and other plugins to protect ? I would also recommend googling for stronger wordpress security, I read these every month and continue to make my sites stronger
this is a good one, https://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/
if you need more advice you probably can see my email, i can recommend some things for you
please use GPG and sign the releases from now on! checksums are good for download verification but GPG Signatures are the real deal!
I hope from now on Clem and Linux Mint developers will take privacy and security a lot more seriously in terms of not just the website but more importantly the Mint OS as well as applying security and kernel updates.
Security has to be moved to high on the development agenda and not just the basic implementations like it is now.
Fred Barclay – I still have copies of those ISOs – How do you want me to get them to you?
Clem – That’s OK I understand the problem and all the extra work that is involved.
If your sentence starts with “I know it is unrelated but”… then is it really worth finishing?
Clem, thank you for your vigilance, it’s appreciated. As for the crackers: may the fleas of a thousand camels infest these miscreants’ armpits and groin regions.
Sorry I didn’t get it, the torrents were not affected and direct http version was not affected either. So what was actually affected?
Edit by Clem: The website itself, i.e. the MD5 and the links pointing to the mirrors (they weren’t pointing to the mirrors but to the hacked ISO).
That sucks so bad man! Total support for you Clem and the whole team. I am not using Mint at the moment but I love it and I have used it for many years. As soon as everything is up and running again I’ll make a donation to support you guys.
Where can we download 17.3 Cinnamon now?
Or when will we be able to?
I want to install it on my PC for some work, and I want to know when it is safe.
Are mirrors affected? Or only the links on the website?
Is this clean?
http://mirror.telepoint.bg/
Yesterday I downloaded linuxmint-17.3-cinnamon-32bit.iso.
According to the file properties it is from Sat 20 Feb 2016 09:48:42 PM CET.
Did md5sum; it checks out OK.
Jumped the gun! :-S
Website must have been compromised after that time
Good luck with resolving the issue!
Facebook is even offering the Hacker side of this issue in its “People Also Shared” list showing how to compromise the Mint ISO (the blog appeared to be from the Mint 15.x days).
my MD5sum is ok.
But please clarify:
“Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.”
Is the live session directory /var/lib and the infected file man.cy?
Dear Linux Mint team,
I’ve downloaded my ISO file on the 19th. Should I be affected by this unfortunate occurrence that happened to the Linux Mint website?
Does this include all of the mirrors that host Linux Mint downloads too? I get all of mine from the James Madison University site, because in my area, it’s the fastest.
On the other hand, I do have a couple of Mint 17 (no point release) & Mint 17.2, which is usable, yet I don’t like it, as it takes away much of cpufreq. The answer after I filed a bug was to disable Intel_PState, and this would make Mint act as the older versions.
Just scared to do something that may mess up my new CPU, the i7-4790K.
Cat
I did download the ISO, and found the man.cy.
I installed it to a new partition next to Win8 on my secondary laptop with a USB drive.
However, I think I’m lucky because even though I did connect to the network, I was not able to access any websites due to the DNS service not working (due to a bug?). I was able to ping IPs but not able to access any websites.
So I didn’t log in anywhere on the net, and found this blog post while searching for a solution.
Could you confirm that I’m safe this way?
Thanks,
Gerry
Edit by Clem: Afaik the backdoor couldn’t create the initial connection without DNS resolution (it tries a list of domain names), so you’re probably safe. Make sure you wipe that install and destroy that ISO though if it’s not already done.
Maybe torrent is an option, as it is harder to hack. As long as the server is down, you could publish the torrent files here on the blog so that people who need it can download the ISOs.
bananabob: I’d like a copy of the backdoored ISO as well; there seemed to be quite a big size difference between the legit and backdoored one that wasn’t explained by just that script. Unfortunately I could’ve grabbed a full copy from the attackers’ server before it got taken offline. Could you upload it to Mega or torrent/etc., somewhere where we can grab it?
Be careful with attribution. The link with Bulgaria is far from obvious. First, the IP address 5.104.175.212 is registered to an ISP in Belize, Verdina (the code BG – Bulgaria – is probably a mistake since it does not fit the city). The contact (Lyubomir Bambov) is mentioned with an address in Bulgaria, but we all know Internet databases are purely declarative, so the Verdina client could have said anything.
Second, the domain absentvodka.com does not have public data (hidden behind a proxy), so you cannot really tell.
Third, this domain went (in January) to another IP address in Belize, 82.118.233.119 (Verdina, again), but now goes to 127.0.0.1, not convenient for remote access.
Could you please detail the way your website was hacked?
I think this would help other admins a lot in not experiencing the same situation.
Please don’t use md5 for this kind of integrity check anymore. It’s possible for an attacker to craft a modified ISO with the same checksum as the original.
Do use SHA2-based sums.
Maybe it would be good to have an internet standard for automatic checks of MD5sums in general. Something like they’re trying for Tails (https://tails.boum.org/blueprint/bootstrapping/extension/).
On a Dutch tech site I’m reading about the forum also being hacked. Is this true, and do we need to change our passwords?
Dear Clem,
Thank you for your great work on this Linux distribution and for informing the community right away. You have my sympathy, I would not want to have to go through what you are going through right now.
I have a few questions though. First, why don’t you immediately involve the authorities? It seems the right thing to do; you have been attacked and a potentially large number of users could have been affected.
Second, I politely suggest that you read .
Third, could you link the shasums you provided in the comments more prominently in the post itself? (Also, the mirror server you linked supports HTTPS.)
Fourth, although I know that this is not your first priority currently, have you looked into letsencrypt? That should be a safe and quick way to get HTTPS running on the Linux Mint websites.
Best regards,
jwi
Clem, regarding:
‘As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.’
I’m afraid this is not right. Friday the 20th I downloaded 3 ISOs.
At first a 17.3 64bit XFCE via torrent. Checked the MD5sum: faulty result. Deleted the download.
Secondly tried a direct download for again 17.3 64bit XFCE. Same problem, incorrect MD5sum – deleted.
Couple of hours later I downloaded a 17.3 64bit Cinnamon, directly from Heanet. After checking the MD5sum and getting bad result I deleted and gave up.
I probably should have informed you guys (earlier), which I unfortunately didn’t. Sorry for that.
Hello Clem, as a friend and promoter of Linux Mint, I am a bit surprised that in your reply to Fred Barclay’s Post (#11 ITT) you don’t react at all to his constructive suggestion of using PGP signatures for download verification, but instead fully ignore it and talk about the oh so great security of duplicated md5sums.
Cryptographic signing with PGP is the global de facto standard for secure verification of digital data, which can’t be stressed enough.
On the contrary, posting (known insecure) md5sums on the same (hacked) website (wordpress!) as the download link itself and not even providing secure https connections, is IMHO for the very least *grossly negligent* and hard to not interpret as a dead canary.
I am well aware that 100% security is an illusion – and the closer we get, the harder they fight. But the tools to massively improve it are at our fingertips.
Nevertheless thanks for this great distro!
Regards,
Florian
I tried to install Linux Mint 17.3 with a USB installer (pendrivelinux) on the 19th, but it gave an error when choosing a partition, after which I gave up installing it. I tried to redownload it on the 20th, however again the same error occurred, after which I gave up again and today read this. So I did start up Mint 17.3 (using the USB stick), but when I wanted to install it on my computer the installer failed me. Should I really reset my entire Windows OS for this or is there no damage done to me? Isn’t there any other way?
Please do not refer to checksums as signatures, it’s misleading. If the user verifies the (real in meaning) signatures she can instantly know that bad things happened and keeps safe.
Are you sure the MD5 values on this page have not been modified?
Hey team,
I would like to thank you for being open and transparent on this.
This event should be an eye opener in general of how important it is to keep our basement safe.
Moreover, I would like to point out that you have reacted extremely fast. Such hacks generally run through undetected for months. Thank you for this!
I know that you are passing a very shitty time for the moment, even more since you are doing all this work out of passion for FOSS. Please keep in mind that you are the victims here and not the wrongdoers.
Please keep the process as transparent as possible and do not hesitate to ask security people for help.
Good Luck!
I’m new to linux, so I have some rather dumb questions. I downloaded the affected iso on my windows 10 pc. I wanted to install Linux Mint but I haven’t done anything with the iso so far (neither opened or burned). Is my windows 10 now contaminated as well?
Edit by Clem: No, the ISO file itself isn’t dangerous. What’s dangerous is the backdoor that is run within the OS included in the ISO when and after it is installed.
Clem, if you still want to use WordPress after this, please consider spending a little time doing some security hardening of your WordPress installation.
There are several excellent plugins available that will assist in the process, such as iThemes Security. It may not be enough to keep a determined attacker out, but it will certainly improve your odds against random script kids and classic exploits.
Better yet, compartmentalize: don’t put WordPress on the same system as anything important.
To cat1092:
I address the cpufreq and Intel PState issues in my ebook.
It’s in the Turbo chapter.
You can download it at my website.
http://bettyboopdatabase.atwebpages.com/book/
Maybe you should look into the advertisements on your page too. Is openofflice.padott.com a serious website or something else?
Good luck
Luuk
I have installed the hacked version alongside a Windows partition – is it likely that data / credentials were read from the Windows partition?
I’m curious if you have been able to narrow down exactly how the breach happened. I’m primarily interested if there was a wordpress core exploit, or if the attack was done through a vulnerable plugin.
For what it’s worth, I downloaded the direct file Mint Cinnamon 17.3 64-bit edition. I have checked md5sum via terminal and it matches exactly with the value given above. Thanks to the developers for telling the problems to the user as soon as finding the threat.
Security and vulnerabilities can’t be compromised in this digital world. Take some measures and good luck for the recovery of our beautiful OS. Make the site up and running soon.
Thank you once again, developers.
You’re doing a valiant job, Clem and co., and your upfront honesty is refreshing, as indeed is your vigilance in responding quickly to this. You deserve a cold beer at the end of the day.
Are you still going to use WordPress? In this CMS, there is bug on bug.
Does this problem touch other distros like KDE?
“Ken Says:
February 21st, 2016 at 10:43 am
My MD5sum is OK.
But please clarify:
“Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.”
Is the live session directory /var/lib and the infected file man.cy?”
Would be very interesting. I got it in the same way.
In my case, I haven’t stored the image file, but installed Linux Mint. That means, if there is no file called “man.cy”, my system is clean, right?
Thx, Andy
Wow, that’s crazy timing… I started downloading mint yesterday (20th), but it was going slow so I swapped to a different mirror… turns out my download history shows: http://5.104.175.216/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso
Wanted to download it to see how the backdoor worked, but it’s not there anymore.
Anyone had a look at the back door in question? Interested now.
Thank you for your report and your control. I like this attention; I do not trust those who claim to never have problems.
Best regards. Eros.
Bad news here… One noob question: if the website is compromised, can’t they modify the ISO files AND the MD5 signature?
Additionally, you should change MD5 to SHA256 or better a GPG signature with public keys on an independent website.
Yes, I downloaded it from the Kent Uni site. It’s on a USB and I haven’t been able to boot into it for some reason (options are USB hard drive, USB superdrive). Just done a checksum check and they don’t match, so will download again.
Trying to breathe new life into an HP 8510w.
Geoffrey
I hope you are able to figure out the issues. Mint is my favorite distribution. I guess since people are hacking Mint, you are now considered popular!
so did you bother to track the back door? where does the rabbit hole lead?
Edit by Clem: The fake ISO in Sofia, the OS backdoor in Sofia also, the guy accessing our server via the second backdoor from Russia, but when you look at a hole and see somebody looking at you, you need to figure out who knows more than the other, and if we’re reacting to their actions it was pretty clear we had to take everything down. The hacker from Russia (could be a VPN of course) even DDOSed my personal IP to prevent me from taking the site down. He also took down part of his set up since.
I DID download and install Linux 32bit Cinnamon yesterday, Feb 20th from a German server. The md5 checksum was valid. However, there was an error message during install that caught my attention:
“EDID checksum is invalid reminder is 45” (or so)
I downloaded, burnt and installed twice, I got the same error message each time. Might not have anything to do with the Bulgarians, but I still wanted to let You know.
I’m new to Linux Mint, and boy is this exciting. I just wanted to create an account on linuxmint.org to post this, but had to post here instead.
Of course I am wondering if my iso is corrupted, but I’ll probably reinstall either way.
Edit by Clem: Hi, it’s not related. The MD5 sum of the hacked ISO would not match.
What evidence have you got that the attack was via WordPress? If it’s something in core (extremely unlikely), then you should report it responsibly.
More likely it’s from a poorly coded plugin or theme, which should also be reported responsibly to the author concerned. Or, it’s due to lax file permissions or other server mis-configuration.
Either way, accusing WordPress (core) without any further details is detrimental to all.
Edit by Clem: We found an uploaded php backdoor in the theme directory of a wordpress installation, which was 1 day old and had no plugins running. The theme was new but most importantly I think we had lax file permissions on this. This was only set up hours before the attack but we were probably scanned for something like this for a while. Anyhow, we don’t know yet how it was uploaded but we know it happened there, and I’m certainly not pointing the finger at anybody. People just asked if we were running wordpress or if wordpress was used in the attack and I answered yes.
Hope you will fix this mess up fast…
and hope you switch to Joomla
🙂
(sorry, bad English)
Why were only the links to the ISOs changed and not also the displayed MD5 numbers?
Edit by Clem: They could change anything in the database, so both md5s and links to mirrors.
@plata : might come to have a need for encrypted ISOs, not just checksums…
Hope these guys didn’t hack the update servers as well. Guess I’ll have to suspend update checking for a few days.
Hi, sorry to hear this happened
I downloaded a linux mint 17.3 xfce 64 bit, and wanted to verify the checksum just in case, however your site is down at the moment.
Is there a way you could get it from somewhere else?
Edit by Clem: Yes, http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
Hi,
First of all – thanks for managing this incident so well. Looks like a paid attack. What kind of hacker could have the motivation to hurt Linux in general? Linux is the number one OS for hackers. I would suggest you install some kind of guardian service that shields your downloads completely from the rest of your web presence, only allowing access through a “manager” that sits within a virtual network that can only be accessed from within the virtual network, implementing a background check for the downloaded files and issuing some kind of download tickets. Another service could check the extracted ISO files (something similar to rkhunter) each hour for file changes.
Edit by Clem: We’ve a bit more information about it now and we think it’s a single individual with no funding behind the attack. We’ll pass the relay to a security firm now.
Are you sure it was the 20th? I have 2 different hashes of 17.3 Cinnamon ISOs that I downloaded on the 19th in the morning. I didn’t check the hash until today.
Edit by Clem: What hashes do you have?
Clem, are you aware of this? (Found via Slashdot firehose)
http://news.softpedia.com/news/linux-mint-website-hack-a-timeline-of-events-500719.shtml
“Someone with the peace_of_mind username was selling the “Linuxmint.com shell, php mailer, and full forum dump” for 0.1910 Bitcoin (~$85)”
Edit by Clem: It’s very good. I disagree with the origin of the attack, we found the first backdoor and it was possible to access the forums database from there. The information about tsunami is very interesting (not that it’s the time for an evening read, we’re ultra busy as you can imagine but it’s important we understand as much as possible and this helps). Regarding the modus operandi I agree as well, we’d spend much more than $85 to stop that data but without trust nothing can happen. We’re getting ready to purchase 2 or 3 additional servers so we can split the services and we’ll probably also contract a security firm to look into the bottom of this for us, we’re software developers not intrusion experts. In the end it’s going to cost much more than $85.
Dirk: See comment #3. Clem says the repositories (the update-servers) aren’t affected. So, no need to suspend updating.
In some ways it might be good that this has happened. I’m a bit of a newbie to Mint and I like it a lot. However, I was, and still am, amazed at the attitude to basic security that is often seen on Mint forums.
Every now and then someone posts into the forums asking why the GUI firewall controller (GUFW) isn’t installed and activated by default in new installs of Linux Mint. The response, and this is from people that are real gurus when it comes to Mint, is that this isn’t necessary – Linux is inherently secure. (This, more often than not, is stated from a “relative to Windows” point of view.) This attitude, often expressed by experts, never ceases to amaze me.
Installing and activating GUFW as part of a new install of Mint, as best as I can see, at the least enhances security a little bit and is certainly not detrimental to security – on that basis alone, I would take it as a better than good argument for installing and activating it at the time of install of Mint. By doing that one thing an additional layer of security would be added to Mint at the time of install. So why isn’t this done?
I would suppose now that Mint developers will be hardening security for its own servers – all to the good. However, please don’t leave the end users out of this equation. If Mint can (now) see the point of hardening its own security, why, oh why, can’t that same courtesy also be extended to the end user as a matter of routine?
Install and activate GUFW at the time of a new install, it makes sense. And maybe, going forward, do some serious development on GUFW so that it is readily configurable by (relatively) naive users (like myself). GUFW could be greatly improved just by allowing or blocking of connections on a per-program/per-process basis.
P.S. I do understand that on the surface this looks like I’m not actually suggesting anything that is related to the situation with compromised ISOs. However, I would argue that it does – there is an attitude that exists in the Linux community that leads to lax opinions around the area of security. That attitude relates to both these issues and, I would say, really does need to be addressed. Now would be a good time to address it.
Hope this helps.
I decided to give Linux a try yesterday and downloaded the Mint 64-bit. I verified the signature and it seems I have a hacked copy 🙁 I hope my personal information wasn’t compromised.
Edit by Clem: Afaik downloading it isn’t dangerous. The backdoor opens when you run it or after you install it.
Would it have compromised any of my other computers on my network? Or only the one that I installed it on?
Edit by Clem: By itself it only creates a backdoor. But from that backdoor, the hacker can issue commands run by your computer, so it’s hard to know what he might do, how much effort he might put into hacking you specifically, etc. If a computer was hacked on your network, check what that computer is able to do on other computers on the network.
Hey Clem, as a Drupal site administrator I feel your pain. Thanks for the transparency.
Have you considered using a static site generator such as Hugo (https://gohugo.io) or a similar tool? They are very easy to use and have some fantastic site templates. The advantage is that all of the CMS features happen on your desktop computer, and all you have to do is rsync a bunch of automatically generated HTML and CSS files to your server. Practically impossible to exploit that.
Edit by Clem: That sounds cool, we’ll still need dynamic server pages for the forums of course but we can look into that at some stage.
I remember clem saying in a discussion about security on IRC that you will lock your door but not secure it against someone who fires an RPG at it. Maybe the real lesson out of this will be that Linux Mint has become important enough to fire RPGs after all.
Why are you still using MD5 to check the signature?
Hi,
You should make a redirect from linuxmint.org/.com to this post, so everybody can see what happened.
At the moment I got an error of an unreachable website.
Did the hackers also have access to password data? Even if it was hashed you probably should warn users.
Edit by Clem: Yes, I made a separate post for this after it was confirmed as it affects different people than the hacked ISOs.
Thank you for responding to this security issue.
Here are some suggestions to improve security, which can hopefully be included in the next LTS.
- always show security updates and mark them as trusted; optionally let them install automatically
- remove Flash from the list of default packages
Please clarify if (man.cy) is a file or a folder.
The only one available in my live ISO is (man-db) but no (man.cy).
Thanks
Edit by Clem: It’s a file, it’s the source code for the backdoor.
#11 is right: having a hashes file signed is the way to go, as long as the signing key is trustable (meaning, signed by well-known keys in the community).
In this attack, hashes weren’t affected but if they were, it could’ve been a lot harder to detect!
Also, consider using other hash algo rather than MD5, which has been deprecated for years… SHA256 is the minimum standard, and the change affects nothing. Even cellphones can quickly calculate a 2GB SHA256 hash in 1 minute or less.
Of course multiplication and decentralization works, as Clem says, but having an extra check doesn’t hurt at all…
Cheers and kudos for addressing this quickly. I’m sure many of you didn’t sleep last night, and many others might have been awakened with urgent bad news… thx to you, guys!
Can’t you use MintUpdate to push an update to infected computers that removes the backdoor?
Edit by Clem: We’re still looking into that backdoor. We’ve got the code for it, we know what it does, we think it portrays itself as being apt-cache and we don’t know everything about it just yet. It’s important we do before messing with it remotely.
Hi Clem.
Consider watching this video from late-2013. It says that MD5 is broken. SHA2 or SHA3 were recommended instead.
Hashing Algorithms and Security – Computerphile: https://www.youtube.com/watch?v=b4b8ktEV4Bg
I’d like to hear your thoughts on this.
Could you at the very least post legitimate torrents of the ISO? I need it…
“second intrusion”?
If I updated to 17.3 from the update manager yesterday, should I be concerned?
Edit by Clem: no.
@Radish
Adding a FW does not help if you need to interact with a box through network protocol like http AND the software (wordpress) has a breach.
However, enabling a firewall is a smart move in case you run software that isn’t supposed to be exposed (outside your box or LAN), and I prefer to let ’em hang when I drop the packets (pun intended).
No housewives (read: newbies for whom Linux Mint is friendly) ever watched, or ever will watch, either MD5 or SHA*. It should be clear to those who just want to say something about security. Eeepic fail was inevitable.
Hi guys,
I’m sorry to hear about the issues you’re having now. The Mint project has been a great way of getting people onto Linux and I’m sure it’ll keep being that way.
I’m not sure if you’ve heard but letsencrypt.org is a good way of getting https setup with free ssl certificates. (Brought together by our friends at the Linux Foundation.)
Also it might be worth having a static page in place of the main Linux Mint page with a message. Start up a free instance of AWS to put the page on.
-P
https://ftp.heanet.ie/mirrors/linuxmint.com/stable/17.3/ for those wanting it; I checked the MD5 of the 64-bit Mint Cinnamon ISO. Use an MD5 checker to verify your download. 🙂
Is there a way to check if my installed Mint is compromised? I no longer have ISO to check MD5, I downloaded it on Friday around 21:00 CET.
Edit by Clem: If you see a file in /var/lib/man.cy then it’s definitely not right and you need to wipe the OS. If the file is not there, then it’s VERY likely to be OK but we can’t rule out the possibility of the hacker using the backdoor to remove that file. To be honest, considering it’s been just one day and even though it might sound like an excessive precaution, why take a risk? I’d recommend you wipe it.
Any chance updating current clean installs can get infected?
Edit by Clem: It’s not easy to be or sound confident after you got hacked. That said, we didn’t find any trace of hacks affecting the repositories.
I just made contact with the owner of the network 5.104.175.0 (pointing to this article) and he told me that he will see what the case is and will take measures.
Could you give a detailed description of how they managed to get in via WordPress? I’m curious whether it is a 0-day exploit due to a bug in WordPress core or whether it was caused by plugins that you’re running. If it’s due to a core WordPress bug then every WordPress website out there is in serious trouble.
Edit by Clem: No plugins, latest WP, but a custom theme and lax file permissions for a few hours. The security experts will probably find the exact cause. At the moment there’s no indication it’s related to WP core (we’d probably see a lot more sites being hacked right now, this seems to be targeted specifically at us).
Hello, Clem!
I’ve downloaded and installed Mint x64 alongside Windows 7 on the 20th Feb, but couldn’t get access to the internet that day, after which I decided to reinstall Mint x32. And today I’ve found that there was a hack of the server. I’ve checked both ISOs and it turned out that they are poisoned. Here is the question: is it enough to remove only Mint from my PC or is it better to remove Win7 too? Thanks.
https://scrot.moe/image/Jk80 – here is our quick conversation … if someone needs translation – I’ll provide it
Edit by Clem: Please do, he’s one of the 3 people on our list, it would be nice to rule him out and if his server got hacked as well he should be able to provide extra information about the attacker.
Hi,
Took this, while the MD5 is not correct!
linuxmint-17.3-cinnamon-32bit-de-20151231.iso
It is from 13.02.2016.
I have got: 117ebb18ed163fe5488a8b5de8c958c2 as MD5.
The other one is OK:
linuxmint-17.3-cinnamon-64bit.iso (16.01.2016)
e71a2aad8b58605e906dbea444dc4983
I used 2 verifier programs for that.
The good thing is that if Linux Mint was hacked, it means they admit Mint Popularity among Linux users. Linux Mint staff should be proud after all.
I’ve had projects hacked dozens of times over the years. Good luck getting everything sorted, I feel your pain.
MD5 is not secure; a home computer can make files with colliding MD5 sums.
Please use SHA256 instead.
Edit by Clem: I know. We use both, we’ll probably default to showing sha256 for upcoming releases. Note that in this attack, the fake ISO fails to match with all sums, including MD5.
I downloaded and installed linuxmint-17-mate-64bit-v2 on a laptop Friday night around 10pm EST. Do I need to be concerned? If so, what is the valid signature for that ISO so I can compare? Thank you.
Edit by Clem: You can find all of them at http://ftp.heanet.ie/pub/linuxmint.com/stable/
@negthom Yes, I’m interested in a translation!
Hi, Clem-
I updated my linux mint rosa last night from my windows pc, didn’t go to a website. I’m a noob, and not sure how to check the iso steps listed. What I found was initrd.img 3.19.0-32-generic Gzip archive dated 2-20-16, seems to be my update.
Am I ok?
As a tech support agent for a mobile carrier, I understand how exhausted you must be from troubleshooting the intrusion. Hope you have beer, and are able to get some sleep.
Best wishes!
Edit by Clem: Yes. This is one of these rare moments when sleep sounds better than beer.
Is it still safe to run updates?
there is a file in /var/lib/man-db, is this an infected ISO ?
Edit by Clem: No, that’s normal.
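As an added example (not Linux Mint's own code), here is a small Python tool that does the two checks this thread keeps returning to: verifying a downloaded ISO against a checksum list in `sha256sum`/`md5sum` output format (the MD5 vs SHA256 discussion above), and looking for the /var/lib/man.cy indicator file on a mounted live session or installed partition (the man-db vs man.cy confusion above). The ISO bytes, checksum list and directory layout it builds are constructed fixtures, not real Mint images.

```python
"""Verify an ISO against a published checksum list and check a mounted
root for the /var/lib/man.cy indicator named in the Linux Mint post.
Added example, not project code; all sample data is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator named in the post: a regular FILE at /var/lib/man.cy.
# /var/lib/man-db is a normal system directory and must not match.
INDICATOR_RELPATH = Path("var/lib/man.cy")


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Stream the file through hashlib so multi-GB ISOs fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse '<hexdigest>  <filename>' lines as written by sha256sum/md5sum
    (two spaces, or ' *' for binary mode). Returns {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if digest and name:
            sums[name] = digest.lower()
    return sums


def verify_iso(iso_path, sums_text, algo="sha256"):
    """Return (ok, expected, actual). ok is False when the file is absent
    from the list or the digest differs. As the thread notes, the fake ISO
    fails every published sum, MD5 included; the point of SHA-256 plus a
    signature on the list is resisting a forged list, not this one case."""
    sums = parse_sums(sums_text)
    expected = sums.get(os.path.basename(iso_path))
    actual = file_digest(iso_path, algo)
    return (expected is not None and expected == actual, expected, actual)


def has_backdoor_indicator(root):
    """True if <root>/var/lib/man.cy exists as a regular file. Point `root`
    at the mounted live session or installed partition (booted offline).
    A missing file is not proof the system is clean: the post says the
    backdoor could have been used to remove it."""
    return (Path(root) / INDICATOR_RELPATH).is_file()


def run_demo():
    """Build constructed fixtures in a temp directory and exercise both
    checks; returns a dict of results so they can be asserted on."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed stand-in for an ISO (not a real Linux Mint image).
        iso = tmp / "linuxmint-17.3-cinnamon-64bit.iso"
        iso.write_bytes(b"constructed iso payload\n" * 4096)
        # Checksum list in sha256sum format, as a project would publish it.
        sums_text = f"{file_digest(iso)}  {iso.name}\n"
        results["good_ok"] = verify_iso(iso, sums_text)[0]
        # Flip one bit: the digest must no longer match.
        data = bytearray(iso.read_bytes())
        data[100] ^= 0x01
        iso.write_bytes(bytes(data))
        results["tampered_ok"] = verify_iso(iso, sums_text)[0]
        # A file missing from the list is unverified, never silently OK.
        results["unlisted_ok"] = verify_iso(iso, "")[0]
        # Clean root: only the normal man-db directory exists.
        root = tmp / "root"
        (root / "var" / "lib" / "man-db").mkdir(parents=True)
        results["clean_root_flagged"] = has_backdoor_indicator(root)
        # Affected root: the man.cy file is present.
        (root / INDICATOR_RELPATH).write_text("# stand-in for backdoor\n")
        results["infected_root_flagged"] = has_backdoor_indicator(root)
    return results


if __name__ == "__main__":
    for check, value in run_demo().items():
        print(f"{check}: {value}")
```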
@bananabob Something like dropbox would probably be a good idea (unless you have a server I could wget the iso from).
Would you like to discuss this over IRC? That way we don’t clutter the comment section and also (if we use private messaging) not as much info would be publicly visible. 🙂
Hi,
I have downloaded the linuxmint-17.3-cinnamon-64bit.iso on the 9th of February and the hash does not match either?! oO
Edit by Clem: It could be a bad download too. You can make sure by running it in a virtual machine and checking to see if /var/lib/man.cy is present or not.
Regarding post 79 from me:
I also do not have the folder /var/lib/man.cy after booting from the image?? I thought the folder should be there but with no file in it?
If I don’t have the ISO with me anymore and I have installed it on my machine, is there any way for me to check? Will the file man.cy still be located at /var/lib?
REALLY ??
If you installed this ISO on a computer:
- Put the computer offline.
- Backup your personal data, if any.
- Reinstall the OS or format the partition.
- Change your passwords for sensitive websites (for your email in particular).
er…you might want to format all your partitions,
and consider what else on your lan might have been compromised.
….Not exactly setting a good example and inspiring trust are we?
#75 – Here it is:
Me: “Man, look what is being discussed here:
[link]
The address from where the attack is coming is within network, which has you enlisted as owner. And because I believe that isn’t you, I’m asking you to see what exactly is happening.”
He: “Hello, thank you I’ll take a look and will take measures”
Me: “Thank you”
He: “I thank [you] for the signal”
Me: “:)”
Edit by Clem: Thanks.
LMDE 2 ISO from 20 Feb: live session & install don’t work 🙁
I don’t know this guy personally. I just made some search earlier today just to find wtf is going on here. He has public profiles in FB and LinkedIn, which suggest that he is the most reliable person at least to stop the traffic to the source.
https://bg.linkedin.com/in/lyubomir-bambov-15493316
Ty for the blog, I had no idea linuxmint was attacked. I’m glad also that you provide torrents, though I only use MATE 17.2 and 17.3. Prior to this attack I was not able to download any torrents on linuxmint.com for a week or two. Everyone should make the habit to check the MD5 checksum. That’s the way to go!!! Viva MATE!!!
Interesting: on Feb. 12 between 4:56pm C & 8pm Central, I attempted to DL the ISO. It would not connect to let me DL, kept timing out. I ended up installing 17.2 from an old DVD. Upgraded to 17.3… point being: I wonder if they were messing around with servers before the 20th.
Thanks for the transparency, it shows professionalism. Will support financially the project after the “crisis” has been solved (wouldn’t want to give money to the hackers :). Good luck Clem!
Mint is by far my preferred OS ever!
I d/led 64bit cinnamon on the 20th. Verified checksum. It would not install. The auto-login kept looping. If I tried mint/no password, login failed.
Apologies if this has been asked already, but since Linux Mint website is currently offline, when can we download a clean copy of 17.3 in the meantime? Thanks 🙂
Hi,
are older isos completely safe, or should I wipe the system just out of precaution? I installed 17.3 Cinnamon on my girlfriends laptop like 3 weeks ago…
I’ll take the opportunity to say that Linux Mint is really a superb distro, keep the good work!!
Thanks.
Hi. Yesterday I installed Linux Mint KDE 17.3 (64 bit) version. Upgrading the system after the installation was successful. Could the upgrade I did yesterday have damaged my own system? Today my system reports no updates.
If I install the system now, will these upgrades be applied, and is it safe to do the upgrade until the problem is solved?
wow just reading zdnet, they say forum was stolen also (Quote: “It’s thought the Linux distro’s website and forum was stolen in the breach.
CSO’s Steve Ragan found an ad on a dark web site claiming to have a “full forum dump” of the site, with a going rate of about 0.19 bitcoin, or about $83 per download. (We were able to verify the listing exists, but could not speak to its authenticity.)”) Is this true????????
Clem,
Will you be getting an HTTPS cert now? Adding PGP and SHA1 signatures? Not using passwords of 6 letters containing the word “mint”? This is honestly extremely upsetting to me, as someone who loves Linux and recommends this distro to anyone who might want to give it a shot. I don’t think you should just go after these guys. I think you need to seriously reevaluate your security strategy here. Linux Mint is not a tiny indie project anymore. Another vulnerability at this scale would be devastating. Not only to mint, but to the greater Linux community.
Thanks for listening,
Jay
So any downloads of Cinnamon we got a few weeks ago is safe, correct?
Are regularly performed system updates (i.e. no fresh installations) safe or are chances that they are compromised/hacked too?
My last update of 17.3 “Rosa” (Cinnamon) was done on Friday, Feb. 19th.
Thanks,
Juergen
Well done on such an early discovery of the problem. I don’t envy you the cleanup job… I also downloaded 17.3 Cinnamon 64 bit on the 19th and had an infected side-by-side installation with Win7. I’ve now got to check other computers on my network.
You might like to be informed that the infection in the hacked Mint 17.3 also appeared to kill my Win7 network connections to local user requests. Seems too much of a coincidence on a previously good working installation….. so I may have a second OS to reinstall!
Any thoughts on this?
#76: A home computer can make two files with colliding MD5s. A giant supercomputer still can’t make a file with the same MD5 as an existing, published, known-safe file. Different attacks.
I upgraded from 17.2 to 17.3 on the 20th using the Update Manager, any risks from that? It looks from the comments that the repositories weren’t affected, so I’m 95% sure I’m ok, but still…
Clem – why was the site not protected by SSL/TLS certificates? LetsEncrypt.org is free and would have helped. Just seems like a very amateur mistake.
linuxero:
File corrupted with malware. Can you save it for forensic science?
Corrected versions have been posted.
(via online translator)
1742 hrs right now. Linux Mint site still down.
Had downloaded Linux Mint Cinnamon 32-bit (version 17.3) from Softpedia and ran MD5 linuxmint-17.3-cinnamon-32bit.iso (on a Macbook Pro – so not MD5sum).
MD5 (linuxmint-17.3-cinnamon-32bit.iso) = 6e7f7e03500747c6c3bfece2c9c8394f
Which matches the MD5sum stated by Clem. Upon finishing download however the ISO was moved straight to trash.
Presume safe or perhaps “dodgy” until the Linux Mint site is back up and running?
Hi guys..
I made a download of the 17.3 mate version 3 days ago..
Yesterday I made a download of LMDE2 mate too..
When I make a refresh in mintupdate(LMDE 2), this are the links it connects..
sudo lsof -ni{4,6}{udp,tcp}
http 4901 root 3u IPv4 45665 0t0 TCP 192.168.10.41:35253->91.189.95.83:http (ESTABLISHED)
http 4902 root 3u IPv4 45664 0t0 TCP 192.168.10.41:44987->213.13.27.81:http (ESTABLISHED)
https 4903 root 5u IPv4 47140 0t0 TCP 192.168.10.41:33392->185.26.183.130:https (ESTABLISHED)208.77.20.11:http (SYN_SENT)
http 4905 root 3u IPv4 43631 0t0 TCP 192.168.10.41:52003->91.121.10.104:http (ESTABLISHED)
http 4908 root 3u IPv4 47138 0t0 TCP 192.168.10.41:55662->46.38.244.109:http (ESTABLISHED)
does anyone see any problem here??
Is the system clock connected properly?
clock-app 3300 tuxd3v 15u IPv4 42955 0t0 TCP 192.168.10.41:60372->195.8.22.43:http (CLOSE_WAIT)
that link to opera happens with opera closed..don’t get it..
Good Luck to All, and thanks to Clem, for sharing this with us.
regards
tux
WordPress gets pwnt like this pretty often. Especially through theme functions lately. Ever think about developing your own website system, or building something static with no input for the download page?
I tried to read through everything, only saw one mention of the man-db under /var/lib
Checking for the man.cy, I do not have it, but I do have the man-db folder.
New to linux here, found a distro that is pleasing, concerned about this hacked version.
I had two events though that concerned me, on the 20th, navigate to Google.com and the site was blocking me, too many attempts or too many connections.
Installed skype, was sending a file to my colleague and it indicated I was sending the file to two contacts, and further investigating this was showing to be the same contact waiting to receive, I figure this is a skype issue though.
I have the ISO and install went fine, I am as I say new to linux and still have to learn how to do the MD5 check.
Should I be concerned? ISO File date is from Feb 05-2016 so downloaded long before the 20th.
REALLY liking this distro 🙂 thank you
Harlan
This in effect could kill the Mint project.
Trust is a delicate thing and many will form the view that if the master ISO can’t even be protected then this is a bit sketchy of a project to base their entire system on.
I’ve gone back to OS X sorry!
Downloaded 17,3 KDE yesterday so I’m OK but just saying it’s a testament to the security of Linux that miscreants have to resort to such practices just to get a back door in! As for WordPress – seen way too many compromised sites to touch it with the proverbial barge pole. Maybe it *can* be locked down but it’s evidently something that too many users don’t consider important. Maybe getting hit in a matter of hours after installing is bad luck but it shows how careful you need to be when a compromised system can lead to such a problem as this!
The cat is out of the bag, censoring comments won’t help the cause, twitter and reddit are eating this alive, dig in and fix this, get to the root, you have worked too hard to let this happen, and we have been faithful to the quest. Good luck…
P.S. Kudos for being so open and taking rapid action 🙂
I am running Linux Mint Debian Edition on 4 different computers and do all the updates as they come in do I have to worry? I use the Mate desktop.
Surely someone in the Linux Mint Community has a html/php compiler you can use to compile the webpages which would make such hacking far more difficult in the future. Many modern websites have switched over to Haskell compiled webpages to prevent similar attacks on their websites.
A page checksum test against the known index page bytes, which alerts the administrator if those change and restores the page from an archive, might be useful to look into.
Adding SHA256 hash sums and HTTPS seems to be what people have been asking for here over many years now. Would HTTPS have prevented the hackers gaming the html/php coding and breaking into the site? Probably not, but it might have helped prevent Linux Mint Community victims from traveling to the hackers’ non-HTTPS website, via a warning that the hackers’ connection was not HTTPS supported, and given them pause before continuing over an unsafe connection.
Given the circumstances, a mere “The valid signatures are below:” seems a bit short to be absolutely clear. Please add something like “If the md5 hash you have matches one of the values below, then you should be fine. If you don’t get a match, then your ISO file is compromised.”
When you are done fixing the issues at hand, please don’t head back to “business as usual”. Take this incident as a reminder that this project has grown to the point that hackers start targeting Linux Mint. Re-evaluate server security accordingly.
Regards
Blue6
Hi
I’ve installed Cinnamon yesterday through the package manager in MATE…could I be affected???
Hi,
Thanks for informing the community so promptly, could I suggest the next steps…
Rent another host, take the current host off-line and preserve as much evidence as possible. Contact the authorities, this is no time to play amateur detective.
Hi Clem and everyone,
I was just thinking, regarding the $85 thing above, Linux Mint has given my computers a whole new lease on life and saved my bacon when the upgrade from Ubuntu 10.x to 12.04 caused my quad-core to run like a snail, and I probably should have donated some money back by now (If I were working I would have already but anyway). I know now’s probably not the right time, but personally I’d be happy to put £10 or whatever in to help with this clean-up and I imagine that most of the people here probably would consider doing that so if it’s going to cost a lot and take money away from the normal development and running costs, maybe a little fundraiser would be in order.
Thanks for all your relentless work, I imagine you all must be going through a pretty stressful time right now so it’s really appreciated that you’re doing all you can to make everything safe again.
Regards,
Stellarpower
I have the same question:
“If I don’t have the ISO with me anymore and I have installed it on my machine, is there any way for me to check? Will the file man.cy still be located at /var/lib?”
Also, are there other symptoms, signs, or checks we can make on our currently installed Mint to further see if we are compromised?
Thanks!
This would probably be a good time to update this website to HTTPS, HTTP is too vulnerable.
I downloaded Mint 17.3 a long time ago. Is there any other way to find out if I’m safe? I got worried now. I also got some upgrades I’ve never seen before. It said it was due to some changes I’ve done in some scripts. But I haven’t changed any scripts. But I answered ‘no’ for ‘standard’. But if the only infected version was 20th February, I’m probably safe, right? I’m all new to this, and chose Linux for safety. I’m planning to give a friend Linux Mint, so I hope I can do that now, when this is fixed!
Hi Clem. Thanks for being open about this issue.
If you need system hardening advice later, let me know personally by email. I’m the original author of rkhunter (malware) and Lynis (security scan). I also can offer you our security guidance to the Mint Linux distro, free of charge. A great option to give back to the distro and community.
Good luck with the incident response and follow-up.
Hey Clem, I have been using Mint for a very long time now and it is time that I support you in hopes of helping speed up the recovery/information gathering process of this situation here. I know you have links somewhere on your site for donating but with the site being down, I have no way to find that information. How can I donate to you / Mint?
Finally getting serious and using Lastpass. Going to each site I have an account on and using Lastpass’ “Generate Secure Password” feature on each one to generate a random, unique password for each. Even I won’t know what each site’s password is. As for my master password, I made up a phrase and took the first letter of each word of that phrase to make the password. The master password won’t be used anywhere else.
Also, what would be really good is a third-party (in the sense of being separate from the browser rather than unaffiliated) download program. Like if I get a link for a torrent in Firefox, I can open this with Transmission, what we’d want is a small file that opens in a downloading application that downloads the disk image from the location in the file and then downloads a signed checksum, decrypts the checksum and performs the hash, and then outputs the disk image to its intended destination, or renames it from a .part to whatever it should be.
Isn’t it a good idea to sign the MD5 hash? What if an attacker changes the MD5 hash shown on the portal? And I think a lot of users don’t know how to check a signed txt or how to check their MD5 iso; showing the users how to do this would probably be a good idea.
If you’ve just downloaded the compromised ISO and burnt it to a CD/USB, can it still affect the host OS (Mint XFCE)?
Was this a known, patched WordPress vulnerability that was ignored, or a 0-day? I think that’s pretty important to know
80 – It is safe to update. Only the main linuxmint.com and the forums were hacked
Is it possible other versions are hacked with backdoors? We caught this but my main concern is other versions before Feb 20th.
I love Mint but am nervous and feel like maybe switching to Ubuntu unless someone can explain why I should not be concerned. I am not trying to cause panic but looking for reassurance.
94 – Backdoors in old versions are unlikely, but just in case check for man.cy
I said it would happen, guys in the forums said no worries, no need for an antivirus (which would find and disable your infected system). Linux has been too laid back when it comes to protecting the end user. Tell people to use an antivirus and stop giving them false hope about how safe Linux is.
As Linux of all flavours gets more popular, more hackers will write for it. Mint and Ubuntu are leading the way in making Linux as easy to operate as windows which means more users. More users attracts more hackers.
Sorry, but now it is time for me to leave linuxmint. I do not feel safe anymore with your great distro. For now I am back to latest Kubuntu LTS.
96 – The distro is perfectly secure, not much less than Kubuntu. The website was the problem.
My quick two cents:
– Please use SHA256 by default, even if the checksums mismatch with MD5 too.
– Always publish the checksums on another media (pinned tweet for example) for cross validation.
– As mentioned above, consider using PGP for signing. Pin your PGP key on another media (keybase).
– It’s 2016 and Let’s Encrypt is now public. Takes 10min to set it up. No excuses.
– Set proper CSP/XFO/XSSP/XCTO HTTP header.
– Keep Apache updated. You are 4 versions late.
– sudo chmod -R 400 on your webdir root. Exception: /wp-content/upload
– Out of curiosity, would you please post a link to man.cy file.
I can provide time and resources to help.
I hope y’all get a better password for the site this time. “Clem’s Site” is obviously too easy to hack.
I downloaded and installed KDE edition around 17-18 of February.
So I should not worry, right?
Hi, Clem… I have never tried Mint release but after what has happened
I definitely will. Right after your server is up and operational.
This is the type of honesty and transparency that we need in a community. Ignore all those TROLLS, never know what their intentions are. Cheers…
How do we know the checksums published on this non https site are true?
Comment 93 still waiting for moderation, is this a joke on people commenting information and suggestions here?
Not sure why you are still using MD5 for the hash as it’s been broken for years. SHA256 or even SHA512 should be used.
I use a tool called GtkHash (available in package manager) to check the hash against the files and it’s very easy to use. It can even generate hash on several files at once in easy to read output.
Glad this was caught early on but we should take a closer look at updating the security measures for the ISOs. I have noticed that http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/ is using an older version of GnuPG to sign the hash text file. I know Clem has no direct control of that FTP website but a suggestion should be made to have them upgrade to version 2 of GnuPG. I use GnuPG to encrypt or sign my e-mails, which is a breeze to use via plug-ins in Thunderbird.
Someone suggested encrypting the ISO. That is not the answer. We need better mechanism to protect the validity of the hash text files. GnuPG is the way to do that long as the PGP key is trusted and valid.
I remember using an ISO burner that automatically generates the hash before it burns to CD. But GtkHash offers a lot more choices as to which hash to generate.
I know the package updater or apt-get are using PGP keys to verify the files before installing so it’s not an issue here. It will even warn you if there is a mismatch before installing.
Hope to see the website back in action soon!
Hello,
I am sorry this happened, but to those who think that moving to another distribution is going to make you safer, I have to say that is total madness. You cannot stop anyone from hacking a website or server or computer. You can however control the situation by keeping your personal information off your computer. Put it on an ext drive and disconnect the drive when not needed.
I applaud the mint team for being up front, and I expect that people should hold that with respect because it shows character. But as usual there are those that want to make the situation worse by putting their 2 cents in. It’s one thing to have valid resolutions to provide, but totally out of place to say that someone isn’t taking their security seriously or imply that they are wantonly creating headaches for themselves and others.
Please stop shooting from the hip and provide help to the mint team to send this to the proper authorities so this person can be caught. As far as WordPress is concerned, that piece of software is known to have serious code issues and downright horrible security. So it doesn’t surprise me that anyone can hack their software.
Clem I’m sure has learned what to do, and what not to do and will make changes accordingly. If it is easy for us to jump ship, Well that shows that character may be lacking even when it comes to one’s personal relationships with people.
I just installed from an ISO I got several days ago, but when trying to configure my system, I’m trying to add a different search provider (Google) to my Firefox but it won’t let me. When I click “Add more search engines” I get an error page “Failed to connect”. Is this because your site is down? Is there another way to add Google as one of my search engines in Firefox?
Bad Luck! Why did I have the idea to remove Xubuntu and to download the new Linux-Mint version 17.3 Rosa 64-bit Cinnamon exactly on February 20th! I’m not an expert or tweaker, but was convinced of the safety of the Linux-Mint site to download Mint Rosa…
It took some time before I found the bad file man.cy in the /var/lib folder. It stands alone and not under “man-db”. It is a text file (probably WordPress, as I read in the notes from the experts here above).
So I downloaded the ISO and copied it to a DVD. I didn’t install Mint but wanted to view it without installing. There were several “wrong messages” so I haven’t enjoyed it.
This afternoon (EU time) I heard about the hack. I removed my documents etc. from the infected laptop and did an installation of Win7. A virus scan showed nothing and I hope that I was in time to prevent big troubles, thanx to your quick information.
Two questions:
1-Is there more I can do with the infected notebook?
2-Does the infection attack my other hardware (PC, tablet smartphone)?
Thanx for the speed of your information, Hope to receive a reaction!
Kind Regards from NL.
Was this just related to Cinnamon 17.3? What about the other variations?
I can’t believe anyone is seriously still using MD5 digests in this day and age.
You should be using GPG to _sign_ your ISO releases and code. Generate a 4096 bit signing key (or higher). If you care about quantum computers, more bits means they need more qubits to crack it so it buys you some time.
Now publish your public key to a keyserver. Now get other people to sign your key. Now add your public key to onename.com, namecoin.info, keybase.io, your twitter and your Wikipedia page. If people check the signatures and check the public key from all these blockchains and sites then that is orders of magnitude harder to subvert.
Hi,
in the case of the ISO installation in a virtual machine, do I have to format the entire hard disk?
Thanks.
When did this begin? I made a mint vm about a month ago but have no idea where the ISO I used is.
I downloaded a linuxmint-17.3-cinnamon-64bit.iso around Jan 29th, but its md5sum 00e611ad8e0eda6d24244da684cef627 is different with the one you published. Is it a good one?
Would the donations information also be compromised?
Gonna put Mint on a laptop when it’s available again. Can’t wait to be able to donate $$, again, to the Minty cause. Bummer about the hack. Thank you for being open and reactive. I hope you get some sleep soon!
I have to ask this, but will the Linux Mint team now re-consider their choice of web-app software for hosting the main site? wordpress and even phpbb to some extent are not renowned for being super robust and secure, from what i’ve heard over the years (And some experience working with it as an admin)
If it were up to me personally, i would opt for plain old static HTML, with some php where it’s needed, but nothing that could open up flaws such as the ones which allowed this to happen. maybe keep forums and if you really have to, WordPress blogs on physically separate hosts with their own set of keys and passwords, so incidents like this are at least less serious.
I’ll continue to use Mint, but I do hope the Mint team treat this as an opportunity to look for ways to try and improve security throughout their project. Mint always delivers an outstanding & well polished desktop that most any user can get to work with immediately; however, I do think a stronger emphasis on security would eliminate their one weakness. I certainly see Fedora and their work on SELinux as one of the bigger innovators in this space, & Mageia offers their MSEC tool the help users improve their system security quickly & easily. After Mint gets their website/download mirror issues fully under control I hope they start looking at such security tools & for other ways to improve security both for themselves & their websites, as well as for their users. I’m not sure which sorts of security tools would best fit the Mint desktop & their ease of use goals, but I would like to see the project better secured at both the end user desktop level & the up stream level where the project hosts forums, down servers, mirrors, etc. It is sadly a very rough world out there & there will always be security issues regardless of what OS or Linux distro you use.
P.S. Thanks to Clem & the team for being open & honest about the problems & good luck to you in handling these issues. I do seem to remember something about one of the BSD projects being hit with similar issues as well, so it can easily happen to anyone. As long as this gets treated as both a crisis & an opportunity for improvement I think these problems will only cause Mint to be stronger in the long run.
LinuxMint.com to HTTPS when?
Should be easy with the LetsEncrypt project out now.
I had recently downloaded Linux Mint last week (I am not sure it was Friday). One thing I noticed when I installed it, when the OS started, I had a badge warning (bottom right) stating the APT cache was corrupted. Since I am a Linux newbie I did a search and from what I found I was supposed to pick new repositories and update. This Mint that I downloaded would not let me change the repositories. I do not know if that means I downloaded the altered version. Needless to say, the processor burnt out on the laptop (it was a 6 year old laptop). I give Mint credit for at least posting about the hacked download site. Thank You. I will get a new version and try on my other laptops.
Bad that this happened, but hey, it could be anyone/any server. Hope you can fix it. (no doubt about that)
Will increase my donation this month and I hope everyone reading this donates at least a small amount of money to help this great distro, because it will become much greater.
So guys, if you love this distro, donate a few bucks..
Hi all, Hi Clem
Can someone provide me a link to that ISO?
I want to check what changes they did make.
Your wordpress website should install the premium version of wordfence. check out http://www.wordfence.com.
I downloaded Linux Mint 17.3 with Cinnamon on Friday, Feb 19, 2016 and the md5sum doesn’t match any of those listed above. Therefore, the hack must have happened sooner.
Clem, your point is good one that duplication and the community was an effective cross-check and instrumental in spotting the compromise quickly. But (and you knew there was a ‘but’, right?) the people on this thread suggesting improved gpg-signing of checksums also have a valid point.
You said ‘You can find them at http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/ also along with signed sha256sums’ and ‘we’ll probably default to showing sha256 for upcoming releases’ — which is good news. However, please note that primary download pages such as http://blog.linuxmint.com/?p=2947 have for a long time (and still) listed md5sums and gpg signatures of sha256sums, but not included gpg signatures of md5sums, and not included sha256sums. So, unless a member of the public thinks to also look on http://ftp.heanet.ie, he/she could not easily check gpg signatures at all.
I would like to politely suggest that you good folks take a careful look at the published means of verifying authenticity, and make sure everything works even for half-clued outsiders, and that this include care to make sure signing keys are publicised and able to be vetted using the gpg chain of trust.
Thank you for Linux Mint, and for your good work.
Best Regards,
Rick Moen
rick@linuxmafia.com
Did you submit the bad ISO’s hashes to VirusTotal ?
Am I safe if I close ALL ports?
I am writing this on the infected OS.
Edit by Clem: First, make sure you’re offline and on an isolated machine (live session with no access to data or virtual machine). Unless you’re experienced I would suggest you ditch that install though.
It sickens me to see this attack. I agree with Fred Barclay’s comments at (11) above and was always impressed with how tails.boum.org handled their signings in a clear way. Their site explains very clearly how their own web of trust is set up and makes it more difficult for a site hack to compromise their ISOs.
All the best for a quick recovery.
I apologise for not leaving an e-mail for the comment. I just wanted to support the developers! I wish you the quickest possible search for the hackers, and their punishment in the harshest way! Such scumbags should be wiped out in the outhouse! Forgive the excess of emotion. Honestly, there’s fear at the thought: what if the repositories were somehow hacked too? And what about MATE owners? For example, I installed the system on February 16. Couldn’t there have been a case where the hackers started doing their evil even earlier and hacked the site on earlier dates? May the developers recover quickly. And those vile freaks should have their hands torn off. And shoved up their backside!!!
I see so many talking crap about linux because of this, and my comment to them is: “How long do you think it would have taken Microsoft to find this back door? Here it has been less than 20 hours and it is contained.” You don’t get that kind of response from microsoft.. Thanks guys and gals, and a thank you to Clem for having a place to go to to see what’s happening. VIVA LA LINUXMINT!
Why don’t you write a script to look for visitors coming from the same source IPs as those in the Feb 20 access logs that (may have) downloaded the infected ISO? You could present them with a warning/popup about having an infected install..
The same IP or even same subnet for most dynamic IP users….
As I stated above, I have a hacked version and I did install it on my computer (as a dual boot). However, I was never able to connect to the internet using Mint. Apparently, I had a connection, but I couldn’t actually load a web page. Is there any possibility that anything on my computer or any of the computers connected to my router was compromised?
I installed several distros from late-20th to early-21st – including LMDE, both versions. In the end I installed plain Cinnamon 64-bit – however that iso was the only one I downloaded previously: last year! Phew!
I noticed the LMDE installer screens proudly proclaiming that Mint is the 3rd most used operating system, behind Windows and Mac OSX. Sounds like a motive?
Clem, are you aware that the Forum database might have been available a month ago?
See https://twitter.com/ChunkrGames/status/688346150622081024
Check mint mate x64 .ISO
Admin password works with all (I hope all..), except “Finestra di accesso” (I think in English it is the logon screen) in the Control Center menu!
I downloaded from the Swiss server on 21/02/2016, at about 16:00
If you would like your WordPress install hardened to prevent this from happening again, please contact me. I’m one of the founders of CodeGuard. I use that tech plus a few other simple steps to make WordPress much tougher to penetrate. If you are non-profit I don’t charge.
I have complete trust in the Mint Team. Nevertheless, it worries me that the things that are so obvious and so visible and so easy to track could be designed as a mis-direct to divert attention from other compromises. I know virtually nothing about the “hacking” world, but I do know that if I want to conceal something over here I need to get you looking over there.
No, the distro is not perfectly secure!
The Linux Mint team philosophy says: stability has preference over security, and this is unacceptable in any way.
Security packages are even retained and hidden, just for flimsy stability reasons. Unacceptable.
Security you should never put on the back burner, certainly not for user-friendliness.
WordPress is the most vulnerable thing on earth, why use this insecure software? I cannot understand this.
MD5 Hashes? Really? It’s 2016 and you use MD5. Use GPG always!
You have a very large user base, Linux Mint in this position has to set an example.
Linux Mint plus the website really need a change.
Heard the bad news and got an associated mental image. Wish I could post it here. See graphic and story http://nc3.mobi/t1602/#21 and keep up the good work.
Jonathan @NC3mobi
Hang in there, Clem & company… your efforts are appreciated.
It’s a shame this happened. Mint is my favorite distro. But this is the sad reality of our time.
People should take this as a wake-up call, and improve the procedures they use for downloading and verifying an .iso:
1. Get the hashes from several places (e.g. mirrors), and on different days, in case the distro's website was compromised.
2. Get the hashes through several different routes (e.g. VPNs and Tor Browser) to reduce the chance of a man-in-the-middle attack, by having several different "middles". Use HTTPS wherever possible. To be even more certain, try to avoid DNS leaks. If you use a VPN, test it on dnsleaktest.com or a similar service. Do not use your router/ISP for DNS. Use your VPN or Google or other public DNS you trust.
3. Wherever possible, verify the hash with a GPG signature (e.g. http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/ has this available for Mint).
Practicing good internet 'hygiene' like this will help protect you from installing a compromised .iso.
Is this the kind of thing Bitdefender virus scan would catch?
It sounds like you have some expenses ahead, so I think it’s about time I finally sent a donation to Mint. With the main website and the forums down, though, I’m not sure how to send it. Somehow I did find a Bitcoin address, “https://blockchain.info/address/1PQCrkzWweCw4huVLcDXttAZbSrrLbJ92L”; is this legit? (Then I have to figure out how to get a bit of a Bitcoin…) Or would PayPal still get to you? With much appreciation and best wishes!
Neither synaptic nor Software manager working at this time. Anything to do with the hack?
First, thanks for the transparency; honesty is why I left Windows for Linux.
2nd, are updates, etc. affected? I updated and added some apps during the time frame of the second breach.
Fred Barclay – Looked for you on Linux Mint Chat – What is a good time in UTC (if you can)
I am sorry to hear this happened to the beloved Linux Mint site and team. Any idea what your plan at Linux Mint will be to prevent being hacked like this in the future? I have been a Mint user for about 8 years now and I love it, especially Cinnamon and KDE. I was wondering, though, has this made any problems with any other ISO like KDE, MINT, XFCE and so on? Also, how have things at Mint been since the problem that is currently going on?
Looks like I got an infected ISO. I fortunately only used it to build up a Virtual machine which was on long enough to build the machine.
/var/lib/man.cy exists
/var/lib/man.cy: C source, ASCII text, with very long lines
Any need/reason to keep the ISO and or VM for the mint team? or am I good to just clean house?
@bananabob: how about 1700 UTC tomorrow (in 13 hours)?
linuxmint.com, the official site, is still down...
You are aware of that, right?
Breached?
https://www.fireeye.com/company/incident-response.html
I added Cinnamon to an existing Ubuntu 14.04 install via a PPA. Is there any way this could’ve affected them. I don’t think so, but others may have the same question.
If the file /var/lib/man.city does not exist, does that mean the ISO on the pen drive is clean or compromised?
Edit by Clem: If it's not there, it's clean. It's /var/lib/man.cy though. Check the MD5 all the same, it could be corrupted (i.e. bad download).
Gentlemen:
What I would suggest is adopting the same strategy as the Tor developers and the Tails and GnuPG developers. I’m referring to publishing a PGP key, and signing your releases with that key.
You could also use that key to PGP-clearsign a list of hashes; the reason for doing this is because if an intruder can change an .iso file, they can also change any associated hashsets as well. However, what they CANNOT do, is to duplicate or forge a valid PGP signature.
MD5s are not signatures! You need a DSA 1024-bit (minimum) or Elliptic Curve 384-bit (minimum) PGP private key signature for each ISO. That is the only way to combat this problem in the long term. Also, you may have to attend a key signing party to enter the highest level web-of-trust. Once a public key is signed by others via web-of-trust, it should be listed in the http://keyserver.pgp.com database. This is all pretty standard protocol and should gain the trust of many security-minded folks such as myself.
Cheers.
Edit to 103: that should have been https://keyserver.pgp.com
Clem (and team)
What a horrible situation to be in. I feel for you all, and I cross my fingers that you’ll get everything back to normal (and patched!) soon.
Take heart, though – I think the OS you have worked so hard to put together is GREAT. I’ve played around a little with Mint in the past, and last week (not the 20th, natch!) I installed it on a spare Intel NUC. Wow. Everything worked, out of the box. I was blown away by how quick & easy it was.
I’ll be donating again after this, that’s for sure. A worthy cause. Your efforts are most certainly appreciated here.
Sorry for the temporary email address — I won’t receive a reply — not on a trustworthy computer & out of town. I do forensics on stuff like this and would be glad to help. I’ve always been a fan of Mint. If you’d like to take me up on this, let me know and I’ll pass along a secure way to get ahold of me (and we should exchange gpg keys to discuss details).
To those still getting bad sums — especially on mirrors — some of your problems have to do with syncing, others have to do with DNS caching, which doesn’t necessarily mean there wasn’t still a problem — it just may not be the problem you expect.
I’d like to know more about the backdoor mechanisms and help if I can. Did they rebuild the ISO from scratch? Kind of a strange way to backdoor considering (and I assume they didn’t go to the trouble of mucking with the repo tools and sources) it’d likely break due to signature verification if anyone tried to update. Bit of an amateur job, complicated/compounded by the fact that it looks like due to how it was ‘acquired’ and then posted online, you’re likely facing multiple attackers. I hope you’ve forensically imaged your own server and made sure it wasn’t also serving the iso in memory. Either way I’m willing to bet you kept getting boinked because your remote access apps were backdoored before that ISO was ever uploaded — perhaps by the original ‘hacker’ and then replaced by the newer ones.
Anyway, if I can be of assistance let me know. I have a few hours and I can probably offer you some insights (even if I’m not a Cinnamon user 😛 — XFCE ftw!). I don’t, unfortunately, have time to dig apart the ISO from scratch (or download it) due to some personal obligations right now but I would like to help.
Good luck. And don’t just pull the machines or wipe them — image and put aside those machines. Stat. Also anything you may have connected to in any of your .ssh keys dirs should be thoroughly investigated.
Cheers, and good luck.
PS: Interesting they chose Cinnamon — I don’t keep track, but is this the most popular spin currently?
@ av8r0023 Says:
Not a good mechanism for this particular sort of problem, though I agree that signatures are needed. If they had access to the boxes, chances are they either immediately or would have eventually gotten access to the pgp keys to sign things themselves. When the source is spoiled, one has to assume other things can be spoiled (in memory or on disk — doesn’t matter).
@bananabob: just realised I can't do it then. 🙁 I'll be on a network that doesn't (if I remember correctly) allow IRC...
Maybe the next day at the same time? Let me know what you think. And thanks!
Sorry, last message — and reiterating what someone else said — get off of wordpress (and/or at least do something about all those trackers (and I assume plugins). Lower your attack surface.
And get the blog far far away from anything serving anything. Never ssh from the blog to the servers serving the distros, too, if that’s being done. And please fix your passwords (though if it was exploited, that wouldn’t have helped; are you sure it was a run of the mill wp exploit and not just being disguised as one? I’m not going to look at your site — is your wp up to date?).
But please don’t go to disqus or anything centralized for comments. It’d make the baby sheezus weep.
Also, for the love of all that’s secure, do NOT go to joomla… or anything dependent on javascript, plugins, and third-party stuff that opens you up to worse than this. At least you caught this quickly (<3 the OS community. :))
@Fred Barclay:
Shouldn’t be IRCing that way anyway (no offense). Set up a VPN and ssh to a remote server then use a text-based irc like irssi with the otr plugin for a bit more safety and security.
Hope I’m not coming across as pushy. Just trying to be of help.
I know you guys are being swamped. I don’t think there is as much reason to panic as some people are showing. Have faith in Clem and the group. I’ve been without net for 9 hours and just checkin back up on this. The fact they jumped on it so fast should be encouraging people not dissuading them. It was one thing affected. Their sleep deprived. They are working on it! Feel secure at both the transparency and the fact they are reacting quickly to it and taking measures! The guys have made a great Distro. I love my KDE Mint.
I know you’ve had a lot of concern and stress guys. I just want to make sure you know that a lot of us understand the stress you’re going through and supporting you. THANK YOU for what you’re doing to fix this for both yourselves, and the Community!
Edit to @av8r0023:
Elliptic key crypto is not a great idea.
*they’re in my earlier comment. *grumbles at self for typos.*
1. Assume nothing is safe, especially your hardware.
2. Buy a throwaway keyboard, mouse, raspberry pi A+ w/noobs 4gb sd card, analog television with composite video-out.
3. block all on inbound/outbound except inbound port 80.
4. use netcat to send us links to torrents / mirror downloads.
5. …
6. Brace for the cyberpocalypse.
1. Assume nothing is safe, especially your hardware.
2. Buy a throwaway keyboard, mouse, raspberry pi A+ w/noobs 4gb sd card, 2A 5v power brick, analog television with composite video-in.
3. block all on inbound except port 80.
4. use netcat to send us links to torrents / mirror downloads.
5. …
6. Brace for the cyberpocalypse.
@Ilija: VM and virtual network breakouts and crossovers are not unheard of, especially once an attacker has made it in internally. Any distro site should be kept totally separate from anything customers or staffers/developers can write to or post to (or WordPress and its ilk); it should do NOTHING but distribute and have NO unnecessary ports open (not even ssh on a standard port, and all ports should be filtered and that machine should be strictly iptabled; not a total panacea but will stop most attackers that lack a lot of sophistication or access from the maintainers' boxes themselves).
Think dev network, content network, and distribution network, all on separate nets and boxes, not just separate virtual networks, and no ssh’ing from one of the others to the dev network; that should be strictly controlled in case of an sshd/pam/etc backdoor or sniffer (even tcpdump). Right spirit, but not the best way to go about privsep.
Should also be using rsyslog in realtime to a machine where logs can’t be changed/wiped easily, have ssh logins/suspicious entries on the distro box emailed/smsed to you along with details (<30 minutes to write a script like that), and a host of other precautionary measures on any machine serving a distro. Be also a good idea if you automate checking on a regular basis from a remote box that the sums match the sums they should match. This too can be scripted, easily, and hidden from the attacker unless they know to look for it. Locking all this down shouldn't take more than a few hours, generally speaking, plus maybe a couple hundred for the cert. I'm sure that'd be easy enough to convince people to donate to if money is an issue (and don't use one of the ones known to be duped by state sponsored or contractors using certs to manipulate users; that might take a few minutes of research but it's worth it).
In other words, YES, GET HTTPS with a real, certified, bona-fide cert that's properly verified; actually I wouldn't even offer regular HTTP as a download mechanism (or rsync). Not even this blog is https. ;).
If I may make a suggestion – Clem is right, this is going to cost the Mint team – heavily.
Mint is a great distro – arguably number 1 for ease of use and stability. One rogue cracker (I’m glad Clem used the correct term and not ‘hacker’) should not be allowed to take Mint down.
When this is sorted, I suggest as many Mint users as possible make some donation to the project, just $5 or so. I admit to being dreadful at donating to Linux projects, but I live in Indonesia where wages are low, and it's hard to get credit cards (and it has to be a credit card) to carry out transactions abroad. I have recently solved this problem so I will try and persuade the wife to let me use the credit card!
I would suggest the next piece of news on Mint should be “Mint users rally to support Clem with record number of donations” to show our faith in the project. That should do a lot for Clem and co. and clean out some of the bad taste on the web world.
Credit to Clem and co. for total transparency on this.
I will repost this when the forums are back up.
Promise, final post: I know it’s a pain on Mint, but I’d highly suggest you consider looking into grsec/PaX.
@Jedinovice: In the longer-term I doubt it’ll have much of an impact on trust, especially considering the transparency, the fact it was caught quickly, and the plans to lock down the systems. In fact, most users probably won’t even remember this incident or find out about it unless they’re really into the open source community (or someone goes twitter crazy; I can’t say I care for twitter enough to find out more than the one or two posts I saw if that’s happening). Either way it’s not a disaster, it’s not the first time a distro or popular app or whatnot has been backdoored, and I think most people are generally not as unforgiving as all that, especially in this day and age.
As long as he locks things down, remains transparent, and does what’s necessary to satisfy the community and so forth, I’d be disgusted if Clem were ostracised at all; if he were I’d PERSONALLY be ashamed of our community. I did mention something about donations to get SSL properly set up in my post while you were posting, and I still think that’s a good idea. Note, I said properly set up. And of course if hardware or something else is needed to make things more secure, we should be willing to contribute to that too in whatever way we can to meet the basic requirements and not cross over into the funding category (things get ugly often when that happens).
” The infected Linux ISO images installed the complete OS with the Internet Relay Chat (IRC) backdoor Tsunami, giving the attackers access to the system via IRC servers.
Tsunami is a well-known Linux ELF trojan that is a simple IRC bot used for launching Distributed Denial of Service (DDoS) attack”
Just saw this elsewhere. Definitely sounds like an amateur job from someone not very familiar with linux internals/backdooring/etc. That’s a *good* thing. You see this sort of (if not even exactly this) software floating around on linux apps on untrustworthy torrents occasionally. It’s not the nightmare I expected — it’s even not hard to clean (though you really should reinstall — who knows what else might have been modified). Overall, though, not sophisticated at all. Nor were they likely to have ‘gotten’ many people. That’s a good thing.
@Clem:
“Edit by Clem: It’s planned and I’m hoping it’ll happen soon. Please note that this wouldn’t have helped here though. You’d be served the exact same hacked information via HTTPs.”
This may be true for this particular instance, but since a lot of people download or otherwise access ISOs on public wifi or shared networks, it opens things up to a very ugly man-in-the-middle or man-on-the-side attack (one reason I suggested torrents; not perfect but they do bother with quorum-like checksumming). If someone injects anywhere along the way because the pathway isn’t made secure on both ends (putting aside SSL attacks), then you’re not protecting your users, just yourself. 🙂 That’s not an insult; please don’t take it as such. But HTTP leaves people open to exactly the sort of thing, at any point on the network chain, as just grabbing a backdoored ISO does from the source itself. It should be a priority, not something to get to.
Sorry for the tone; been up all night, and this didn’t even affect me or anyone I know — just want to make sure it gets dealt with properly. 🙂
(edited to add: it also allows people to inject false checksums and modify what *appears* to be your page and addresses and so forth extraordinarily easily, sans SSL — that includes any actor, not just a local network one) — and via things far more easily available to people that even the WP details were available for sale.
Did packages.linuxmint.com or any other subdomains get compromised too?
Edit by Clem: The compromised sites were the main website, the forums and the cinnamon website.
Within the last few days, I got offered an update for the "nss" package which was unsigned. So I refused the update. I tried the update process the next day. There was no complaint about missing signatures anymore, but "nss" was still offered. So, I took the update.
…maybe this was related???
I've been running version 17 happily for at least a year, along the way upgrading from 17.1 to 17.2 then 17.3 with kernel 4.2-027 and the proprietary Nvidia drivers. All upgrades went smoothly! But when my SSD crashed on Feb 19, it became necessary to reinstall. As part of the troubleshooting process I had this bright idea that maybe a fresh install of 17.3 would do the trick, so on Feb 20th I downloaded 17.3 amd64 Cinnamon. I was able to connect to the router wirelessly, but not the internet. Tried disabling IPv6, changed my DNS servers, some other tricks, but nothing. I was able to duplicate this, what I thought was a "bug", with two different PCs and three different wireless adapters. A recent wind storm with winds up to 115mph knocked out my wired connection so I was kinda stuck. Today my ISP restored connectivity and guess what? Same problem with my cat7. Router connection, no internet. I didn't know about the hack at the time, I thought it was a 17.3 bug, so I nuked the install and reinstalled 17.1. Poof! Internet works great. While spending the rest of the day reinstalling updates and software to bring me back to 17.3/4.2-027, only then did I learn about the hack. I have four questions: 1. Does the trojan write anything to your hard drive(s) when Mint is run as a live disk? 2. If installed, does the trojan compromise your home partition (my home partition is on a separate drive) or just the OS? 3. When run as a Mint live disk, can this trojan attack my Windows machines/partitions? And finally 4. Can this trojan attack Macs or Windows machines on the same network? I'll be spending the next few days trying to track these answers down.
Props to Clem and team for being proactive and transparent about this attack. I’ll be sending some BTC soon as I know my wallet is safe to restore on the affected PC.
Fred Barclay – 1700 UTC is not good for me. I can see this time difference is going to be a problem. Do you have a G+ account – I am on there? Maybe that will be better.
Hi Clem, my question: Is it possible that if you have a wrong ISO installed, the first time you do a Mint update a pop-up appears with the message "Your PC is made from a not valid ISO, please reinstall"?
@banabob: Mint is a very important project for me (I put it on computers left and right) so I definitely agree with the rallying stuff and will donate as soon as the website is up and the donation button available again.
@Clem and the Mint team: Hang in there and know that we appreciate your hard work.
@103 av8r0023 Says:
“MD5s are not signatures! You need a DSA 1024-bit (minimum) or Elliptic Curve 384-bit (minimum) PGP private key signature for each ISO. That is the only way to combat this problem in the long term.”
Correct me if I’m wrong, but doesn’t the user still have to check the signatures? That is, if they don’t bother to check MD5SUM or SHA256, will they bother checking a signature?
I have Linux Mint 17.3 or 17.2 KDE edition and I believe that I am unaffected by this. I don't get why Linux Mint needs to be hit by this now. I've used Linux Mint since version 7 Gloria edition and this is uncalled for.
For purposes of checking the integrity of ISO’s, MD5 is sufficient. Engineering a file to have a specific MD5 sum is still a non-trivial problem to solve.
https://www.reddit.com/r/linux/comments/46xwla/the_perils_of_checksums_verify_your_installations/d0912gr
Also, it is much, much simpler to check MD5 than to fire up PGP or GPG to check. I know that I will not do so.
I'm just as lazy as the average computer user, and just paranoid enough to still check MD5 sums. It's not like I can verify the PGP/GPG signature anyway, since I don't have the necessary web of trust. So MD5 it is, or SHA-1 or even SHA-256 if that is available.
Anyway, I still have perfect confidence in Mint. I'm going to install Xfce 17.3 64-bit that I downloaded yesterday via torrent. I calmly downloaded it at the same time that the website was taken offline and everyone else was running around in complete panic like headless chickens.
Keep up the good work!
Does an md5sum on the burnt DVD give the same md5 as on the ISO file it came from?
I'm getting 935d5a8360f7f0d0b19682734b3ae9ae for md5sum /dev/cdrom
Linuxmint cinnamon 17.3 32bit
98 – Lecter: It was the flakiness of the latest Kubuntu that drove me to check out the Mint KDE version and have to say it’s been a big improvement. Don’t throw the baby out with the bath water please 🙂
You may want to clear up in the blog post that
“Links to the malicious version of the ISO were added, detected, and removed on the same day, February 20.
If you’re already running Linux Mint, this doesn’t affect you — all files installed or updated using the package manager are digitally signed and the signatures are verified.”
as reported at micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/
I'm wondering if a fake ISO would be detected when you first run the live DVD or live USB with "check the ISO for defects", before you run it live and install it afterwards?
You need to be a special kind of bastard to hack an open source project. Shame on the hackers!
I downloaded a German version of Mint 17.3 on the 20th from Heise.
Is that corrupted?
How do I check the ISO in Win7?
Well, hasn’t mint come a long way…it was only a matter of time before some parasite pulled shit like this. This is an example of how mint is evolving into something much bigger.
The experimental specimen of a human who attacked our community is a small parasite. A parasite that escaped from the bag of human waste and found a place in the darkness waiting for a vulnerable host.
My company runs on Mint Cinnamon with a total of 5 computers. I have the same desktop on all machines, proudly displaying the Mint logo and, more importantly, "from freedom came elegance". I'll be damned if some parasite is going to push me to another distro. I have donated to this project and will continue to do so. I encourage all to do the same. Guys, you have my support and I will continue to promote and convert the vulnerable. Change the locks and let's move on.
I just checked the md5sum of my Linux Mint XFCE 17.3 x64
got this: 729c92e3ef247bbc12104e6c14a2b95e
Does this mean the xfce version has been compromised as well?
Clem
Feel for you and well done for taking swift action. Unexpected website changes are one of the most common vulnerability exploits, but it's totally preventable if you were using ionCube24, as it alerts and blocks unexpected changes from execution. We're more than happy to get you set up with ionCube24 for free (https://ioncube24.com) if you're looking to harden your system going forwards. Just get in touch so we can help.
Good luck!
Nick
After the site of Linux distro developers (a Linux-based site, by the way) can be hacked, there is no sense in speaking much about users' actions, what is the right way for them or what is not. In the first place, the right way is a good sysadmin.
Hi guys, is there someone who installed this hacked version in a VM and, in another VM, has another Linux (Kali, BackBox or another pentest Linux) and tried to catch the communication from the VM with the hacked Mint? A good choice for HTTPS on the web is Let's Encrypt: https://letsencrypt.org/howitworks/technology/
I don't know if it is because of the hacked ISO, but I installed Mint Cinnamon 17.3 64-bit as a guest in VirtualBox 5.0.14 and the virtual machine has no access to the Internet. The ISO was downloaded on 20 February and it seems OK, the md5 is OK.
I tried configuring the network interface as NAT on VirtualBox or as a bridged connection (setting an IP range of my LAN) but I cannot get on the internet from the guest machine.
Instead I tried with Ubuntu 14.04 installed as the guest system and I have internet access.
Can anyone guide me on what's happening?
Thanks a lot.
You should probably issue a level 1 update that attempts to locate and delete the backdoor file and alerts the user that he should format his system, re-download the ISO and install again.
Hello
Where can I download the Cinnamon 64-bit ISO?
OK, I found this in the opening post written by Clem:
[quote]Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.[/quote]
I can access some pages of linuxmint.com through Linux Mint, but none through Windows 10 (both Opera and Edge browser. I’m aware that the site is generally down).
Is that weird?
Clem, how can I contact you via email? The website is down so I can't see the contact page 😉
Sorry. This shouldn’t be a case of “we’ll think about reporting it”, but rather “we WILL report it”.
Regardless of the reason, the individuals involved should be found and prosecuted to the fullest extent of the law.
I would like a copy of that man.cy file to be mailed to olarupaulstelian97+security@gmail.com . Just for seeing how the backdoor works…
#112: The site is down, but the blog is separate from the site and is working. Linux Mint x64 uninfected (installed quite a while ago and messed with it – I might have to redownload it though)
Comment written at 201602221510+0200
Hi Clem,
I note there is some more information on http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/ that may or may not be accurate…
N
I wanted to take a look at Mint on Saturday.
So I downloaded the ISO (turns out it’s infected — MD5 7d590864618866c225ede058f1ba61f0), rufus’d it onto a USB stick and booted the live system but did not establish a network connection. I was on wifi and was too lazy to type the password.
Is there a chance that some of the underlying systems — i.e. the Windows box where I created the USB stick or my Macbook (FileVault encrypted) booting the live system — could have been compromised, even without having been connected to a network?
Maybe a silly question. But this issue is able to make me paranoid.
Just this morning, after having made a svn up and svn log, all of a sudden svn asked for password when doing svn log -vr6056. The .subversion/auth file for that repo was changed and did not contain gnome-keyring any longer, as the others do.
Any relations to this hack?
Linux Mint 17, last updates on Feb. 18.
@106 and @108 -I’m in total agreement with you both.
It makes me sick to my stomach that this happened; and for no good reason but to show off, cause distrust of the most wonderful distro?
Not gonna happen! Clem and Team, we’re with you all the way!
Vive le Linux Mint!
Hi Clem,
I really appreciate your efforts to keep us informed. I was not affected by this, but as a fan of Linux Mint I’m certainly following along with everyone else. I know this must be a hard time for everyone right now, and I just wanted you and everyone else on the Mint team to know that I still love your work and support you 100%. I’m sure the same is true for many others. It’s sad to see some people bailing over this; this should be a time for solidarity in the Mint community. Like Jedinovice, I plan to donate money to the project as soon as this is resolved, you guys certainly deserve it for all that you do for us.
Keep up the good work, and I wish you all the best in resolving this issue.
Like Fred Barclay and av8r0023 say, use OpenPGP!!! Do it like the "tails" guys!!! (https://tails.boum.org/download/index.en.html#download.verify-the-iso-image-using-the-command-line)
I’ve got a confirmed copy of the bogus ISO downloaded the afternoon (EST) of FEB 19th. You need to expand your window a bit.
As a sign of my good faith in Clem and the Mint team I'm pledging $5 to Mint right now (on top of my monthly $1 support).
Go mint! I know this is probably a hard time, but you’ll pull through, and I’m personally not going anywhere. 🙂
I tried to check with the instructions given.
I entered md5sum linuxmint-17.3-cinnamon-64bit.iso
And it said "No such file or directory". Must I have the ISO in a specific folder?
Thanks 🙂
Clem, it would be super beneficial if you could send an email to all of the mirror maintainers with the correct sha256 hashes so that we can check them independently of the ones above. I’d like to be able to verify that what I have on my mirror is legitimate via an out-of-band channel. Maybe tweeting the hashes would be a good idea, too, for yet another verification avenue. Unfortunately I feel very wary of trusting MD5 hashes residing on the same site that was compromised, SSL or not.
Thank you!
“Lecter Says:
February 21st, 2016 at 8:16 pm
Sorry, but now it is time for me to leave Linux Mint. I do not feel safe anymore with your great distro. For now I am back to the latest Kubuntu LTS."
What happened and how it is handled by Clem & Co is exactly the reason for me to stay with Linux Mint. Kudos!
Ah, wait. I just realized that the sha256sum.txt file is signed with GPG. I have verified that that file, with a date of Jan 6, 2016, has a valid GPG signature. All of my ISOs’ hashes are correct.
—————–
$ stat -t '%Y-%m-%d %H:%M:%S' sha256sum.txt*
1075 121457096 -rw-r--r-- 1 _mirror _mirror 485072102 1406 "2016-01-07 03:53:21" "2016-01-06 11:03:41" "2016-01-07 03:53:21" 65536 16 0 sha256sum.txt
1075 121457097 -rw-r--r-- 1 _mirror _mirror 485072103 181 "2016-01-07 03:53:21" "2016-01-06 11:09:59" "2016-01-07 03:53:21" 65536 16 0 sha256sum.txt.gpg
$ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signature made Wed Jan 6 11:06:20 2016 EST using DSA key ID 0FF405B2
gpg: requesting key 0FF405B2 from hkps server hkps.pool.sks-keyservers.net
gpg: key 0FF405B2: public key "Clement Lefebvre (Linux Mint Package Repository v1) " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 5 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 5u
gpg: next trustdb check due at 2016-09-29
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature from "Clement Lefebvre (Linux Mint Package Repository v1) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2
$ sha256 -C sha256sum.txt *.iso
(SHA256) linuxmint-17.3-cinnamon-32bit.iso: OK
(SHA256) linuxmint-17.3-cinnamon-64bit.iso: OK
(SHA256) linuxmint-17.3-mate-32bit.iso: OK
(SHA256) linuxmint-17.3-mate-64bit.iso: OK
(SHA256) linuxmint-17.3-cinnamon-nocodecs-32bit.iso: OK
(SHA256) linuxmint-17.3-cinnamon-nocodecs-64bit.iso: OK
(SHA256) linuxmint-17.3-mate-nocodecs-32bit.iso: OK
(SHA256) linuxmint-17.3-mate-nocodecs-64bit.iso: OK
(SHA256) linuxmint-17.3-cinnamon-oem-64bit.iso: OK
(SHA256) linuxmint-17.3-mate-oem-64bit.iso: OK
(SHA256) linuxmint-17.3-kde-32bit.iso: OK
(SHA256) linuxmint-17.3-kde-64bit.iso: OK
(SHA256) linuxmint-17.3-xfce-32bit.iso: OK
(SHA256) linuxmint-17.3-xfce-64bit.iso: OK
—————–
Sorry, I’m a noob.. :/
linuxmint-17.3-cinnamon-64bit.iso is what I have.
Once I checked, I got the following signature which matches what you’ve posted above. So that does mean I’m OK, correct?
e71a2aad8b58605e906dbea444dc4983
I’ll be topping up my donation as a show of support and appreciation.
I certainly won’t be leaving!
I just joined the list of Linux Mint users this past Friday, and must say not only have I been impressed with Linux Mint as an OS, but I am very impressed by the responsiveness to issues and the transparency of the Dev team.
Keep it up! I look forward to continuing being a part of this community.
I was trying to install Mint on 19-20 Feb. I'm not sure if this is useful, but I still have a webpage open for installation and on the infected ISO md5sum. I can send a screenshot of it. But here are the details on the page:
url: http://www.linuxmint.com/edition.php?id=204
Linux Mint 17.3 “Rosa” – Cinnamon (64-bit)
md5sum: 7d590864618866c225ede058f1ba61f0
So if I am not mistaken they did change the md5sum on the website. I had trouble with installation and when I did the md5sum I got the correct value above (e71a2aad8b58605e906dbea444dc4983). I downloaded it again and I still got (e71a2aad8b58605e906dbea444dc4983). I suppose the mirrors I downloaded from were not infected.
I am not sure when I did upgrade my Linux Mint OS, but it was a few days ago. Is it possible to check md5 on an upgraded system? Just want to be sure that my system is clean. Thanks.
@ bananabob: I do have a g+ (well, I have gmail so I think I’ve got g+) but don’t want to post it publicly. 🙂
What would be a good time for you to chat? I can probably work around it–I’ve got weird hours.
Keep up the GREAT work, we all still LOVE our Linux Mint! Good luck sorting out this little hack, Mint will be back stronger and better than ever.
Hi,
I truly believe that we must not leave Mint at this point and we must support. They handled very honestly the whole situation and this should be credited. It is true that this hack indeed revealed severe security policy violation, like e.g. ridiculous passwords, but I hope a lesson is learned.
Besides I would advise Clem to escalate to authorities immediately and not to take it lightly, as it seems from the Zdnet article that this person(s) won’t stop.
So I’m in the clear if I installed mint a week ago?
There were some level 3 and level 4 updates which appeared in the updater just the other day; it may have been the 20th but I can’t be sure. Anyway, since then, VPN connection has been very erratic and is now not working at all. I’m mentioning this just in case updates have been compromised or the attack has somehow affected VPN.
Dox these dirt bags and feed them to the white hat & grey hat community! Make their life hell!
Hi
I downloaded via the Mint hp, Sunday 21.02.2016, the 32-bit iso file “linuxmint-17.3-cinnamon-32bit.iso” and did today the md5sum check as proposed in this blog. The result was good, the right checksum appeared! So, I’m happy, no harm is present!
Supportix, Switzerland
TL;DR version: STOP shipping MD5 sums with .iso files, RIGHT NOW.
I’m a CISSP; I hate to see people making grievous security errors. As others have already hinted at, reliance on MD5 for security is improper. As a hashing algorithm, it has been obsoleted a number of years ago because of its weakness to artificial collisions.
Google “md5 collision generator” … I’ll wait.
Back? Ok, so now you know how bad it is. There’s plenty of space in an .iso file that can be manipulated to recreate whatever MD5 checksum an attacker desires. Using tools already in the wild, it is possible for an attacker to compromise an .iso image with a backdoor and keep the same MD5 sum and size as the original .iso.
There are two problems to address when copying large files like ISO images: integrity and authenticity. This is a case of solving the wrong problem.
Integrity: If a single person controls the entire path of a data transfer (e.g. copying a file from a thumb drive to a local disk), integrity is usually the right problem to address. Using sha256sum(1) for this is currently considered cryptographically sound; MD5 is not.
Authenticity: If you’re obtaining the file from a system you do NOT have control over, and need to verify that it came from your intended source, this is the problem the Mint maintainers need to focus on. This can be solved with public key crypto tools like GnuPG.
The Mint maintainers need to create a GnuPG key pair and widely distribute the public key, prominently feature the fingerprint on the official website, etc. Each .iso should have a corresponding .sig (outboard signature) signed by the official MINT key.
The signing command for the distro maintainer would look like:
gpg --output foo.iso.sig --detach-sig foo.iso
Users can verify a downloaded image with:
gpg --verify foo.iso.sig foo.iso
Note that if you’re verifying the authenticity of a file with gpg(1), you are also automatically verifying its integrity as part of the process. Unauthenticated checksums like SHA and MD5 should NOT be present in the mirrors because they offer no guarantee of the file’s origin. Their presence can mislead users into thinking files are legitimate when they are not.
@Clem:
Some idea to prevent such problems in the future:
Please run a Raspberry PI at home (and a second at the home of a friend) with a little script, that runs every five minutes, and checks the critical parts of the website. If it finds some irregularities, the script can automatically shut down the site, and send you a message. It could also check the ISOs every hour or two (depends on your bandwidth).
Yes, the Raspberry PI could also be hacked, but with running nothing on it beside of the script, the attack surface should be minimal.
And at first, the attackers have to find both personal IPs…
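A concrete form of the watchdog suggested in the comment above, as an added example (not code from the original post or from the Linux Mint project): a checker that keeps a pinned SHA-256 of each critical page, re-fetches the pages, and reports every one whose content or availability changed. The page content, the `Watch` list and the fake download page in `Demo` are constructed for the example; the two MD5 values are the genuine and the manipulated ones quoted earlier in this thread. The fetch step is injectable so the demo runs offline; `HTTPFetcher` is what a real deployment would pass.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"sort"
	"time"
)

// Watch maps each critical URL to the sha256 of its known-good content,
// recorded once from a clean copy and kept only on the monitoring box.
type Watch map[string]string

// Deviation is one resource whose served content no longer matches, or
// that could not be fetched at all (a site serving nothing is also worth a page).
type Deviation struct {
	URL      string
	Expected string
	Observed string // empty when the fetch itself failed
	FetchErr string
}

// Fetcher returns the body for a URL; injected so the checker can be tested offline.
type Fetcher func(url string) ([]byte, error)

// HTTPFetcher is the production Fetcher: a bounded GET over the given client.
func HTTPFetcher(client *http.Client) Fetcher {
	return func(url string) ([]byte, error) {
		resp, err := client.Get(url)
		if err != nil {
			return nil, err
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("%s: HTTP %d", url, resp.StatusCode)
		}
		return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap at 1 MiB
	}
}

// Digest is the pin format used in Watch: lowercase hex sha256.
func Digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Check fetches every watched URL and returns the deviations, sorted by URL.
func Check(fetch Fetcher, w Watch) []Deviation {
	var out []Deviation
	for url, want := range w {
		body, err := fetch(url)
		if err != nil {
			out = append(out, Deviation{URL: url, Expected: want, FetchErr: err.Error()})
			continue
		}
		if got := Digest(body); got != want {
			out = append(out, Deviation{URL: url, Expected: want, Observed: got})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].URL < out[j].URL })
	return out
}

// Demo baselines a constructed download page, then serves a version with the
// manipulated md5sum and a missing page, and returns both check results.
func Demo() (before, after []Deviation) {
	const page = "http://example.invalid/edition.php?id=204" // constructed URL
	const sums = "http://example.invalid/md5sum.txt"          // constructed URL
	clean := []byte("md5sum: e71a2aad8b58605e906dbea444dc4983\n")    // genuine value from this post
	swapped := []byte("md5sum: 7d590864618866c225ede058f1ba61f0\n")  // manipulated value quoted above
	w := Watch{page: Digest(clean), sums: Digest([]byte("constructed manifest\n"))}

	site := map[string][]byte{page: clean, sums: []byte("constructed manifest\n")}
	fetch := func(url string) ([]byte, error) {
		b, ok := site[url]
		if !ok {
			return nil, errors.New("not found")
		}
		return b, nil
	}
	before = Check(fetch, w)
	site[page] = swapped // attacker rewrites the advertised checksum
	delete(site, sums)   // and the manifest disappears
	after = Check(fetch, w)
	return before, after
}

func main() {
	_ = HTTPFetcher(&http.Client{Timeout: 5 * time.Second}) // what a deployment would pass to Check
	b, a := Demo()
	fmt.Printf("clean site: %d deviations; tampered site: %+v\n", len(b), a)
}
```

The pin list must live somewhere the web server cannot write to, otherwise an attacker with control of the host simply updates the pins along with the pages, which is the same failure as the MD5 sums on the site.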
Hi Clem,
Were all the mirrors affected?
I downloaded Mint 17.3 Cinnamon 64 from James Madison Univ. on 20 Feb at 08:03:45 PM EST. The ISO shows it was modified 20 Feb at 03:38:58 PM EST.
My ISO has the correct hash and the burned disk does not show the bad file. Is it safe then to use? I have had it installed since yesterday, but turned off my network connection.
Best wishes in getting things straightened out.
@Clem:
As a long time user/tester of WordPress installs I can tell you from experience that running a WordPress install without a decent security plugin that can protect not only core files but the folders and files in the “content” directory is leaving you wide open to attack. The “Wordfence” security plugin is an excellent choice even in the free version which I’ve been using successfully on my sites for quite awhile now.
Just a thought.
If I updated to Rosa via the update manager in the mint OS itself, is it possible that I have been compromised? How can I check? Thanks
downloaded 64bit iso on February 19, burnt DVD (on Win 10 computer) ran it but did not install it (on another Win 10 computer)
could any of those computers, network be infected? (shows infected MD5 signature). How to check in Windows if computer is infected?
A name for the trojan to detect it?
Hi Clem,
I downloaded 5 min ago Mint Mate 64 and 32bit ISOs from Gwendal and Ircam… Is there any danger to install this? Is there really only Cinnamon corrupted? And these servers, are they also corrupted or clean?
thanks in advance 😉
I was downloading on the 21st and there was also another odd thing, as although I tried to select the Mate version, the download was the Cinnamon version. Tried twice with the same results so that’s what I went with and did get the hacked version but it doesn’t have the hack file.
Hello, kenetics.
Provided correct MD5 checksum means the checksum(s) published at the top of this blog page, then your downloaded ISO might be OK and not infected by the trojan.
The MD5 checksums on the Linux Mint webpages had been manipulated to match the manipulated ISO image file(s). So they cannot be trusted.
Karl
Domain Name: ABSENTVODKA.COM
…
Registrar URL: http://www.enom.com
Updated Date: 2016-01-22T12:37:28.00Z
…
Name Server: 127.0.0.1
Name Server: 127.0.0.2
Basically killed any lookups to that domain.
Hi i think I was affected by this. I downloaded and booted a copy from a USB stick. Is the entire laptop compromised? I typically run windows on my computer. Do I need to be worried about all files including the ones I access through windows typically?
Time for hardening your WordPress:
http://codex.wordpress.org/Hardening_WordPress
http://www.acunetix.com/websitesecurity/wordpress-security-top-tips-secure-wordpress-application/
And especially upload folder:
http://www.acunetix.com/blog/articles/wordpress-security-prevent-php-files-from-executing/
I avoided being compromised this Saturday by using a mate edition…
Great to know that you have detected it so quickly and to be transparent about this intrusion.
Great work and keep it up !
I updated from an already installed 17.2 MATE to 17.3 MATE through Mint’s download manager on that day. Is there any way that could have been affected. How could I check if I did not download and burn an ISO image for that update?
Thank you so much for your hard work!
Dan
I don’t recall having registered on the forums…but is there a way to be sure, Clem?
Edit by Clem: Yes, please check https://haveibeenpwned.com. They have knowledge of all the emails breached during this attack, and it will also show you if you were breached from earlier attacks.
Hello,
I have downloaded Linux Mint 17.3 on 19th February…
My MD5sum is d5d99960f64f71b9f16b5d424dfe146c
That doesn’t match the md5sum on this page….
Is it a valid or hacked md5sum :s ?
@Clem,
I don’t know if it’s true or not, check this http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
Why is it on Mint Linux? These people don’t know the importance of open source and the hard work behind it..
GOD DAMNED looked on my Windows 7 machine, on my Firefox history: 19th 13:06, the download link is http://5.104.175.212/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso
******* 🙁
I think I’m OK. I downloaded and installed around 12:00 pm CST on 2/21. MD5 checksum of image I used matches correctly and I do not see the man.cy file in /var/lib.
I downloaded the .iso from a mirror, but forget which one. So if the mirrors WERE affected, perhaps they were corrected by 2/21.
Is there anyway to check an existing install?
I created a bootable USB on 06Feb2016 and should be safe but get this :
cd /drives/e
md5sum -c MD5SUMS | grep FAILED
md5sum: can’t open ‘./pool/main/b/bcmwl/bcmwl-kernel-source_6.30.223.248+bdcom-0ubuntu0.2~lp1415880~1_i386.deb’: No such file or directory
./boot/grub/grub.cfg: FAILED
./boot/grub/loopback.cfg: FAILED
./isolinux/chain.c32: FAILED
./isolinux/isolinux.cfg: FAILED
./isolinux/vesamenu.c32: FAILED
md5sum: WARNING: 12 of 117 computed checksums did NOT match
./pool/main/b/bcmwl/bcmwl-kernel-source_6.30.223.248+bdcom-0ubuntu0.2~lp1415880~1_i386.deb: FAILED
Some files were modified by the installer but I don’t know about the others.
Does anyone have any suggestions? Since installing, I have spent 4-5 hours on configuration. Do I have to start over?
Good thing they did not create a md5 collision ISO. sha256 can be found here : http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/sha256sum.txt
I’ve downloaded the ISO on 02.20.2016, today checked MD5 sum and was incorrect.
@gunvolt Re Post#93 – Thanks for clarifying that.
As a very-longtime Mint user (actually since its inception) I wanted to express my utmost heartfelt thanks to Clem and his team for having made Linux Mint such a wonderful instrument. Coming from the Unix world of the 70s I know what a monumental task it has been for the GNU and Linux communities to build these formidable platforms. It’s disheartening to see that mint has been targeted by hackers, but I am confident – based on Linux Mint development team’s track record that they will put this incident behind and come through with flying colors.
Clem,
Since MD5 was compromised several years ago (https://en.wikipedia.org/wiki/MD5), I am wondering what measures you can take going forward. These sorts of attacks are only going to increase. I upgraded to 17.3 MATE several weeks ago, but have had an ongoing issue with Update Manager (often takes up to twenty minutes before the download begins). I now have to wonder if there might be problems as yet undiscovered. I considered migrating to the Cubes OS recently, but it would require some new hardware. I suppose I’ll have to revisit the question now.
Edit by Clem: Well, to be honest, we could switch to showing sha256sums by default, but the problem would have been the same. MD5 isn’t perfect but it plays no role here. The hacker would have replaced our sha256sum with his and performed the exact same attack. HTTPS is another thing we need to get done, and it protects against man in the middle attacks, but like MD5, HTTP isn’t perfect but it didn’t play a role in this attack.
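The two positions above, the call for detached signatures and Clem’s reply that an attacker who controls the site would have replaced a sha256sum just as easily as an md5sum, are both correct, and the following added example (not code from the original post or from the Linux Mint project) shows why. It uses Ed25519 from Go’s standard library as a stand-in for a GnuPG detached signature; the image bytes, the file name and the key pair are constructed for the demo. The manifest uses the `<hex>  <filename>` layout of the sha256sum.txt files the mirrors ship.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Mirror models what a download site serves: the image, its checksum manifest
// and a detached signature over the manifest. All three sit on the same host,
// so whoever controls the host controls all three files.
type Mirror struct {
	Images    map[string][]byte
	Manifest  string
	Signature []byte
}

// ManifestFor writes a sha256sum.txt-style manifest ("<hex>  <name>" per line).
func ManifestFor(images map[string][]byte) string {
	names := make([]string, 0, len(images))
	for n := range images {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(images[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// ParseManifest reads "<hex>  <name>" lines into name -> expected digest.
func ParseManifest(manifest string) (map[string]string, error) {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 || len(f[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		out[f[1]] = strings.ToLower(f[0])
	}
	return out, nil
}

// VerifyChecksum is what `sha256sum -c` (or `md5sum -c`) gives you: the image
// is compared only against the manifest served next to it.
func VerifyChecksum(m Mirror, name string) (bool, error) {
	want, err := ParseManifest(m.Manifest)
	if err != nil {
		return false, err
	}
	data, ok := m.Images[name]
	if !ok {
		return false, fmt.Errorf("no such image %q", name)
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]) == want[name], nil
}

// VerifySigned is the `gpg --verify` step: the manifest must carry a valid
// signature from a key the user pinned out of band before it is trusted.
func VerifySigned(m Mirror, name string, pinned ed25519.PublicKey) (bool, error) {
	if !ed25519.Verify(pinned, []byte(m.Manifest), m.Signature) {
		return false, errors.New("manifest signature does not verify against pinned key")
	}
	return VerifyChecksum(m, name)
}

// Scenario holds both checks on a clean mirror and on a mirror whose host
// was taken over and had image and manifest replaced together.
type Scenario struct {
	CleanChecksum, CleanSigned, TamperedChecksum, TamperedSigned bool
}

func RunScenario() (Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the maintainer's key pair (constructed)
	if err != nil {
		return Scenario{}, err
	}
	const iso = "linuxmint-17.3-cinnamon-64bit.iso"
	clean := Mirror{Images: map[string][]byte{iso: []byte("constructed clean image")}}
	clean.Manifest = ManifestFor(clean.Images)
	clean.Signature = ed25519.Sign(priv, []byte(clean.Manifest))

	// The attacker swaps the image and rewrites the manifest to match, but the
	// private key never lived on the web host, so the old signature is all he has.
	tampered := Mirror{Images: map[string][]byte{iso: []byte("constructed backdoored image")}}
	tampered.Manifest = ManifestFor(tampered.Images)
	tampered.Signature = clean.Signature

	var s Scenario
	if s.CleanChecksum, err = VerifyChecksum(clean, iso); err != nil {
		return s, err
	}
	if s.CleanSigned, err = VerifySigned(clean, iso, pub); err != nil {
		return s, err
	}
	if s.TamperedChecksum, err = VerifyChecksum(tampered, iso); err != nil {
		return s, err
	}
	s.TamperedSigned, _ = VerifySigned(tampered, iso, pub) // error here is the expected outcome
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s) // tampered mirror passes the checksum check and fails the signed one
}
```

The checksum step alone passes on the tampered mirror, which is Clem’s point; only the pinned-key verification fails, which is the CISSP’s point. The protection comes from the key being pinned somewhere other than the site being verified, not from the hash algorithm.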
Can we get an updated blog post? The site is still down. Any ETA or what’s going on to get it up. I know you’re busy.
Update Manager is saying there is an update to cpio. I don’t know whether to install it. More guidance would be helpful.
Edit by Clem: I can’t give an ETA yet, there’s still a lot we want to get done before we come back online. The repositories are functional and they were checked so you can apply updates.
Clem and Mint team;
First – Thanx for the “heads up”. I was unaffected (no D/L recently) and I use unique, complex passwords for all things that require passwords so I am not worried about compromised access elsewhere… but I will change my PW on the forum when it comes back up…
Second – Congratulations on being worth the effort it takes to be hacked. This is a back handed compliment from the hackers of the world… Congrats Mint Team – you have arrived!… 😉
Best,
– Reorx –
Great! I downloaded AND installed it on my laptop. Have had issues with it because it wouldn’t connect to the internet (connected to router but no internet access whatsoever). Maybe that explains why the forums pages wouldn’t load (trying to access via desktop) so I couldn’t get any help.
Now that I have it on my laptop, how am I supposed to get it off? You say “reinstall your OS,” but I don’t have a windows installation disk. When I try to restore computer, it only recognizes the partition that was set aside for Windows when I installed Mint. Now what?
Bad timing for me to reinstall and move from KDE to Cinnamon!
I downloaded the iso yesterday 21 February 22:16 CET, but I did it directly from this server: http://ftp.portlane.com/pub/os/linux/linuxmint/stable/17.3/
I checked the MD5-sum and it matches the one on the top of this blog and I checked the man.cy file is not present either, so it seems I’m in the clear?
…but man, I’m still a little nervous to start using my freshly installed Mint…what if other stuff is compromised and we don’t know yet…I’m sad now…
Is there any way to see if there’s a backdoor once the OS is installed?
Frank Barclay – 2100 – 2230 UTC most days
When will http://www.linuxmint.com/ be back online to download a non infected Version?
Edit by Clem: You can download from https://ftp.heanet.ie/mirrors/linuxmint.com/stable/17.3/
I know this is a little nerve wracking for everybody concerned not least Clem and the team but lets think of how the “big” boys might have handled this.
Can anybody here imagine the likes of MS, Apple, Adobe etc reactions to something like this happening to them? Perhaps waiting a few weeks while they decided to make it public never mind trying to fix it?
I for one am extremely pleased to watch how Clem has dealt with what must be a worrying and somewhat embarrassing situation.
Total honesty about what has happened, immediate action to mitigate and correct the problem and an attempt to keep us all in the loop despite my suspicions that Clem et all are at the point of exhaustion due to lack of sleep.
As soon as the donate page is up again I am going to hand over some of my hard earned money. A night or two less in the pub this week won’t kill me!
This is the best dist by far and I have been running it since I think version 3! At least I think it was 3 but my memory isn’t as good as it used to be.
Keep up the good work Clem and team. It is very much appreciated.
I have no doubt this “hit” was contracted for the express purpose of discrediting what has become the greatest alternative OS for people who are fed up with Microsoft spying and who also cannot afford an expensive Mac.
To the Mint team: take it as a compliment. As the saying goes, the higher you get, the more of a target you become.
Also, when you handle problems well like you are now, it actually ends up benefiting you in the end. Your users will trust you even more than they already do.
Keep up the good work!
+1 for Jerry’s post (126)! Clem, you did extremely well handling this, and I appreciate your honesty and hard work. 🙂
If something like this had happened to MS, etc… we might have never heard of it.
@ bananabob: that works for me. Actually I’m on irc right now if you want to try to connect, otherwise I’ll try again tomorrow.
Man I’m glad I’m a MATE user…
That said, I feel for you and your team, Clem. To be hacked like this right when you’re gearing up to build 18 must have you madder than a blind pervert in a strip club. As a Mint user this does have me a bit worried, but your prompt handling of the situation does much to put me at ease. Thanks Clem and team. Your efforts do not go unnoticed.
Getting all of the typical Debian vitriol over this on sites like Ars Technica. Good luck, Mint dev’s, on catching this and repairing things. I’m a Mint convert and will continue to donate to the cause. Hang in there. Look at it as a bad day in school where you at least learned a lot :). Thanks for a great distro!
Well, it’s about time the hack happened. There’s no such thing as “good” security, and it’s about time our community woke up to the problems we face. Security is a fluid. WordPress sites, while easy to setup and use, also pose problems – it’s a trade off between convenience for ease of access. As Linux Mint grows, so do the security issues – and frankly we might consider adopting some more of Debian’s methods. I love Linux Mint and the hack caught me by surprise, but rather than panic like a flock of hens, hopefully this will cause the team some pause to update our woefully backwards policy to protection. I think while a WordPress is an alright platform for news and blogs, for downloads and other services, we ought to migrate and adopt better tools to ward off attackers. The best foe of an enemy is a community capable of responding to attacks and mitigating damage and halting hacks when they occur.
All you people complaining about md5sums need to give it a rest. The infected ISO files FAIL the md5 check, so the md5sums are doing exactly what they are designed to do. Verifying a corrupt ISO.
Everyone looking for a “safe” download, use the torrents. They were not affected. I always use official torrents to download, and seed them 24/7 to help others. Since the Mint site is down at the moment, you could check linuxtracker.org or tuxdistro.com for the torrent files.
Looking at the heanet mirror link from above, it appears their md5sum file is still valid (as of this post). They match the values I have and verify with the clean files on my server. Hopefully that means their mirror is still okay. If you are looking for a clean download and don’t want to use torrents, then get them from heanet and use the signed sha256sums to verify them. I checked the 64-bit Cinnamon ISO and it verifies with sha256, and also matched my ISO which was downloaded well before the attack.
http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
@Clem,
Wow! So sorry this happened. Thanks for the quick response and announcement. Hopefully you’ll get this all sorted soon.
Try not to stress too much. Take some time to catch your breath and relax a bit. We’re all anxious to see your site back online, but not at the expense of your sanity or health, so take a break if you need to.
Aloha, Tim (aka Lolo Uila)
Guys i dont understand…
So looks like i have downloaded and installed a linux mint 17.3 Cinnamon x86_64 iso from 5.104.175.212
But:
- On Virtualbox I’ve checked on the Live DVD image for man.cy in /var/lib: not found (same thing on my laptop with that Linux Mint iso installed today)
- I have checked with Wireshark: no connection to absentvodka.com or other suspicious websites
- I have downloaded that iso on 19th February, not 20.
– and that strange MD5sum.
anyone can help me to understand ?
Jedinovice says: “Mint users rally to support Clem with record number of donations”. Thinking along those same lines–and I like the idea!
I pledge a donation to help when that link securely returns. Members and users should be thankful for the dedication of the Mint team, and for their expertise.
Hi, I downloaded on the 20th, please could you confirm whether this download URL was potentially compromised?
http://www.mirrorservice.org/sites/www.linuxmint.com/pub/linuxmint.com//stable/17.3/linuxmint-17.3-cinnamon-64bit.iso
(I had already deleted the ISO after briefly installing it, so cannot check the signature hash.
Thanks
Count me in! To stay with the distro, AND to make a donation. I’m liking Mint so much, and I don’t want it to go away.
Those crackers can suck my toes. They’ve not scared me away from Mint. Let’s not let the bad guys win!
Kudos to Clem & his fellow “minters” for saddling up. THIS LATEST HACK s/b a wake-up call to EVERY distro builder/maintainer/etc. If Mint’s .iso’s can be sabotaged/hijacked in that fashion, what is the probability of other distros’ live-CD/-DVD images being compromised? Especially the live images of lesser-known, not-as-well managed distros? @ Clem & his troupe: i am in awe of your integrity, honesty AND diligence! Thank you sooo much …
Journalist claims to have met “peace_of_mind” hacker.
http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
Wow, this guy/hacker is a terrorist. This isn’t hacking this is cyber terrorism, and Peace_of_xxxx should be treated as such.
We were recently informed about your website being hacked.
We are a dedicated servers/web hosting provider (www.verdina.net) and the IP mentioned here belongs to us, it’s a customer who rented some servers.
Do you have any other IPs from our networks?
The servers were all suspended and we are investigating the matter as well.
We wish you a fast recovery and a fast identification of the person(s) responsible.
Edit by Clem: Hi, many thanks for getting in touch with us. We contacted the Bulgarian authorities and they’ll probably want to know who rented them. We don’t know for sure if the people involved were victims as well or involved in the crime yet.
Hi All,
First, tops for Clem@Co. Second, I am staying with LM too. It’s a great distro and after 3 months of use, I can say it works like a charm. No way back. And more important, the hack will not scare me away from LM. The way the team handled this crime is reason for a big thumbs up and a donation, which I will make when everything is back to normal. I hope there will be more donations to come. It’s worth it! And a way to show the appreciation for the team and Linux Mint. Hang in there folks. Don’t let it get ya down……
I’m not happy with this hack, but why is comment 133 from ‘wow’ allowed to stand? Do you really want the “C” word on your site? Ladies don’t like being called that.
“The hacker from Russia (could be a VPN of course) even DDOSed my personal IP to prevent me from taking the site down.”
In USA that’s when you take laptop and cruise to local McDonald’s to bypass the IP denial of service, or a friend that lives more than a few miles away and preferably on another ISP.
As a recent convert from XP I ask myself why I did not switch over years ago…This distro is the best by far over the other choices. I’ve had trojan and malware issues with windows…nothing is bullet proof.
Clem and his team do a great job i will stay with mint and fully support them. In the end the bad guys won’t win.
I responded earlier… it was “pending moderation” for a long time & now it’s gone.
Yes, I was affected! You said in this blog post to let you know if we were and this is the only way I know how to let you know.
I had the same thought as Jerry… Can you imagine what the “big boys” would have done if this had happened to them. We’d most likely never have known about it AND would have had to pay them to provide support for the remedy.
Do I have great timing or what? 🙁 I downloaded it Saturday (even did the md5 thingy), installed as dual OS on family laptop… and stayed up past 1am trying to figure out why Mint couldn’t access the internet but Win7 could. Took a break yesterday & got back to it today… only to find I have a corrupted version.
Truly grateful that you’re on top of it and taking a hard stance to remedy the problem. Couple of questions:
The question still remains: How do I get the corrupted Mint off the laptop? I tried to restore Win, but it only recognizes the size of the partition that was allocated to Windows during the Mint install (300 GB hard drive, but restore only sees the 90GB that contains Windows). Do not have a Windows installation CD. Considered the WinX upgrade, but that’ll only recognize the 90 GB allocated to windows, too. Even willing to wipe the hard drive and start over… if I knew how.
I know you’re swamped and truly feel for ya, but could I get some help? Please? Keep checking your FB page, this blog, and my email for a response, and so far the only one I’ve gotten is that my comment on this blog has disappeared.
Edit by Clem: Sorry, we’re just fighting this on so many fronts… the ISO, the servers, the new servers, purging the backdoors, hardening, and so many comments and press queries, we can’t keep up. I moderated this one in a hurry to let you know it’s not lost (your previous one is probably out there as well). We’ll moderate it all and reply as much as possible in due time. I hope you understand it’s taking more time than we’d like. We’re doing everything we can on this.
Clem, you can count on me for an extra donation or two to help offset the costs of this TOTALLY UNDESERVED attack.
What scumbags the crackers must be to attack the source of software that has made and, after recovery, will continue to make a real contribution to the world!
I’ve been trying to migrate from windows for a long, long time..
tried linux a few times, have had good experiences & am now ready to take the plunge, 100%..
been comparing distros & desktops & decided on Mint, just this past weekend..
i **LIKE** the way Clem & Co. are handling this! THANK YOU!!!!
this is EXACTLY WHAT YOU WOULD ***NEVER*** FIND FROM THE CORPORATE INTERESTS!!!
after the dust settles, i’m donating $50.
xx ‘piece_of_xxx’..
good work, guys.. this actually makes me feel *safer*, because it *informs* me…
Edit by Clem: Thanks, please do not swear though.
In response to #135/Danni63:
Get a copy of GParted, either the standalone live boot version or a Linux distro that includes it (like Mint if it’s possible to download it right now. I’m pretty sure GParted is included on Puppy Slacko, and I expect there are several others that have it.). Install to a CD/DVD/USB drive as you did with Mint when you installed it. Boot it live, and use GParted to format your Mint partition(s). If you want to resize your partitions, you can do so now, just be careful about shrinking Windows any more, it may not like it. Install a clean copy of Mint when you have one.
I am considering switching to Debian or Fedora now.
Thank you Clem and your team for being so honest to us. As was mentioned earlier the big boys would of kept quiet about an intrusion. I raise a glass to you. cheers
sorry about that..
sorry about that.. not even a *little*.. ; )
I’d like to donate now, if possible, using paypal.
the donation page is down, so is there a am @LinuxMint.com I can send to?
thanks!
Danni63,
You could use Windows disk management to delete the Linux partition. Or you could download a 3rd party alternative, like GParted or any other partition manager.
Your best bet, however, would be to wipe everything off the system and reinstall, even Windows. When you were running the corrupted Mint, you were vulnerable to attack, so it’s possible the hacker could have compromised your Windows install as well.
Your Windows install may very well be fine (and it’s likely it is), but it’s better to be safe than sorry (especially where Windows is concerned).
You should probably change passwords for sensitive sites as well.
Sorry you got caught up in this. 🙁 Good luck.
Aloha, TRP
I have 17.3 cinnamon 32 bit and I do not have a /var/lib/man.cy folder/file only a man-db. Am I affected? I downloaded the 32bit on 2/15/16
Hello, I downloaded linux mint on 19 Feb. I had a few issues:
1. system settings was not opening and crashing
2. nemo was not opening and crashing
3. I could not shutdown my pc. Got only a black screen when trying to shutdown. I had to manually shutdown by pressing the power button.
4. when I was trying to restart it would logout and won’t restart.
Was my iso compromised? I deleted the iso out of fear and I did not check md5. Please, any help would be appreciated by this newbie. Hope everything gets sorted out asap. Good luck to mint devs. I know the 20 Feb iso, but these strange problems I never faced in mint 17.2.
I have been posting a lot of recommends about Mint with Cinnamon. I am not even a Linux user, Windows is my preference. I am really even more impressed with you after this. OMG! A Linux guru who is not afraid to admit to being hacked however it was done. I hope they catch the guy.
I was going to download Mint today but got sidetracked then saw this on Threatpost in today’s mail. I will monitor this and download when I see it is completely clear. The reason I was going to download and learn it is that I do tech fixes and disinfecting/tweaking computers for friends and acquaintances since my retirement. Many have boat anchor old XP machines and I wanted to see how it ran, and then how easy it is to install and maintain. Then I can load it and return the computers working with a little help on using it.
Keep up the good work! I will never switch to Linux for everyday computing, I don’t get infections and frankly don’t see any BSODs. I am convinced lots of folks who rave about how bad Windows is haven’t run it seriously for themselves in a few years. That not said to try to get them to switch, only to ask that they check their premise first. And you have gotten a Windows guy to recommend your distro based on user comments and ZDNET articles about it.
Huah.
I appreciate the honesty, in regards to what happened. I don’t think anyone needs to be assigned blame for the community to move forward. What happened is spilled milk, and might help bring greater attention to security going forward.
This incident shouldn’t lead people believe Mint Linux is any less secure than any alternatives. Logically that just doesn’t make sense.
While you can make Linux become anything, there are limits to the amount of time and patience one has. Mint Linux, looks nice, has a nice feel, and has most of the general use cases for an OS covered out of the box. Mint is by far my favorite for these reasons.
While I have already sent a donation already this month, I will be sending another one after the page comes up to help cover the additional costs this incident will have likely generated. As some people have already said, I encourage more of the community to do the same.
recently moved from Windows to MINT and was amazed how slick it is! sick of Microsoft forcing apps on you, constantly changing your settings back, and tracking everything you do – so yea they must be worried about the popularity of MINT! – I would imagine many hours are being spent sorting this out, and will also be donating when site is back up – good luck! – thanks again
First of all. Great distro.
It’s a shame people do this kind of damage. Wasting time and resources.
I am quite sure most people using this distro agree you are handling a big problem for which you are not responsible.
Once the donation site is up again. I’m going to donate.
Qbertopp,
You should be okay, but to check you should verify the sha256sum hash of your ISO against the ones on the heanet mirror linked above. I also posted the hashes for the clean ISO images I have on my server below.
46b8a14826a53f4cacf56d1132a5184c2132f274aef8103e5e8e8cae9e1cfde0 linuxmint-17.3-cinnamon-32bit.iso
854d0cfaa9139a898c2a22aa505b919ddde34f93b04a831b3f030ffe4e25a8e3 linuxmint-17.3-cinnamon-64bit.iso
506a8e88c83cddc7fadd2b7c5bf25b7e6a15f028e1628004dcd6470084430f17 linuxmint-17.3-mate-32bit.iso
d02bfaae749db966778276a8ae364843c1ffb37b3e1990c205f938bda367ad2a linuxmint-17.3-mate-64bit.iso
be64bf240a47df03fedca1b8aeb9357896e3dedd55446a0f87eca4f638c9d28c linuxmint-17.3-kde-32bit.iso
aa33bf286e92556163c335b258fe5cbd9f65f4ab8490e277fed94cf20d3920e4 linuxmint-17.3-kde-64bit.iso
cebff34e99b071d7237d2cfd2e24719f5a72e9e499a82d424007e850befc755b linuxmint-17.3-xfce-32bit.iso
83c1796a37582bdea74117193cef369582d72093fd0b5278ae03016bd8685b04 linuxmint-17.3-xfce-64bit.iso
Is the linux mint 17.3 Rosa 64-bit infected??
So again I ask, as my email address is now showing up on pwned…
If I upgraded to Rosa via the upgrade manager on the 20th and subsequently have no checksum to verify, how can I tell if my system is compromised?
Thanks
Clem, I am 100% stepping into a linux distro “seriously” for daily computing and not just for sh.. and giggles off a flash drive… for the first time. I did a little comparison over the last 2 months and decided on Mint. I had my new SDD arrive today (literally about 6 hours ago) to give this ordeal a whirl… plug it in, go look for a download and “hacked” oh snap!!
I’m glad you are on this, honest about it, and providing alternatives in the mean time. I’m not giving up, I’m still going to install the “safe” copy you’ve linked here numerous times.
I’ll check it against the known bad checksums (simple task) and going for a linux box finally. Wish me luck!
Clem (when you have time) – I have emails showing I had a forum account back in 2013. But today when I try to log in so I can change my password it says it does not recognize my username.
I even did a search in the members page for my username and email address and it did not find it.
Any chance you started a new forum after 2013 sometime so I don’t have an account in the “new” forum – or did my account disappear somehow.
Trying to just wait till you all get some air so I know how to proceed. (Also need to know when it’s settled down as I’m rolling 17.3 out on MintBox Mini’s for our manufacturing plant (yeah! What an amazing piece of hardware!)
Thanks.
Edit by Clem: Check https://haveibeenpwned.com/
LM all the way!
(LMDE2 that is) 🙂
Clem & the team thanks for everything you do!
First of all, thanks for this amazing distro! I’ve been using it as my only operational system for about 2 weeks now, both at home and at work, and I’m very satisfied ^_^
I installed Mint on February 10, way before the date on which your site was compromised, but something is bugging me…
On the Ubuntu help site, they say that root login is disabled by default. Since this distro is based on Ubuntu, I assumed it was the same. But when I tested it, root login was enabled after installation. I could open a terminal, type “su -” (no need for sudo), enter my regular user password and gain root access.
I’m pretty positive I didn’t enable root login. Was my computer compromised? Or does Mint come with root login enabled by default? If Mint does enable root login by default, is there any rationale behind it? I disabled root login and I didn’t notice any negative impact on the system.
There is one more thing I would like to ask.
This week the updater has been giving hashfail errors nonstop. Most problems seem to come from “extras.linuxmint.com” amd64 stuff. I tried to switch mirrors many times, but the errors persist.
Is this in any way related to this invasion?
Best regards and thanks for everything.
For people who are left wondering if they have an infection:
Correct me if I’m wrong here…
The threat was stated to be “tsunami”, which is pretty old, so pretty much any virus scanner should pick it up?
If someone cannot verify their ISO file, and the above mentioned thought is correct, then someone could just do the following to get peace of mind:
Open a terminal window
install clam anti-virus by entering:
sudo apt-get install clamav
update the virus definitions by typing:
sudo freshclam
scan the computer by entering:
sudo clamscan -r /
wait for your results..
Emails to users to warn them would be nice, but that requires knowing an email address for everyone.
I found out because the site was down and I did a search.
The sha256sum hash of the infected download did not match, which should have stopped anyone from installing the download.
The site was infected about 8 years ago, August 15, 2008.
http://blog.linuxmint.com/?p=235
Both times Clem acted as soon as the problem was discovered, and was honest and open about it.
This happens. It will happen again. Eight years between infections seems like a reasonable history.
Thanks.
Yes I’m just wondering is it safe to update my Linux Mint? I downloaded and installed Mint awhile back so I know I have a good ISO. I just don’t know if I can safely update my system or not.
So are the iso files at http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/ ok to download? I need to install… what should I do.
I am a long time MS DOS & Windows user and got back into Linux recently as I decided XP would be my last MS OS. My previous Linux experience was with Mandriva 2008 which was very good. This time I decided on Mint 17.3 cinnamon (it was a DVD package on a Magazine). Things have certainly moved on!
I thank all the people who gave us Mint – it is superb. Please do not feel the need to react to this episode by changing the fine balance between stability, security and function in your distribution because I think it is just right.
Like others who have commented here I pledge to donate some money as a new user. I have been so impressed by this flavour of Linux. Maybe it’s too good, if it’s become a target 🙂 Best wishes.
>I am considering switching to Debian or Fedora now.
Well, you can if you like but they are MUCH harder distros to work with. Plus…
a) This was nothing to do with Mint per se. It was the *website* that was cracked.
b) I more than suspect that FUD regarding Mint was what the crackers intended. Dropping Mint would be aiding the loons who did this and encouraging them to do such again – maybe to other distros.
>”Sorry, we’re just fighting this on so many fronts… the ISO, the servers, the new servers, purging the backdoors, hardening, and so many comments and press queries, we can’t keep up.”
I think I speak for the vast majority when I say we understand and are behind you. Take your time and get it right.
Remember the programming adage, “First make it work then make it fast.”
Did this affect LMDE? Downloaded on 20th and unsure whether to install.
What happened to Linux Mint website? It’s down!
JM,
The only thing OS related that was compromised were the ISO images (Cinnamon versions), and only for one day. If you did not install from a hacked ISO then your OS should be fine.
However, the forums database was also stolen, so your email likely ended up on pwned from that. The hacker got usernames and emails, along with an encrypted (but crackable) password. If you use the same username, email and/or password anywhere else you should change them ASAP.
Richard,
Did you not read the subject of this entire blog post?
Scroll up to the top and start reading.
(hint: yes, it’s down due to being hacked)
On Saturday I upgraded my Mint and on Sunday the system went into an unstable state (my terminal background color changed, my running programs were closed and the network was disconnected); after that I lost my personal data on my drive, all of it was removed. Is that related to this hack?
I didn’t use compromised ISO but upgrade system.
I really don’t understand why people point out that the website should use sha256sum when either way, sha256sum or md5sum – WILL ALSO CHANGE BECAUSE THE FILE HAS CHANGED. -_- It really doesn’t help Clem and Co. What are they thinking? Automagically, sha256sum will protect everyone because it’s updated? c’mon. -_-
Best of luck Clem, Mint is still. <3
Hi. I downloaded Linux Mate 64 bit with codecs early Friday morning and burned it directly to cd. The Acer was fine till I restarted it Friday night and it crashed. I have some of my data backed to an external HDD, but the Acer won’t “accept” it. All recovery and restore functions are crippled. The ironic thing is this: this was the very first time I’ve ever tried a Linux OS. However, when I get this repaired, I will still try a Linux OS as I feel you were victimized and see no carelessness on your part.
Website is hacked and this happens to all organisations, including most secure ones, Banks, Governments, big ecommerce sites etc. Nothing related to product (Linux Mint). More related to PHP Scripting Language and lots of amateur applications built on top of it.
Hello, I’m pretty sure I’ve installed all my Linux Mint 17.3 either in December 2015 or early January 2016. But I’ve not kept the ISO and I’ve formatted the USB stick I used so I can’t be sure. Is there something I can do to be sure I didn’t get infected anyway? Some tool I can run?
I’m using a newly-installed 17.3 LMDE 2 (cinnamon) and found the following file in my downloads dir on feb 19:
Plugin-Message24328972347532.scr (possibly an executable related to mono runtime, which is an ECMA script interpreter ? )
I did not d/l this and don’t know how it got into my d/l directory.
Any thoughts ? Searching yields some Steam-related victims of related malware, but I don’t use Steam . . . and haven’t done much of anything with this sys since recently installing it fresh.
Thank You
Hi, I’m new to linux.
I downloaded and installed 17.3 cinnamon 64bit on February 17th.
I just checked the MD5 signature of my ISO and it doesn’t match with the official signature.
My ISO MD5 signature is : b934f21d9a7ef1212ca5a9519e97e5cb
I saw that some people who didn’t download the ISO on February 20th also have the same issue.
Is it fine?
Thank you.
Re: Post 172
Hi Lala. That’s very concerning.
Linux Mint is the first choice for many Windows users, because of the easy learning curve and adaption.
Since Qiana (17) I use Mint and everyone without exception is very happy and uses Windows only if necessary. Regular maintenance such as the tiresome Windows update, register/file cleaning, AV updates/upgrades, defragmentation are no longer required.
The update manager is efficient & fast.
I will continue to use Mint as I regard the situation as a wake-up call. I am glad that the news spread wide over the net reminding that security is always important.
I think it is time for mint to collaborate with others like Fedora to understand better the strong and the weak of each other.
As I have read from above, a fundraising might be a good idea to make Mint even more professional and become acknowledged by the public.
@lumberjack,
I checked one ISO from the heanet mirror a few hours back and it was okay. There are signed sha256 hashes on that mirror you can use to verify the ISO you download. I also posted the sha256 hashes from the clean ISO images I have on my personal server (which should match the ones on the mirror).
46b8a14826a53f4cacf56d1132a5184c2132f274aef8103e5e8e8cae9e1cfde0 linuxmint-17.3-cinnamon-32bit.iso
854d0cfaa9139a898c2a22aa505b919ddde34f93b04a831b3f030ffe4e25a8e3 linuxmint-17.3-cinnamon-64bit.iso
506a8e88c83cddc7fadd2b7c5bf25b7e6a15f028e1628004dcd6470084430f17 linuxmint-17.3-mate-32bit.iso
d02bfaae749db966778276a8ae364843c1ffb37b3e1990c205f938bda367ad2a linuxmint-17.3-mate-64bit.iso
be64bf240a47df03fedca1b8aeb9357896e3dedd55446a0f87eca4f638c9d28c linuxmint-17.3-kde-32bit.iso
aa33bf286e92556163c335b258fe5cbd9f65f4ab8490e277fed94cf20d3920e4 linuxmint-17.3-kde-64bit.iso
cebff34e99b071d7237d2cfd2e24719f5a72e9e499a82d424007e850befc755b linuxmint-17.3-xfce-32bit.iso
83c1796a37582bdea74117193cef369582d72093fd0b5278ae03016bd8685b04 linuxmint-17.3-xfce-64bit.iso
Another way to get a good image is to use the torrents. Check linuxtracker.org or tuxdistro.com for the Mint torrent files. Oh, and make sure they are torrents from before the hack in mid January, just in case the asshats try to seed a fake torrent. You can then use the above sha256 hashes (or the ones from the mirror Clem posted a link to) to verify the ISO image before installing it.
To use a signed sha hash download the ISO(s) you want along with the sha256sum.txt file as well as the sha256sum.txt.gpg file, then open a terminal in the folder with all those files and enter:
gpg --verify sha256sum.txt.gpg sha256sum.txt
You’ll get a response like this:
gpg: Signature made Wed 06 Jan 2016 08:06:20 AM PST using DSA key ID 0FF405B2
gpg: Can’t check signature: public key not found
The key ID at the end of the first line is the key you’ll need to verify the integrity of the sha hash sums file. So now you need to get the key (we’ll use the Ubuntu key server to be safe).
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x0FF405B2
Note the hex number after the 0x is the ID of the key we got with the first gpg command (0FF405B2). You should see a response like this:
gpg: requesting key 0FF405B2 from hkp server keyserver.ubuntu.com
gpg: key 0FF405B2: public key “Clement Lefebvre (Linux Mint Package Repository v1) ” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
Next, you’ll want to verify the signature of the hash file to see if it’s been altered, so enter:
gpg --verify sha256sum.txt.gpg sha256sum.txt
And look for “Good signature” in the output.
gpg: Signature made Wed 06 Jan 2016 08:06:20 AM PST using DSA key ID 0FF405B2
gpg: Good signature from “Clement Lefebvre (Linux Mint Package Repository v1) ”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2
This tells us that the sha256sum.txt hash file was signed by Clem (linuxmint.com). The warning below that can be ignored (it just indicates your current GnuPG trust database does not have trust information for that signing key).
So now we can check the ISO image(s) you have downloaded.
sha256sum -c sha256sum.txt 2>&1 | grep OK
After a moment you should see the name of each ISO file with its status.
linuxmint-17.3-cinnamon-32bit.iso: OK
linuxmint-17.3-cinnamon-64bit.iso: OK
Which, hopefully will look like above.
Aloha, TRP
If any one wants to download ISO’s:
linuxmint-17.3-cinnamon-32bit.iso
linuxmint-17.3-cinnamon-64bit.iso
via p2p torrent file then that can be done from here.
http://linuxtracker.org/index.php?page=torrents&search=&category=347&active=1
I permanently seed these two ISO’s myself and can confirm that those ISO’s from that site as source for the torrent check out fine against MD5 and SHA256 checksums given at this Mint webpage:
http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
(I can’t comment if the “OEM” and “No Codecs” torrents for that site check as okay as I don’t have those ISO’s on HDD. However, I would assume that they are unaffected by the problems being discussed here. Just if you do download them remember to check the downloads against the MD5 and SHA256 checksums given at the Mint website.)
FYI: I did download and test the two files in my post above and they passed. So they are good images on the heanet mirror that you can use.
http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
But you should follow the procedure and verify them yourself.
If you are really paranoid and want to verify the procedure itself, look here:
https://help.ubuntu.com/community/VerifyIsoHowto
And now the roosters are crowing outside because it’s morning and I have been up all night. So good luck everyone, I’m going to bed.
Hi fellows! sorry about the hacking, i’m sure it’s producing some headaches. Is there any way to download the last version of linux mint while the server is down? i’ve just got a new computer and i was looking for it.
As I have read on comments above, a fundraising would be good to help you cover any expenses you may have in making this more secure. At the end, we benefit from this great distro, and it’s only fair to donate something for it. You may publish something in your site asking for a donation to improve security, I guess everyone who uses this distro will be glad to help. I’d definitely do, even though it’s not too much, but it’s something.
I mean the last LTS version of linux mint
@Clem
Thank you Clem and team for the quick response, transparency, and making the community a part of the team.
You have my continued support and donations…
will be the server fixed soon?
Hacker explains what happened on ZDNet: http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
I downloaded linuxmint-17.3-cinnamon-64bit.iso January 19th 2016. The server I don’t remember. The md5sum of the iso is 0327715c713369bedf52cd9c7d933226 i.e. invalid.
Since I already installed Mint 17.3 I looked for the infection. There isn’t any “/var/lib/man.cy”. Of course I will format the disk and reinstall older version.
Are you interested in the iso file or can I shred it?
@359 chanchullero
You can download and get checksums files from here:
http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
If you would rather download via p2p torrent then that can be done from here:
http://linuxtracker.org/index.php?page=torrents&search=&category=347&active=1
In both instances you should, of course, check the downloaded ISO(s) against the checksums information (MD5 and SHA256) available at the first mentioned download link.
To check them use the following in a terminal:
md5sum linuxmint-17.3-cinnamon-64bit.iso
sha256sum linuxmint-17.3-cinnamon-64bit.iso
(Obviously you would need to provide the correct path and filename for the ISO you actually want to check.)
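The two comments above (TRP’s walkthrough ending with `sha256sum -c sha256sum.txt`, and the `md5sum` / `sha256sum` commands just given) both come down to the same check: recompute the digest of the downloaded file and compare it to the published one. The following is an added example, not code from either commenter or from the Linux Mint project: a small Python re-implementation of what `sha256sum -c` (or `md5sum -c`) does, so the meaning of each `OK` / `FAILED` line is explicit. It assumes the checksum file uses the GNU coreutils two-column format (`<hex digest>  <filename>`, with an optional `*` before the filename for binary mode); the “ISO” files it checks are constructed throwaway files, not real images.

```python
"""Re-implementation of `sha256sum -c` / `md5sum -c` for checking ISO downloads.

Added example (not Linux Mint's or the commenters' code). Assumes the GNU
coreutils checksum-file format: one '<hex digest>  <filename>' line per file,
with an optional '*' before the filename meaning binary mode.
"""
import hashlib
import os
import tempfile


def parse_sums_file(text):
    """Return [(digest, filename), ...] from coreutils-style checksum text.

    Blank lines and '#' comments are skipped; a leading '*' (binary marker)
    is stripped from the filename; digests are lower-cased for comparison.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):
            name = name[1:]
        entries.append((digest.lower(), name))
    return entries


def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so multi-GB ISOs don't have to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sums(sums_path, algo="sha256"):
    """Check every file listed in sums_path (resolved relative to that file).

    Returns {filename: 'OK' | 'FAILED' | 'MISSING'}, mirroring the status words
    `sha256sum -c` prints. 'FAILED' is the case that matters: the bytes on disk
    are not the bytes the publisher hashed.
    """
    base = os.path.dirname(os.path.abspath(sums_path))
    with open(sums_path, encoding="utf-8") as fh:
        entries = parse_sums_file(fh.read())
    results = {}
    for expected, name in entries:
        path = os.path.join(base, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if file_digest(path, algo) == expected else "FAILED"
    return results


def _write(path, data, text=False):
    mode = "w" if text else "wb"
    with open(path, mode, **({"encoding": "utf-8"} if text else {})) as fh:
        fh.write(data)


def demo():
    """Constructed download directory: one good image, one altered copy, one absent.

    The checksum files list the *good* digest for both images, as a mirror's
    sha256sum.txt would; the altered copy therefore reports FAILED.
    """
    d = tempfile.mkdtemp()
    good = b"GOOD-ISO-CONTENT" * 1000          # constructed stand-in for an ISO
    _write(os.path.join(d, "good.iso"), good)
    _write(os.path.join(d, "tampered.iso"), good[:-1] + b"!")  # one byte changed
    good_sha = hashlib.sha256(good).hexdigest()
    good_md5 = hashlib.md5(good).hexdigest()
    missing_sha = hashlib.sha256(b"never downloaded").hexdigest()
    sha_file = os.path.join(d, "sha256sum.txt")
    md5_file = os.path.join(d, "md5sum.txt")
    _write(sha_file, f"{good_sha}  good.iso\n{good_sha} *tampered.iso\n"
                     f"{missing_sha}  missing.iso\n", text=True)
    _write(md5_file, f"{good_md5}  good.iso\n{good_md5}  tampered.iso\n", text=True)
    return {"sha256": check_sums(sha_file, "sha256"),
            "md5": check_sums(md5_file, "md5")}


if __name__ == "__main__":
    for algo, results in demo().items():
        for name, status in results.items():
            print(f"[{algo}] {name}: {status}")
```

This covers only the hash step; the `gpg --verify sha256sum.txt.gpg sha256sum.txt` step in TRP’s walkthrough is what ties the checksum file itself to the signing key, and a hash comparison against an unsigned list only tells you the download matches whatever the list says.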
@chanchullero: Comment #357 and #358 above have the links to both the iso images (direct download) and torrents.
@jake
I believe that ZDNet article is considered “erroneous” as in the “cracker” that was interviewed was a wannabe, not the real culprit.
Could anyone please send me a copy of that “man.cy” file? Email: yo_victor_00@yahoo.com, thank you!
I also confirm the MD5 for the Linuxmint Cinnamon 17.3 64 bit ISO, as per Clem, at http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3 hashes correctly to:
e71a2aad8b58605e906dbea444dc4983
Continuing with installation.
If any other noobs like me need a hash checker (scanned with Comodo), one can be found here:
http://compressme.net/ (Set MD5 from the SHA1 default)
Thanks again, guys.
There is also the possibility that the hacker in the article is providing a “red herring” to distract from any possible corporate involvement. He might or might not have anything directly to do with it.
Given that there were two breaches, the second after you became aware of the first, and the second one also compromised the mirrors, what assurances can you give us that the repositories and non-cinnamon desktops were not affected?
Sorry to hear about the hacking. Count me in to help in funding for upgrades to servers
+
To the cracker: nice shot, but you failed miserably, you POS.
To all the rats abandoning the ship: Good riddance.
The Linux Mint ship is far from sinking, it is alive and well, and flourishing.
Kudos to Clem and his team for transparency and quick action. That only strengthens the already mighty confidence I have in Linux Mint. I switched to Mint years ago and will continue using it, will NOT leave it because of a slimy POS cracker.
Hope the website is back up soon, much safer and improved, so I can also make a donation.
Thanks again Clem for all the good work.
I updated my other computer from 17.2 to 17.3 cinnamon over the weekend and now when it boots up cinnamon crashes then get an error cinnamon crashed do you want to restart cinnamon then its just a cycle of crashes.
Tried to go to the forums to ask for help and discovered the hack thing is my problem related to the hacking?
Thought Linux and phpBB could not be hacked, what did phpBB say about the forums being hacked and the user info being compromised ?
Thanks.
If the January forum hack is confirmed, then the one who was interviewed is really the hacker himself or at least well informed.
Thanks for the great job. Success always attracts bad people who want to abuse it.
I updated Linux Mint Cinnamon 17.2 to 17.3 via the terminal; will Mint Cinnamon 17.3 have some security risk of being hacked?
Hello, I’m truly just some old geezer who has become more and more worried about what Windows 10 was doing, and what Apple is actually sharing. So I thought, ok, I’ll try it – so Linux Mint, here I am, and I like it! But there has to be an easier way for me (an old geezer who is totally new to Mint) to check the veracity of the file I get from you folks. How can a recovering Windows user learn about PGP sigs and MD5 stuff? Shouldn’t this operating system have an easier way to do this? I want to tell my friends about Mint but…well, this virus thing worries me a little.
LTL
Now is not the time to panic, in fact it’s time to put your money where your mouth is and show your support for the best distro out there! Help Clem pay for the new servers! Donations sent!
TA
@TRP –
Thank you!
– JM
Donations page is back up guys. Let’s show Clem and the team some support! Donation sent.
I updated from 17.2 to 17.3 over the weekend and the computer keeps crashing when it boots up.
Tried to get help on the Linux Mint forums but they are down, stumbled onto this hacking thing by a Google search for Linux Mint
@Clem
Thanks for expanding the ‘open’ from software to communication…
You guys are doing a very great job.
Da page is back up!
I dood my duty!! 50 of ’em!
take *THAT* crackers!!
Donations sent. Keep up the good work!
Thanks Linux Mint team for dealing with this in your usual stable and efficient way. Which is no surprise, since that’s what people love about the software.
Donation sent! Keep up the good work.
Woo Hoo! Donation Sent will show from ‘solent’ – Many thanks
@Long Time Listener First Time Caller….In truth there is nothing to worry about, at least in the way you would have worried when you were a Windows user. I am a good ten years into using Linux and I have never had a virus or any other type of malware attack my machines in all that time. This is really a very isolated incident.
Thanks! You’s guys are amazing.
R
Clem : please take a look at this http://www.welivesecurity.com/2016/02/22/linux-mint-hacked/
“Sadly, the problems do not appear to end there.
Fox-IT threat researcher Yonathan Klijnsma tweeted that he had found a hacker going by the moniker of “peace_of_mind” attempting to sell a phpBB forum database stolen from the Linux Mint server on an underground website.”
!!!!!!!!!!!!!!!!!
So aside from checking an ISO there isn’t a single way to know if my computer is infected; I cannot even be sure that the date of the 20th is right, for all we know Mint could have been messed up long before. How am I supposed to trust Mint and Linux when things like this happen and you are basically left guessing by using a Magic 8 ball?
Donation sent!
As I said on the other side, One Love. One Heart. Linux Mint can’t be beat! It’s called FRREEEDOMMM!!
I downloaded the cinnamon 64 edition on 23 feb through torrent. MD5 was ok. Should I be worried?
ElisaMasah: Check for the file man.cy, and see whether it’s present in /var/lib . If it cannot be found, your install is clean. It it’s there, you’ll need to reinstall.
Clem has already said that the malware can easily remove the file once it is installed, so man.cy is not a proof at all; you can still be infected even if you don’t have it.
Is the ISO from Heise in its German version also corrupted, or does this concern only the ISOs from the linuxmint website?
Edit by Clem: The hacker didn’t hack the mirrors, he hacked our website and made it point to his ISO instead of the ones stored in the mirrors. In any case, no matter where you download it from, please check its hash before considering it safe.
Okay, sorry. In that case, someone who knows better will probably weigh in soon.
@ElisaMasah
If you like you can reinstall from a fresh ISO.
there is a virus checker called ClamTk in the software store
I downloaded the Rosa update exactly on the 20-th from the Update Manager. Checked for man.cy, the file is not there, also don’t seem to be connected to the malicious ftp’s. Should I just re-install or am I safe as long as I updated from the Update Manager? Hope the repo was not compromised as well
Got a security update just now, saying it will detect Tsunami and warn the user? Confirm?
Just checking….
I know the web site is up, and donations are able to be sent. But has it been confirmed the only the ISO links were hacked, and that the information to make the donations through the website are safe from this guy?
Dan
Sjur – didn’t get that update. Just libssh and cpio
Clem, I suggest you have a look at Sucuri, they have a very nice WAF (and many other features.)
I hear the hackers compromised your WordPress installation?
Sucuri specifically focuses on protecting WP websites, but they can cover pretty much any website design, they’re much like Cloudflare.
Their WAF is a lot more accurate and has way more sophisticated “Virtual Patching.” The graphs and statistics are great too…
I wouldn’t suggest this to you if it wasn’t worth checking out.
Sucuri was founded by Daniel Cid, he made the OSSEC HIDS.
🙂
Edit by Clem: We joined Sucuri during the week-end, and I had a chat with Daniel today. I’ll talk more about this soon, but we’re going towards a partnership and using many of the services they provide.
My donation sent as well. Time to come to arms to help our team
Wow. I hope the guys who are doing this get in BIG trouble.
Why is the website still on http, not https?
Edit by Clem: It’s coming.
Sjur: same here, just saw an update to mintupdate, claiming it will detect Tsunami & warn the user. Just now.
So far, the only changes I can see, compared to the earlier build, is a quick-and-dirty check for the tsunami malware files, and a new warning. Everything else looks pretty much the same, so far.
@Clem, is this update from you, or should we be worried?
Edit by Clem: It is.
I did a live upgrade from 17.2 – 17.3 during the time in question, would this have affected my system and if so how can I tell?
Thank you for being so upfront, honest, and quick to respond.
Welcome back,LM-team. Donation is made,hope there will be many,many more donations to come. The force is strong with this one……
Hello,
I just upgraded to 17.3 (from 17.2) through update manager. This was a safe upgrade?
Sorry for the dumb question here…but I searched for it and didn’t get any relevant hits.
Update Manager has one update: mintupdate
with a Change log of: “* Detect TSUNAMI and warn the user!”
Presuming this to be valid, but didn’t see anyone talking about it other than Sjur at comment 388.
Edit by Clem: Yes, please take the update.
I just reinstalled my system with Linux Mint MATE 17.3. No problems so far.
I wasn’t affected ISOwise -email, perhaps but,
updates cpio and Level 5 linux -Linux Kernel Header for development, old: 13.3.0-77.121 to new: 13.3.0-79.123 are good to go then?
I’m quite grateful for Mint and the Mint Team. My donation is my small way of saying thanks and hang in there guys. This too shall pass.
Clem, I just noticed I neglected to thank you for getting on top of this situation so quickly, and keeping all of us in the loop! Yet another reason I keep Linux Mint on my main boxen, and I hope it stays that way!
Keep up the great work!
Well done for being open and transparent about this.
Am I right in assuming that anyone who has been checking sha256sums that are signed by a consistent long-term GPG key (in this case E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2) should be safe?
If so, maybe this is a good moment to educate people in the importance of doing those sort of checks, while LM has the spotlight in the wake of this hack. It could also be a chance to publicly shame those distros that STILL don’t provide GPG-signed checksums.
Thanks for sharing. I just installed a Linux Mint Rosa XFCE distribution in those days and am happy to know that everything is okay. I still did the md5 check, because why not, and all is good 🙂
Adding to that, I remember a case in Germany like 1-2 years ago, where the government had known that a lot of e-mail addresses had been stolen. They did inform everyone about it in November and made a site public to check your mail address in December. Then people found out that the addresses had already been stolen in April/May and it took them 6 months to make it public!! There was so much bullshit involved and I am really happy with the Linux Mint team for making this honest blog post. Adding to that, I agree with the way everything is being handled right now, as well as hoping for the correct decisions being made for it not to happen again.
Asking the community for some kind of advice might also not be a stupid idea. More heads can figure out more stuff.
Is everything fixed yet? Best advice currently for those wanting to download Linux Mint?
Edit by Clem: No, forums are still down and there’s much more we decided to do. Best advice: Check the MD5, no matter where you get the ISO from.
Also, as LTL points out, maybe we could do a better job of documenting (in a user-friendly way) how to check GPG-signed checksums?
You should send flowers to whoever did this.
They created a big free marketing campaign for you with this event and lighted up the security issue with website.
I wish you the very best!
an update is proposed for mintupdate 4.9.9 to 4.9.9.1
Please, is it safe?
Thanx
Edit by Clem: Yes.
Today I received this security update mintUpdate 4.9.9.1.
A description of the update reads as follows:
Help installing security updates and new versions of packages.
TSUNAMI detect and warn the user!
What does that mean?
Is it all quiet now? Concerned about the last invasion.
Has someone who already received the update got a system that is normal?
The ISO I used is from 01/23/16, it is not the hacked one.
Clem force and staff.
We can count ourselves lucky I guess. A few years back, the official Linux kernel got hacked with malware. The infected code wasn’t distributed, but it took them 17 DAYS before figuring out something was wrong.
Sorry, only now have I read that the mintUpdate 4.9.9.1 update is confirmed in the above comments.
Even so, thank you.
For all those yammering birds who scream about “big bad WordPress” – that certainly could have happened with any other kind of CMS or content organization software as well.
As the Linux Mint folks point out, it’s a faulty theme and lax file permissions. E.g. older versions of TimThumb, which was always a very helpful tool in the past, are known to be too lax with their access restriction. Or an outdated version of the rev slideshow, or just a misunderstanding on how to implement AJAX requests in the frontend ..
.. could have been anything.
But let’s see it from a positive point of view: If you don’t make any mistakes, you can’t learn from them. And even worse, if your mistakes never come to light, you will continue making them, until something worse happens.
So hopefully the Linux Mint website division is going to be much, much more careful in future, of what they do with the website and how they implement new features 😉
BTW: Dear Clem – WP has been supporting threaded comments for ages, and watching this editing orgy of yours has always been giving me headaches – why not help yourself to that feature? But better let it implement by s/o who knows his/their way around WP; maybe just ask the folks at Automattic politely 😉
cu, w0lf.
Edit by Clem: It’s another thing on my long list of todo things. But yes, I agree. Don’t be too quick to blame the theme though. There’s no indication that it was at fault.
Why didn’t I get the Detect TSUNAMI update?
Will an already installed Linux Mint be affected?
@Jerry
Excellent point! Far fewer malware instances, so far.
Thank You
@Clem
What would be the down side of encrypting the Linux Mint ISOs with GPG against a public-user, whose public and private certificates would be made available on your server, so that anyone who wants to decrypt your distribution can first acquire the user certificates (once and for all), and is 100% sure that it’s coming from your team and nobody else? This way there will be no “option” to check signatures, or checksums, etc. This is something that I’ve been doing for quite some time for my documents, albeit they are far smaller than your ISOs. But computers are fast enough nowadays and it’s a one time thing for each user. Plus, the file needs to be “scanned” in its entirety for the checksum anyways, so it probably makes little difference in terms of creating additional burden on the user’s hardware.
“Detect TSUNAMI and warn the user” – i downloaded this but got no warning at all…how am i supposed to see the results and see if i am safe??
Hi gang. I posted at 374 already, but forgot to mention something. After I unknowingly downloaded the infected ISO, I received a perplexing phone call from a call centre identifying themselves as “Microsoft Tech Support” (an obvious bogus moniker), but he warned me that I had just downloaded a malicious virus. I laughed at him and hung up. Later that day, I started my Acer and the C: drive crashed. Could this call have been from the same hackers trying to cash in with some expensive bogus “Virus removal” scheme? Did anyone else get this call?
Thank you for responding, Clem. Donation made.
I’m not much of a technical person when it comes to computing, but have been hammering at keys and tinkering since DOS was on a 5 1/4″ floppy for a Z-100. I have to say without a doubt, my recent transition to Linux has been the most comfortable and enjoyable experience I’ve ever had computing. It’s a learning curve, no doubt, but it does what I want it to do, and essentially without flaw comparatively. Many thanks to you and all the others for all that you have done/are doing. Much appreciated!
“Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.”
sorry for the silly question, but in /var/lib i only see a folder called man-db, in /var/lib/man-db there is a 0kb text file called auto-update, is this what the quote speaks of?
Edit by Clem: No, /var/lib/man-db is OK.
Thank you for the quick response, one other question, probably unrelated, but how come when I go into my account settings my camera light flashes on my laptop? I just noticed :S curious if it is normal. Still, hands down, Mint is an awesome distro 🙂 sorry if I’m wasting your time.
Thank you for the notification. I did indeed download the hacked ISO. I received an email from Google notifying me my email account had been accessed on a Samsung Galaxy S and also a Windows PC. The same day I read your warning. I changed my passwords on another Debian machine I have, then formatted and re-installed an older Mint 17.2 DVD I’d been using previously.
Clem and the crew – keep up the good work, good will overcome evil!
Will it affect us through the apps updating process? Thanks.
Wow, one guy or gal from Bulgaria caused all this? Sure makes me feel unsafe using Mint, and I am an 8 year user and donator. For now though I’m going to stay on my Debian 8 partition until I hear the “all clear” bell. Sorry.
@Clem: My update manager is showing a level 1 update for mintupdate 4.9.9.1.
Is this a scheduled update?
Hello, I am a certified green noobie to Linux Mint Cinnamon…. I have been disgusted with MS Win for some time and thought my wishes were answered when I read about Linux MINT.
I downloaded both a 32 and 64 ISO as I have both types of machines. I don’t know how to check if mine is affected, sorry, I’m new. BUT….
I ran the 32 on my older Dell from the DVD. When I was on the web I tried to open a site and a blue screen came up, telling me to call a number, that there was a bad file on my machine…. Am I affected here or what the heck is going on?
I did run the 64 on my LENOVO from the DVD and did not have any abnormal operations.
So today is the 23 and I would have downloaded a day or two ago.
I am hoping to make Linux my new op sys and I have a friend that is waiting for a copy as well but I am waiting now until I know my ISOs are not affected.
Thanks for your thoughts….
Bob Says: “Correct me if I’m wrong, but doesn’t the user still have to check the signatures? That is, if they don’t bother to check MD5SUM or SHA256, will they bother checking a signature?”
Yes, they still have to check the signatures.
Smokey Says: “I’m just as lazy as the average computer user, and just paranoid enough to still check MD5 sums. It’s not like I can verify the PGP/GPG signature anyway, since I don’t have the necessary web of trust. So MD5 it is, or sha1 or even sha256 if that is available.”
We can ask Clem for both hashes (sha256 hopefully) and signatures (detached .sig files). They are not mutually exclusive. Also, the user/verifier doesn’t need to be in the web of trust, it’s only important for the signer to be in the web of trust.
As Clem mentioned earlier, switching MD5s to sha256 wouldn’t have prevented this attack. However, it needs to be done. Defaulting linuxmint.com to HTTPS wouldn’t have prevented this attack. However, it needs to be done. Authenticating ISOs with PGP signatures wouldn’t have prevented this attack. However… you get the idea.
Linux Mint could simply follow the majority of security practices of TAILS Linux as a start. It shouldn’t take more than a week or so to implement, and it would solve a lot of anxiety and heartache.
To the Linux Mint dev team, if you are reading this, we still have faith in you. Keep up the good work.
Just made a donation to help. Happy to see things are returning to normal. Forums will need some work but it’ll be worth it once it goes back up again and be better than ever.
To the entire Linux Mint dev team keep up the great work!! Looking forward to the next version of Linux Mint!
I noticed that the linuxmint site is back up, I assume by this that everything is back to normal and it is safe to download the latest version?
i just finished my first full install of Linux, other than Canonical Ubuntu, namely Mint.
This may not be the correct thread, but does anyone know how to reliably disable the admin password, so I can install packages without being driven crazy?
That was the breaking point for me & MS, in Vista.
I really & truly would like to use Linux, but this is a deal breaker.
Thanks,
JP
I read the part that said it was just 17.3 Cinnamon. Decided to check my 17.2 Mate installation disk anyway.
I’ve upgraded from 17.2 to 17.3 Mate
In terminal, inside the main directory of the installation disk, I entered
md5sum c- MD5SUM
Got a lot of Directory and file listings each followed by OK. Then I got
md5sum: WARNING: 6 lines are improperly formatted
ISO is long gone so can’t check that, is this related?
Squinty, welcome to Mint. You’re right, this is not the correct thread, and to be honest it’s not the right question either. If you disable Mint asking your password before letting you make changes to the system, you’re disabling basic security. You won’t find many users willing to help you break your nice new Mint install that way. So I hope you’ll reconsider.
Am looking to dual boot my windows 10 with Linux, looking at this thread am worried.
@ Clem : Can i go ahead and download and install it now ? or you suggest me to wait ? please and thanks.
Same answer I’ve heard repeatedly.
Sounds like microsoft.
Screw it.
good luck, people.
what a disappointment.
Just made a donation to help the Linux Mint Team.
I don’t understand the people who want to abandon the ship in the light of this: the Adobe website was also hacked, and it’s not that Adobe ran out of business. Actually, on haveibeenpwned.com it’s at the top of the list, with 153 million Adobe accounts breached.
That said, as Linux Mint is a distribution that ends up in the hands of grass roots Linux users, why not implement clamTK as standard, for example?
But one thing worries me: yes, there has been transparency, but to a certain extent. Given the fact that you should have the email accounts of all the people registered in the forum, couldn’t a mass email be sent to warn users? The website down or even this blog post don’t necessarily reach all the users… many (like me) use Mint because it works (brilliantly) straight out of the box, and for this reason they don’t need to go and check their distribution’s website every day, or to end up in this blog. Pretty much like any Windows user never went to the Microsoft website. Only difference is that if something similar happens to microsoft.com, it would be covered broadly by the mainstream news.
Hi Clem and others,
I haven’t read all 536 comments, so apologies if someone already mentioned this – I’m (infofinder.com.au) hosted by A2Hosting (a2hosting.com). They offer optimized WordPress and extra security features for WordPress. Could you take a look at what they offer? If you were hosted by them with all their extra security layer for WordPress (or an equivalent host with the same security) could the hacker have got in?
I’m not super tech and only average with Linux etc. but I thought this 2 cents worth might be a valuable alternative strategy. Good luck. J
Hi, I have followed this distro from the start even if I have used an OSX/W7 combo for the last 5 years. I used to install it on old PCs for friends to avoid viruses and extensive use of CPU by AVs. The MATE version served the best. It’s a shame to see my beloved user-first oriented distro being the target of some bad guys. I appreciate your honest work and handling of this incident. My servers are targeted every day, some attacks were even successful /aka Drupalgeddon story…/. I am an admin too, even a lame one, so hacker penetration is mostly my fail /permissions etc/. I donated small euros and I hope it serves well for you to recover. Keep up your good work Clem and all Linuxmint developers !
Is it now safe to download a Cinnamon release ISO? I downloaded a Cinnamon ISO on February 20th and I deleted the ISO after installing, so I can’t verify if I have an infected installation.
So I want to know if it is safe to download a new ISO. Thank you for your information.
Hi:
I’m Having the same update : level 1 update for mintupdate 4.9.9.1.
Is this OK?
@squinty
I’m afraid Mint (or any Linux distro) isn’t an environment for you if something as simple as entering a password for system maintenance drives you crazy. After logging in, I need to enter my password maybe once a day, if even that. I wish you good luck with Microsoft or whatever system you end up with.
Squinty,
The previous 533 replies were dealing with how to tighten the security of the system, not remove it!
“Same answer I’ve heard repeatedly. Sounds like microsoft”
Ouch! That hurts.
In windows8 at least, you can do it:
https://www.youtube.com/watch?v=RsEXTy9AqFU
In a linux system it is also possible, but usually a VERY BAD IDEA. Why is it such a deal breaker?
Hint: if you google [linux running sudo command without password]
you will find the answer on how to do it.
Remember that Free Will is like giving razor blades to toddlers.
According to this tweet (https://twitter.com/ChunkrGames/status/688346150622081024) the forums database has been on sale since January 16th.
Has there been any official acknowledgement of this from the Mint team? It’s extremely worrying, and I am starting to wonder how far the rabbit hole goes…
>This may not be the correct thread, but does anyone know how to reliably disable the admin password, so I can install packages without being driven crazy?
It’s done to you what you do but this is THE MOST BASIC security and what keeps Linux from being the sieve that Windows has been/is.
*However,* the request for admin password in Mint is FAR less intrusive than in Vista. It may also be that you are using the software manager to install software one app at a time and being asked for the password each time. I can see how that would get annoying. But if you use synaptic – which I do – you can queue installs and only have to input the admin password once or twice. I also store the .deb files so I can install offline if needed. That will reduce the pain and maintain security.
Hello Clem
is it safe now to download the ISO’s or should we wait for your confirmation? i just want to upgrade to Qiana 17 now i have been using Petra 16 for quite a long time.
thanks
@squinty, welcome to Mint. You can do it, right. You can log in as “root” instead of “squinty” or whatever user name you use. But then you are the Overlord. Root can do all. Even destroy the system and the data.
Microsoft has learned from Linux, not the other way.
Do you really wish to have a system where one wrong click let you destroy your system?
Wish you luck. But never blare in our ears, after you have destroyed your system.
No one will pity you.
HughW Mint user since Mint 4 Daryna
—
they said: “use windows xp or better”. So I installed Linux Mint
Is there any possibility that system updating through the update manager can affect the os? I have done a complete update on these days. I found a folder man-db in /var/lib.
@539 Curiousworry: You’re correct that this incident did not affect the MATE versions.
The MD5 (and SHA256) hashes are to verify the integrity of the ISO that you download prior to installation. If the ISO that you downloaded is already deleted, then nothing on your system will return the hash you’re looking to validate.
The -c switch (not c-) is for verifying a subsequent .md5 file of hash/file pairs, not for generating the initial hash you’re looking to validate.
MD5SUM will return a hash for any file. For an ISO, in the directory where the file exists, type: MD5SUM TheFileNameOfTheISOYouWantToValidate.iso
Doing so will return the hash/file pair for you to compare the hash that’s provided. SHA256SUM works similarly.
For the security of the general public, would it not be a better idea to publish SHA integrity checksums instead of MD5.
SHA-1 or SHA256 is far more secure than MD5
@539 Curiousworry: P.S. the actual command itself is md5sum (not MD5SUM). Sorry, it’s early here.
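Since the replies above walk through md5sum -c, sha256 lists and detached .sig files, here is an added shell example (not Linux Mint's own tooling, and not code from any commenter) that checks an ISO's own line in a hash list and, when gpg and a signature file are available, verifies the detached signature on that list first. All file names, the keyring path and the sample data are placeholders constructed for the demo.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Linux Mint project tooling):
# verify a downloaded ISO against a published hash list (sha256sum.txt
# style; md5sum lists work the same way) and, optionally, the detached
# GPG signature over that list, so a tampered list is rejected before
# any hash in it is trusted. File names and paths below are placeholders.

# verify_hash_list FILE LIST [TOOL]
# Checks FILE's own line in LIST with "TOOL -c", ignoring the lines for
# editions that were not downloaded. Returns 0 on match, 1 on mismatch,
# 2 when FILE has no entry in LIST (a missing line is never a pass).
verify_hash_list() {
    file=$1
    list=$2
    tool=${3:-sha256sum}
    name=$(basename "$file")
    # Hash lists use "<hash>  <name>" or "<hash> *<name>" (binary mode).
    entry=$(awk -v n="$name" '$2 == n || $2 == "*" n' "$list")
    [ -n "$entry" ] || return 2
    # -c resolves the listed name relative to the working directory;
    # --status leaves the exit code as the only result for a script to use.
    if ( cd "$(dirname "$file")" && printf '%s\n' "$entry" | "$tool" -c --status ); then
        return 0
    fi
    return 1
}

# verify_list_signature LIST SIG KEYRING
# Verifies detached signature SIG over LIST against a key pinned in
# KEYRING (absolute path to a dedicated keyring, not the default one).
# The verifier needs no web of trust: fetching the signer's public key
# once over a trusted channel and pinning it here is enough.
verify_list_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# check_iso ISO LIST [SIG KEYRING]
# Full check: signature on the list when SIG and KEYRING are given,
# then the ISO hash. Returns 0 only when every requested step passed.
check_iso() {
    iso=$1; list=$2; sig=$3; keyring=$4
    if [ -n "$sig" ]; then
        if ! command -v gpg >/dev/null 2>&1; then
            echo "gpg not installed; cannot verify $sig" >&2
            return 3
        fi
        if ! verify_list_signature "$list" "$sig" "$keyring"; then
            echo "BAD SIGNATURE on $list: do not trust its hashes" >&2
            return 3
        fi
    fi
    rc=0
    verify_hash_list "$iso" "$list" || rc=$?
    case $rc in
        0) echo "OK: $iso matches $list" ;;
        1) echo "MISMATCH: $iso differs from $list; delete it" >&2 ;;
        2) echo "UNLISTED: $(basename "$iso") is not in $list" >&2 ;;
    esac
    return $rc
}

# --- constructed demo data (placeholder files, not real Mint ISOs) ---
demo=$(mktemp -d)
printf 'pretend this is a genuine image\n' > "$demo/sample-64bit.iso"
printf 'pretend this is a tampered image\n' > "$demo/sample-32bit.iso"
{
    ( cd "$demo" && sha256sum sample-64bit.iso )   # genuine entry
    printf '%064d  sample-32bit.iso\n' 0           # wrong hash on purpose
} > "$demo/sha256sum.txt"
check_iso "$demo/sample-64bit.iso" "$demo/sha256sum.txt" || true   # OK
check_iso "$demo/sample-32bit.iso" "$demo/sha256sum.txt" || true   # MISMATCH
rm -rf "$demo"
```

Passing a .sig and keyring as the third and fourth arguments adds the signature step; the two hash steps alone are what the replies above describe for md5sum and sha256sum.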
O My God
These people must headshots. To harm for the sake of harm.
I love Linux Mint And who is behind this hacking is I will destroy them.
I am a new Linux user, and I do not exactly know how to check if I am in danger. I have the pendrive I used for install. So I connected it to my computer, which may be infected.
http://ubuntuhandbook.org/wp-content/uploads/2013/12/LinuxMint-usb-boot.jpg
Reboot, press F12, select USB, then I got this.
I have selected the option below the Default. I only found man-db folder with auto-update file.
Am I doing everything right in checking for the infection?
Does it mean I am secure?
Hello, are updates such as mintupdate 4.9.9.1 safe? I do not know what to do … I am a little confused. Maybe you should give some information about the updates that now follow, until the situation has returned to normal (relaxed). Thanks Clem and team for your fantastic performance! Greetings from Germany.
i have linux mint burnt to a dvd but i did way before this happened. but my question is the repo’s infected?
Would it help anybody to download the 17.3-64bit-cinnamon iso dated
Nov. 30, 2015 ? Here is my Dropbox download link: https://www.dropbox.com/s/hip6cpgep5g3sxd/linuxmint-17.3-cinnamon-64bit.iso?dl=0
Greetings, npap
Is Linux Mint 17.3 Cinnamon Edition safe to download now?
Downloaded yesterday, installed, and checked the ISO’s md5sum: e71a2aad8b58605e906dbea444dc4983
Apparently my LM17.3 Cinnamon 64bit is fine.
Just made a small donation (investment). My faith is not shaken at all. Mint just gets better and better.
@554 david: Clem response to the question of, “…were any of the repositories affected?” was, “No.”
He has also said, “…we didn’t find any trace of hacks affecting the repositories.”, and “The repositories are functional and they were checked so you can apply updates.”
I used an old ISO and tried to upgrade i don`t know if there is some risk behind that too
@squinty:
any chance your password is too long and complicated?
Ever thought about changing it?
A short pw that is easily typed is still better than deactivating it completely.
The entry point was through WordPress, but not because of any code that is part of WordPress. After review of my copy of your server’s filesystem, I can conclude that all of the custom modules were written by a monkey trying to figure out Emacs.
Jokes aside, you should know that there were two entry points. One of which you seem to have acknowledged, your custom WordPress plugins. The other is pretty obvious, the forum software you were running. I hope that this attack will open your eyes, and that you will think to do something reasonable next time.
I will also say that your website, unless Linux Mint is a commercial entity, should not have a .com TLD. Please use the appropriate TLD when registering domains, in the future.
I wiped all my Linux computers and installed Windows 10 Insider Preview. I’ve had enough of open source.
Hi Clem, my email was found on pwned.com would you recommend ditching it and creating another ? Or am I jumping the gun ?
Just to play it (BRUTALLY) safe I’m currently downloading Xubuntu 14.04.4 LTS, next on scrapping my freshly installed Linux Mint 17.3 XFCE and re-adding the “Mint Flavour” through the repos later on ^_^
cu, w0lf.
I’m very sorry you had this difficulty. Welcome back.
Rothschild hates open-source and encryption.
-flek
Good day, my friends.
There is a problem: not updated mint update 4.9.9.1. Tap – Install the update, insert your password. Update Manager again offers me a package to update. The system was installed two weeks ago.
On the second computer upgrade was without problems.
Please help.
It was not malicious code so to speak, or hackers which compromised your site, and replaced the distribution of the ISO with a malicious one. It was law enforcement state agency. I am not at liberty to inform you of the entire scope of the operation. However, it was not done with the approval of the dept. of Homeland Security, FBI, or of the Department of Justice. It was however, done, as a means to prevent a so called “target of an investigation” from becoming totally anonymous. I can provide some of the reference material if interested. However, I would like to add, you can also contribute towards helping the world become a much safer place by your involvement in a proposed solution geared towards helping Law Enforcement with preventative technology, research, and newer, more efficient ideas. Contribute to an idea bank if you are willing to but do not complain about the outcome if you to not, since state law enforcement agencies do not have the resources to be capable of doing anything else, they are using software to track their so called suspects and that software technology is running forensics that target websites for overrides in particular – anytime a suspect of an investigation is using anything having to do with linux. However, according to the law of the United States Code, no one is supposed to violate the rights of others privacy, and it could be that what occurred to you was a violation of your rights. If that is the case, it would have to be determined by a Federal Judge, and if you would like to support our effort to get an injunction to prevent this type of technology and to warn the public of the right to vote, and again to support the effort of independent coders and programmers who want to help the department of homeland security fight cybercrime and prevent the usage of these type of software techniques that are in fact a violation of your personal security and freedoms. Then please jump on board the betteraskwatson campaign. 
I might not be able to provide you with that much reference material on the subject, but that is exactly what happened at the time alleged. The Trojan that you discovered and all of the rest of the forensics involved are just a part of the law enforcement software package. The user / field officer does not need to be trained in coding or complex networking because these softwares are packaged in a bundle and then just sold off to the nearest law enforcement agency. If the officers are investigating or in a field operation and their target uses something called “technology of anonymity which could potentially be dangerous because the suspect could become anonymous.” Keeping in mind that it is a federal crime to become anonymous during a federal investigation, “(obstruction of justice)” However, realistically a target would still be traceable and trackable using other methods.
But the state law enforcement agencies do not have access or training in those methods. In other words, a state law enforcement agency without jurisdiction did a “color of law” violation by overriding your server, and you caught it, you don’t have enough information to do anything about it legally, or at least you did not have enough. I’m sure you all would cooperate with the investigation had you known about it. But you were not supposed to know about it because it is part of a so called ‘secret grand jury indictment” This has been placed on the public forum so that it could also become evidence against these officers and their practices again, it’s not the first violation but these violations of statute are in fact being done by this particular state, and its law enforcement practice which – using the latest technology made available by this particular company.
Here is the news reference material. This particular incident has not appeared on any news media, I am a journalist and I do have some reference material to allege that the exact incident you are referring to was in fact related to this particular , ;state law enforcement agency” however, I can only allege that is what occurred, since it could be possible that your attacker was in fact in pakistan and the entire situation could have been an attacker working for some other non-government agency. Since we can not prove without a reasonable doubt that this took place from law enforcement there is no charges that can be brought against the individuals rather they are law enforcement or not, without due process.
I would like to add, since I’m sure law enforcement will now be all over this forum, the only problem I have is that you state violators, did not salute, and obey the federal employees whenever they around.
What this means for me is that the democracy its o seems to become a problem at least from the perspective of what it means to be a proper citizen. We expect to see you followed the law in total integrity. We do not expect any law enforcement agency to encroach its way around the statutes protected by federal law. The officers who did this and are now facing charges, would not have been even facing any charges whatsoever had not their been other surveillance units attached to the situation that could have been appointed for reliable information on your so called “suspect”. And by the way that suspect had better receive all his or her rights, because you will not prevent freedom of speech either. And GOD BLESS AMERICA and the Homeland Security Department for at least trying to make this world a better place. Notice that its not the policy of the US Government to harm it’s citizens and so why the hell would I not want to participate in helping the government stop cyber-crime and terrorism and what the hell are the state law enforcement officers learning in their training if they can not cooperate with US CODE before they execute their training procedures. Extremely problematic and I am extremely bothered. By the way, notice that I did NOT reference your case, your indictment or what state it is, nor did I reference any material that would be problematic for law enforcement, I only referenced that violation so that the server administrators would know that they were in fact violated. If that doesn’t sit well with you, then file a civil lawsuit.
#betteraskwatson
github: betteraskwatson
https://www.youtube.com/watch?v=v1yb-wWwAEQ
Software related to this code and this leak was allegedly sold to law enforcement agencies under state agencies securities and could also be a part of the investigation itself. This securities investigation measure could either be legitimate or it could be a cover up if the state itself is being investigated for violations of statute, that’s all the information that I have
blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html
https://www.fbo.gov/index?s=opportunity&mode=form&id=8224f3108e16ed637b1f68649faf7da8&tab=core&_cview=0
Crewp, Clem recommends changing your forum password and any other identical passwords; I haven’t seen him recommend ditching the email address, and I’m sure he would not be too shy to say so if he thought that was necessary. Let’s not ask him too many questions, I’m sure he’s pretty busy.
The Adobe breach, which is comparable, resulted in one iteration of my email address being pwned. Every now and then I get some spam on that address. It’s really easy to filter.
Jedinovice @ #550
Removing the password prompts even on a sole-user system is more novice than Jedi.
may be a lesson and keep working Linux Mint
Thank you Moem, I know he must be very busy, and I only asked because not as much has been said about the forum hack. Thank you, for your reply, and I sent in a donation to help the Mint team with the expense of this recent trouble. See you on the forum, soon.
>Just to play it (BRUTALLY) safe I’m currently downloading Xubuntu 14.04.4 LTS, next on scrapping my freshly installed Linux Mint 17.3 XFCE and re-adding the “Mint Flavour” through the repos later on ^_^
As I stated. There really is no need. Mint is not affected.
Especially XFCE.
A lot of people are getting the wrong ideas here and I suspect that was the crackers intention. Don’t give the bad guys what they want – a loss of faith in a first class distro.
[Clearly I need to submit this here- with typos corrected.]
To those worrying about Mint with fears that virus checking is needed, malware detectors, whether Mint Linux is safe, can downloads be trusted, etc, etc.
Calm down!
NOTHING HAS CHANGED!
Mint Linux itself has not changed. Mint was not even hacked!
Nothing has changed regarding virus, the need for virus checkers or anything else.
I am using Mint Linux KDE 17.0 and continuing to use it as before.
The Mint WEBSITE was hacked!!
That’s like Google being hacked. Any data you had stored on Google is up for grabs but it has no impact on the operating system you were using to access it, be it Windows, OSX, Android or Mint.
You can use Mint in the exact same way you were before – though it’s a lesson on having different passwords for different sites.
Yes, on the 20th Feb Mint Cinnamon 64 was ‘hacked’ in the sense the weblink to the ISO image was REPLACED and the user sent to a hacked version of Mint. But we’re talking about a REPLACEMENT ISO – not a bit of malware you pick up from an update.
Absolutely NOTHING was compromised on updates, software installs, nothing.
You would be infected if you installed SPECIFICALLY Mint Cinnamon 64bit edition having downloaded the ISO image on EXACTLY the 20th February – which means 99.8% of Mint users are unaffected – including me. I am a naturally nervous person and even I am completely sanguine about this. I know I have no problem and odds are – neither do you.
*If* you installed SPECIFICALLY Mint Cinnamon 64 using an image from EXACTLY the 20th FEBRUARY, get a new image, reformat the hard disk, re-install, problem solved.
If you used the same password to access the Mint forums and other sites, you should change the password on ALL sites that you used that password on. But, again, this has nothing to do with Mint itself.
Linux Mint remains as secure as it ever was. Nothing has changed. Now, the website is a whole other matter and it seems deficiencies were found and exploited – but it’s damn hard to maintain web security. But, again, this has NOTHING to do with Mint.
There is a lot of FUD flying around Mint now which is completely undeserved. Let’s keep our heads – and donate to keep the A number 1 easy to use, “it just works” (and still works) Linux distro going from strength to strength!
^ Correct, luckily the percentage of people affected should be very small. If your ISO MD5 hash matches a good key, you’re safe! No need to change distro 🙂
This situation gives me an opportunity I have been waiting for – to say something that needs to be said:
On the LM forum there are people who insist, over and over and over… ad nauseam… that Linux is so safe one should never even consider the notion of any issues in the areas of infections, hacking, and so forth. These folks sit behind their veils of pseudo-intellectual superiority and spew their moronic pronouncements. In my view, these people are practically as dangerous as the hackers themselves. Why, you ask? Because the messages they convey put people off the need to be alert. Folks hear this crap so often they forget to remain vigilant (especially for ANYTHING NEW). The entire project’s level of security is compromised – even if just a little – because everyone adopts the notion that Linux is so safe. Wake up folks !! When the bad guys want something badly enough nothing is safe… someone will find a way to get what he/she wants. And all the faux-teckkies who constantly reassure everyone about the safety of Linux actually become allies of the bad guys. Their attitudes (and misplaced assurances), in reality, actually make the bad guys’ jobs easier. ‘Nuff said.
Also, this situation could be truly a blessing in the end. It has woken up EVERYONE. There’s no overlooking the fact that some bad things have happened, but the situation could be SO MUCH WORSE. I believe the LM Team will go forward with a new focus on security, and they will implement methods that make sense without going completely overboard. After surviving this crisis MINT should become an even better choice as a Linux Distro.
Lastly, as an old software engineer and tech-support veteran, I have been in crisis situations like this many times. Until this situation has been resolved life can be HELL. But, when it’s all over and order has been restored, the TEAM can sit back and “glow” in that feeling of having solved a MAJOR problem. Everyone involved can pat himself/herself on the back and enjoy a feeling of genuine accomplishment. And, in spirit, all of us Linux Mint users will be right there thanking you and congratulating you on your efforts.
Is there a way to check if installed OS is infected?
No one has answered my question yet, although it may sound DUMB ?
can i go ahead and download Linux Mint now ? am looking to dual boot it using usb on my laptop.
@566 Red: Like Clem and others have said since the incident, you can find the ISOs at http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/, where you can also find the signed sha256sums.
Please note the genuine ISOs themselves were never compromised. It was the website which was compromised, by incorrectly pointing to other malicious ISOs elsewhere.
@Jedinovice Mostly because _I_ can. But it looks like the current edition of Xubuntu 14.04.4 itself is faulty. Might have pulled the wrong one in – siduction forum reports boot issues in Debian Unstable, and promptly, the freshly Xubuntu 14.04.4 LTS fails to boot properly right after installation ^^
When I installed 17.3 XFCE, it worked flawlessly, out of the box.
Ah well .. roasting my own Mint .. maybe when I got that 480 GB SSD somewhere around may or june this year (Thinkpad T520); some lovely BBQ with LinuxBBQ ..
cu, w0lf.
woof
R@563: You’ll regret it. I have both Mint XFCE and Xubuntu installed on a POS HP Pavilion 11-in touchscreen with an AMD A4 processor, and Mint is the ONLY OS I’ve found that makes the machine usable. (Don’t even ASK about Windows 8, which came installed on the thing.)
Everything looks on the up-and-up and I last installed a few weeks before the hack, but given the timing, I wanted to point out that I got a lot of ca-cert updates today. I don’t mean to be an alarmist, but DevOps experience is telling me to say something in case the first attack was the first step of a larger one.
Since about the 20th of February this year, Yahoo mail has become progressively slower until it freezes the whole OS up. It may be a coincidence with nothing to do with the attack on the 20th. I searched for mention of Yahoo in this but found none, so maybe it’s unrelated. However, if anyone can point me in the right direction, I’d appreciate it. Otherwise I’ll dump Yahoo and use another service.
I got those CA cert updates too. Also:
glib-networking-common
glib-networking
glib-networking-services
ca-certificates
openssl
cpio
libssh-4
libssl1.0.0
libgnutls26
libgnutls-openssl27
In other words, all stuff that if compromised would be disastrous, or, equally, a critical update if legit.
We know you must be flat out, but if you could say yes or no as to whether this is legit, that would be nice!
Just a follow up on the updates, I’m finding the very updates to these packages are listed on the Ubuntu packages database, so there’s a logical explanation.
For example, the ca-certificates package was updated – here are the different versions:
http://packages.ubuntu.com/search?suite=default&section=all&arch=any&keywords=ca-certificates&searchon=names
I got the Trusty version: 20160104ubuntu0.14.04.1
So if you’re worried – you can check the ubuntu, and I guess ultimately the debian package dbs, to see if there’s a listing for these updates.
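A local variant of this check, added here as an example (it is not from the commenter above or from the Mint team): instead of looking the version up on the Ubuntu website, ask apt where the installed version of a package comes from. `apt-cache policy <pkg>` lists every version it knows and the repositories offering each one; an installed version that shows up only under `/var/lib/dpkg/status` is not carried by any repository in your sources and deserves a closer look. The two policy outputs below are constructed to look like that command's output on Mint 17.x (Trusty base); only the ca-certificates version string is taken from the thread, and `example-pkg` and its versions are made up.

```sh
#!/bin/sh
# Checks whether a package's installed version is also offered by one of the
# repositories in your sources, using the text printed by 'apt-cache policy <pkg>'.
# A version that appears only under /var/lib/dpkg/status is installed but is
# not shipped by any configured repository.

# installed_version_sources POLICY_TEXT
# Prints the repository URLs listed under the installed (***) version,
# leaving out the local dpkg status database.
installed_version_sources() {
    printf '%s\n' "$1" | awk '
        /^ \*\*\* /   { in_installed = 1; next }   # the installed version
        /^     [^ ]/  { in_installed = 0 }         # another version starts
        in_installed && $2 != "/var/lib/dpkg/status" { print $2 }
    '
}

# installed_version_from_repo POLICY_TEXT
# Exit 0 when at least one configured repository offers the installed
# version, exit 1 otherwise.
installed_version_from_repo() {
    [ -n "$(installed_version_sources "$1")" ]
}

# Constructed sample, shaped like 'apt-cache policy ca-certificates' on Mint 17.x.
POLICY_OK='ca-certificates:
  Installed: 20160104ubuntu0.14.04.1
  Candidate: 20160104ubuntu0.14.04.1
  Version table:
 *** 20160104ubuntu0.14.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     20130906ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages'

# Constructed sample: an installed version that no configured repository carries.
POLICY_SUSPECT='example-pkg:
  Installed: 1.0-1ubuntu2.18+local1
  Candidate: 1.0-1ubuntu2.18+local1
  Version table:
 *** 1.0-1ubuntu2.18+local1 0
        100 /var/lib/dpkg/status
     1.0-1ubuntu2.18 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages'

# For a real system: check_package ca-certificates
check_package() {
    policy=$(apt-cache policy "$1")
    if installed_version_from_repo "$policy"; then
        echo "$1: installed version is offered by a configured repository"
    else
        echo "$1: installed version is NOT offered by any configured repository"
    fi
}

demo() {
    installed_version_from_repo "$POLICY_OK" && echo "ca-certificates: offered by a repository"
    installed_version_from_repo "$POLICY_SUSPECT" || echo "example-pkg: not in any configured repository"
}

demo
```

Run `check_package` over the packages listed above (ca-certificates, openssl, libgnutls26, and so on) after an update. A version that is only in the dpkg status file is not proof of anything bad on its own (a manually installed .deb looks the same), but it tells you the update did not come from the repositories you configured.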
Is it possible to release a patch as a part of normal updates to check if people are affected and remove any malicious code?
I downloaded Linux Mint 17.3 Cinnamon 64-bit recently, but after installation realised the system starts but the Mint logo doesn't display. The system in less than 24 hrs became very buggy and slow. Was that a characteristic of a hacked ISO?
I got to know Linux Mint some year ago – in short words:
It's the best OS I know and I would not want to exchange it for any other OS. Linus and open source are the best things that ever happened to IT.
!!! You are making fantastic work !!!
Why is somebody so stupid as to attack your project … perhaps somebody is paying these hackers for their work (from the commercial side)?
But keep on making the best OS of the world.
You have it already.
Best wishes and two thumbs up,
Marinus.
It’s a shame that some developers said that “Linux Mint is generally very bad when it comes to security and quality” instead of saying “Hold on tight, we are going to help you!”. Not only do they bring discredit upon themselves, but above all upon the whole Linux project. I have never seen Clément Lefebvre say bad things about the other distros. I think that he is an honest person and that LinuxMint fits me perfectly and that it is a great system. That is why I’m going to stay on LinuxMint.
For what it’s worth, I seem to have been affected, too. The checksum is 7d590864618866c225ede058f1ba61f0. I burnt this iso to a DVD, but was unable to use it since Firefox reported there was no Internet connection. I then switched to Mint 13, which works fine (otherwise I would not be typing this).
Cheers
Frank
What developer said “Linux Mint is generally very bad”?
I want to read by own eyes.
Thanks Clem and all the folks who bring us The World’s Greatest OS for dealing with this bit of criminal mischief in your typical calm, measured, open, and effective manner.
Calm down, guys… One single infected ISO is NOTHING compared to the amount of virus bundles (AKA shareware) you can download and install on that Redmond Operating System. Yeah, it was a clever attack. But hundreds of sites are hacked every day, and Linux Mint being such a famous distro, it’s of course a very nice target. Now the guys @ Linuxmint must do their homework, take the lesson learned, fix the exploits and do a damned good check on other possible weaknesses on their website. As for us users: in times where privacy and security are such an important matter, what about doing our share and double-checking before downloading ANYTHING from the net? This hack was pretty easy to track: they just changed the LINK, making it point to a foreign server. So, checking the target before clicking on a link should keep you safe (at least from this kind of hack). “Oh, but site XYZ should be trustworthy!”. Really? Today? With guys phishing-scamming bank sites, XSS attacks and so on? Please, trust no one.
@574 Big easy
see for example :
http://www.infoworld.com/article/3036600/linux/is-linux-mint-a-crude-hack-of-existing-debian-based-distributions.html
I just switched back to Ubuntu. Anyone else here do the same/similar thing?
@576 Guy Everaert
See no developers there in article.
How to know if the installed system is corrupted? I don’t have the ISO anymore and my USB key has been formatted since. And I don’t remember the day I downloaded the ISO.
It really freaks me out to know that your WordPress website is not secured as it should be. Mint is probably the most used Linux distro; security should be your first concern.
I have read many disparaging articles about the Linux Mint breach in recent days and find that many of them unfairly portray the efforts made by the Mint team.
I want to express my gratitude to Clem and everyone on the team. You are making the greatest Linux distribution so keep up the good work.
That said, security around the distro needs to be raised seriously to gain back the confidence of people wavering amidst the negative press.
Hi!
How can I check if my installed Mint version is affected?
Thank you!
BR,
Thomas
@sola of course we don’t trust Mint anymore. If they can’t secure a WordPress website, what could it be on a whole operating system?
I’m not a dev, I’m not an engineer, just a user with no particular skills, and this is the question I ask: how the f* can I trust you after this?
@squinty
You cannot disable the requests for the user password when you are performing administration tasks as a normal user. Without this, your system would be VERY-VERY insecure.
You can configure your linux system to always login as root (this is disabled by default on Ubuntu based systems like Mint) but that is a VERY serious security risk since if you, say, get a virus or a trojan during browsing, that will have unlimited access to your system (including the capability to infect your executable program files). If the same happens while you are a normal user, your program files will not be compromised (unless you manually install them within your home directory but that cannot happen if you use the application manager for installations)
I don’t recommend doing user tasks as root on a Linux system, you would degrade your security to the level of Windows (possibly back to XP levels). One of the big advantages of Linux is that it is more secure than Windows, don’t throw this away for a minor inconvenience of needing to provide your password sometimes.
Hi Clem
Just heard about this on a podcast so wanted to wish you and the team well. I have had to deal with hacked servers in the past and it is extremely annoying, time consuming and in some ways…personal. One thing is for sure: whichever door these cowardly losers used to get in, you won't leave open again!
It will all be in the past one day 🙂 Still a fantastic distro, BTW!
Regards
James
@576 Guy Everaert and @577 BigEasy, this article is quite aggressive. Comments after the article are favorable to Mint, however.
Erm,
New to Linux, started this year, recently downloaded the upgrade to Rosa Cinnamon via the Update Manager. Did NOT use the ISO, as far as I am aware, but should I be concerned?
For what it’s worth, comparing Windows, Apple and Linux for any types of intrusion, both my PCs will remain Linux.
Thanks to Clem and all the guys.
@Clem
The database was being sold on 16-January last. https://twitter.com/ChunkrGames/status/688346150622081024
Why is this being overlooked?
@579 Tom
From Clem’s notes above:
If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
The forum must be hammered and overloaded. I got this error yesterday and today.
Sucuri CloudProxy – Backend Server timeout
What is going on?
I am sorry, but we are unable to connect to the page you requested. It seems that the hosting server (where this site is located) is down and we do not have a cached copy to give to you. Please try again in a few minutes.
What can I do to fix it?
If you own the web site, please verify with your hosting company if your server is up and running. They might be doing a maintenance or be overloaded. Please wait a few minutes and try again. If the problem persists, open a ticket on our support page and we will troubleshoot: https://support.sucuri.net.
If you are just visiting the site, just wait a bit and it should be back soon. We apologize for the incovenience. If you have any question, email us at cloudproxy@sucuri.net.
Error details
Error Code: HTTP 504
Error Message: Backend or gateway connection timeout.
Server ID: cp14008
Sucuri CloudProxy
CloudProxy is a Website Firewall from Sucuri. It stands between your site and the rest of the Internet and protects against attacks, malware infections, DDoS, brute force attempts and mostly anything that can harm it.
Not only that, but your sites get cached, speeding it up quite a bit. Interested? Visit https://sucuri.net
@579 Tom: Unless you downloaded the LinuxMint Cinnamon 64-bit ISO on Saturday February 20th, via a compromised link on the LinuxMint website, then it is unlikely your system is affected.
Regardless, MintUpdate now automatically checks for this (as of version 4.9.9.1).
Damn, that’s not good!
+1 for being so transparent about it and handling it well. Hopefully not many users were affected.
Side Note: @Clem – I work with WordPress and IT infrastructure security for a living, if I can be of any assistance please let me know (free of charge, of course).
Just hint:
It’s a good time to turn paranoid and leave MD5 for a cryptographically secure algorithm like SHA256.
Hi,
Just a quick note about moderation. Some people saw their comments removed even though they were only trying to help, so I think it’s important I explain a little bit.
– I would probably privately agree with many of the adjectives used to describe the hackers, but please don’t curse. In many cases we just replace the foul language with xxx.
– Timing was and still is important. We’re still looking for the hackers, they might still be looking at us. Some info can help and we’re grateful but it can remain moderated or get deleted if it’s sensitive. We’ve a lot of info to communicate to you also, but in due time.
– There’s a lot of FUD going on. It’s a very human thing to do.. when somebody is hurt by someone else, some people will naturally try to help, some people will naturally try to attack the attacker, and some people will naturally justify the attack. This isn’t terrorism of course, but I can’t help but remember the attacks on Charlie Hebdo and the sickening debates that followed, on whether they had it coming or not. Let me make it clear, there won’t be any such debates here and there won’t be links to these debates here either. If a Debian user finds it appropriate to use this event to globally criticize Linux Mint, then fair enough, let him do that elsewhere. In other places on the Internet some similarly minded Windows users will follow the same rationale and apply it to Linux and Debian as a whole. I’m not interested in this, it’s not productive and if it’s OK to criticize our project on certain points, then the timing isn’t appropriate.
– We don’t do pingbacks and trackbacks.
– Things are getting better now, but earlier this week we had about 400 comments in moderation. I wanted to reply to many of them also so we were very slow in moderating them, and this wasn’t done in order because things kept changing and questions were getting more accurate. Some questions also couldn’t be answered on the day, either due to uncertainty or the fact that our answer would be too sensitive at the time, so they were kept in moderation and accepted/replied a few days later.
– Last but not least, we’re fully aware of the limitations of the theme we’re using. The numbered comments with no hierarchy and the impossibility of replying to people… we’ll be changing that soon when everything settles down.
I’d like to thank everyone also. I don’t reply just to say thanks when you help us or cheer us up, but trust me, it does help and it’s really appreciated.
I hope we’ll soon be able to post about all the work that has been done since the attacks. Nothing was done on Mint itself (this completely halted our work there), but a lot was done on the server side, and we worked with some really awesome companies.. I’ll explain more on that soon.
>” I would probably privately agree with many of the adjectives used to describe the hackers, but please don’t curse. In many cases we just replace the foul language with xxx.”
I don’t think that’s unicorn good enough! Those rainbow-colored carebears deserve all the pixie dust abuse they get. I don’t dancing fauns care about rules about strawberry shortcake swearing; those sons of anime goddesses should be Aslan well caught, put up against a lemon cheesecake wall and shot!
I thought I would show people how to do it. 😉
Thanks again Clem. We will await more data.
Edit by Clem: Oh my, this definitely IS colorful language! 🙂
A quick word on the state of things also:
– We’ve hardened things
– We’re now behind a global firewall
– We’re now using new servers
– We’re now using https (which is forced for community and forums)
All of this is great but it introduces changes and so there are a few rough spots and some things don’t work as well as they did before. We’ll be fixing it all of course but I think it might take a week before everything runs smooth.
I also assume you have sent out floating daleks to the crackers residences…? 🙂
I have used Linux Mint for 6-7 years. Someone has been getting into my e-mail and sending letters on my behalf for 2 years. I did not know that my mail password had been changed. The phenomenon has ceased. Perhaps the hacker attack is from earlier. I use Google Translate.
1) Why doesn’t everyone just routinely check the MD5 sum between the download and transfer to DVD or USB flash?
K3B by default calculates this for any iso it’s about to burn, displays it to the user, then with a menu selection, the user can paste the correct value from the download page (or just look until you find it) and if it’s a match, it flashes a green check-mark behind the input value.
You could be half asleep — you don’t even have to match the numbers by eye.
If people are willing to install an OS with an MD5 that isn’t what it should be, well … and then, to complain when the boot doesn’t look quite right? Or, complain they have an altered copy with a file that shouldn’t be there? What did they expect? OMG, what next??
2) The donation list is ‘stuck’ at February 9, before this happened. Would be interesting to see how many are showing support for the Mint team — in this way. Even if it’s only $1, as was the last donation on that date. Even that’s enough to show support, and of course more if you can afford it!
Does the backdoor affect the bootloader?
I installed Ubuntu 15.10 over Linux-Mint when I heard about the backdoor, because the Ubuntu DVD was the only thing I had at the time and I didn’t want to waste time downloading any other ISOs.
Anyway, does the fact that I still have the same bootloader mean that the backdoor is still in my computer?
Thank you. 🙂
Edit by Clem: The backdoor itself no, but on the other end the hackers could use it to run commands. These doors were quickly shut down by the hackers when they were found, but they could reopen them and they could have run commands from there.
Clem: thanks for your comments. you are a true diplomat.
you are my role model.
please, as you folks clean things up, don’t disturb the RSS feed too much. I really depend on it, but maybe I am just another dinosaur.
So if I had 17.2 ‘Rafaela’ and did upgrade to 17.3 ‘Rosa’ means that affected me?
I have installed linux mint in January, but I made updates regularly. Can this compromise my system?
hi- am brand new to linux and Mint. downloaded in the last few days. checked for the infected file- I do not see it.So I think I am good.
I am running 17.3 cinnamon from a usb drive I created thru LiLi.
I attempted to run the md5 checksum. However, the ISO file either is not on the USB drive, or that file the md5sum will not recognize. (I think another poster here attempted the same with the same result – the “yourfile.iso”).
Just to avoid future similar issues, it seems to me it needs to be made crystal clear how to do an MD5 or SHA256 check of the DLed ISO. I currently am still pretty in the dark on how to do this. I get the concept but not the actual method on how to do this and I do not see it very well laid out for the newbie.
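For the question just above, and the earlier suggestion to move from MD5 to SHA256, here is a worked checksum verification, added as an example (it is not from the commenter, the Mint team, or the Mint download page). The check runs against the ISO file you downloaded, before you write it to DVD or USB; the `sha256sum.txt` list that sits next to the ISOs on the mirrors has one `<hash>  <filename>` line per image. Because the block has to run offline, the "ISO" and the checksum list below are constructed stand-ins: only the filename `linuxmint-17.3-cinnamon-64bit.iso` comes from the thread, and a tampered copy is produced on the spot to show what a mismatch looks like.

```sh
#!/bin/sh
# Verifying a downloaded ISO against the sha256sum.txt published next to it.
# The ISO and the checksum list are constructed stand-ins so this runs offline;
# with real files you only need verify_iso / report_iso.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

ISO=linuxmint-17.3-cinnamon-64bit.iso   # name from the thread; contents constructed

# Stand-in download: a few bytes in place of a 1.5 GB image.
printf 'stand-in for the ISO image\n' > "$WORK/$ISO"

# Stand-in sha256sum.txt: "<hash>  <filename>" per line, as the real list is
# laid out. It is generated from the stand-in so the good case matches, plus one
# unrelated entry (an all-zero placeholder hash) to show that the right line is picked.
( cd "$WORK" && sha256sum "$ISO" ) > "$WORK/sha256sum.txt"
printf '%s  %s\n' 0000000000000000000000000000000000000000000000000000000000000000 \
    linuxmint-17.3-cinnamon-32bit.iso >> "$WORK/sha256sum.txt"

# A tampered copy: same file name, one extra line appended, checked against the
# same list. A swapped or modified download looks exactly like this to sha256sum.
mkdir "$WORK/tampered"
cp "$WORK/$ISO" "$WORK/sha256sum.txt" "$WORK/tampered/"
printf 'anything appended changes the hash\n' >> "$WORK/tampered/$ISO"

# verify_iso DIR ISO_NAME [LIST]
# Picks the line for ISO_NAME out of LIST (default sha256sum.txt in DIR) and lets
# sha256sum -c compare it with the file. Exit 0 = match, 1 = mismatch or no entry.
verify_iso() {
    dir=$1; iso=$2; list=${3:-sha256sum.txt}
    ( cd "$dir" && grep -F -- "  $iso" "$list" | sha256sum -c --status - )
}

# What you would type at the prompt:
#   report_iso ~/Downloads linuxmint-17.3-cinnamon-64bit.iso
report_iso() {
    if verify_iso "$@"; then
        echo "$2: checksum matches"
    else
        echo "$2: CHECKSUM MISMATCH or not listed, do not use this file"
        return 1
    fi
}

report_iso "$WORK" "$ISO"
report_iso "$WORK/tampered" "$ISO" || true
```

Two notes for a newcomer. First, `sha256sum.txt` has to be fetched from the same trusted place as the ISO and, when a `sha256sum.txt.gpg` signature is published, checked with `gpg --verify sha256sum.txt.gpg sha256sum.txt` against the project's signing key, otherwise an attacker who can swap the ISO can swap the list too. Second, the check is done on the downloaded `.iso` file in your Downloads folder; once the image has been written to a USB stick the original file is no longer there to hash, which is why the `yourfile.iso` attempt from the live session fails.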
Hello,
I have been very cautious and not used my pure Mint 17.3 home box (have shut it down and pulled the plug out just to be sure), I have not been using my laptop 17.3 partition (battling with my windoze dual booting bit (don’t ask…)). Your sites are back up, but forums.linuxmint.com looks completely different. Says ‘phpBB’. Just checking, is the above correct? Before I give it a new password?
TIA
Ed Z
@Clem I’ve used Linux Mint Forum a long time ago. I don’t remember which e-mail I’ve used for it and I don’t even remember which username I used.
In forgot password/Send password https://forums.linuxmint.com/ucp.php?mode=sendpassword it asks for both to recover my password. So I can’t find out if I am in danger or not. If it only asked for the e-mail then I could check some e-mails I might have used.
Anyway since linux mint forum usernames and passwords are hacked/stolen and maybe some people won’t find out about it any time soon I think you must automatically send e-mails to all of them to inform them so they will change their passwords.
Hey, can I download and install as usual? I need the new Linux Mint. When will this problem be fixed? Thx
594 Chaos. No, you are fine. The repos were not compromised.
#1) I install & use software a LOT.. on XP, if i want to take the time to clamp my system down to the near molecular level, I can.
The degree of granularity of control in XP is one reason I still run it. It may have taken 10 years of crashes & failures, but I manage well with it.
#2) IT IS MY COMPUTER! That sound familiar to anyone?
If i crash my machine, I don’t ask for pity. I ASK for the ability to crash it, security risks & all. I DO NOT WANT MY HAND HELD. ok?
I want to be able to install, control or kill running processes at my peril & discretion, without being mothered by my OS..
Like I said, Vista was a failure if for nothing else other than the constant requests for permissions.
I don’t need my learning curve interrupted by repetitive keystroking unrelated to the actual task I am trying to accomplish, whether it blows my engine up or not.
#3) *Numerous*, experienced and competent individuals are of the opinion that the recurring admin password request is not merely obstructive, but does, in fact, do little to actually augment security.
& Not only that, but I spent over $400 on a Dell 19″ AIO, with OEM Ubuntu drivers, specifically to make this transition.
At best the Mint installation is clunky, but I’m willing to forgive that, and **try to learn to correct it**, so long as I can rip stuff apart and see where my conflicts or system settings or defective drivers might be, without my machine slowing the process down every time I try & make a tweak.
Learning a new OS is **NOT** easy, & frankly (although I *am* a Linux –NOOB–) I have never seen the kind of granularity present in any Linux distro that I have in XP or W7.
Now.. this may be a good thing.
‘Granularity’ in wincrap generally means “turning stuff off that shouldn’t be there to begin with (or at least *off* by default)”, so a lot of my learning may be admittedly pointless, which is *why* I would like to migrate in the first place.
So far, however, (& it is only day 3 since my Mint install, & only about 7 days with Canonical, previously), the only advantage I’ve seen is that I can crash my hung Linux install with the power button & not get a blown reboot.
Again, this is a *brand new Dell*, purchased specifically because Dell has committed to Linux hardware support, & that’s the first thing I need to make sure most failures are based upon *operator* error and not some deeply buried IO or protocol conflict.
I do meatball surgery, not neuroscience.. just like my cars..
I’m no automotive engineer or metallurgist, but I know enough that I spend an average of *maybe* twenty dollars a year (or less) at professional garages..
i am a meatball-shade tree mechanic, & you know what?
i like it that way.
i HATE cars that demand computer codes, that fail because i pull a fuse in the wrong order or refuse to run because of what is essentially an unnecessary minor sensor not related to the actual combustion process.
There is little point to cars designed like Microsoft software.
i do not need my automobile to tell me to not work on it, because if it does, it is intrinsically a piece of crap, right down to the kernel… excuse me.. engine block..
anyways..
I’m done.
If Linux developers can’t do a secure workaround, other than suggesting a 1 character password or some such, then all Linux really is, is a toy.
Just a toy, like most computers & most software, but more of a toy if it only lets me play on its terms.
It actually makes me feel less secure, because it makes me wonder if I may have somehow missed something as I crawl around my installs & settings..
now.. you can shame me, tell me this is the wrong forum, that i’m just a dumb noob.. whatever.
I’m a new (& willing) recruit to your supposedly superior software universe, and I am just telling you what my experience is.
I’ll go step up against the wall, eyes open, in case you feel a need to shoot the messenger in order to defend an exceedingly clear OS deficiency.
I’ve already put my money where my mouth is, & I hope to God that whoever uses Linux, of any flavor, does well with it, & far, far better than the crap being shoved down our throats since win 3.1
I was raised on PCs because my father designed mainframes (the core system architecture) for IBM, and hell *YES*, I wish back in 1985 I could have seen the evil coming.. I actually saw it in ’94, I believe, and screwed around with GEOS & then OS2, but had problems migrating my old data sources, as well as finding drivers.
So here it is.
30 years after the fact.
i’ll go walk to the wall, now.
@585 Joe H (Joe Football)
RE: your comment “Regardless, MintUpdate now automatically checks for this (as of version 4.9.9.1)”
Running the update manager on 4.9.9.1 generates security warnings on four packages, namely:
CA-Certs
GLIB Networking
GNUTLS26
OPENSSL
Are these safe to install? Thanks
Or Clem, if you’re not too busy, can you answer my question in 599 above? (I’m a noob and especially paranoid at the moment). Thank you for your ongoing efforts.
Hi. New here and barely know what I am doing, i have questions but….
Regarding this break in… I was wondering how this benefits these guys. Does your program, with their addition, contact them whenever we go online with a tainted Mint op sys??? Be nice if someone could load that with a worm or virus so they would get a delivered surprise, eh?
That is way beyond my abilities but don’t we get this kind of stuff in the emails all the time??? well just wondering out side of the box.
Hey is there a place where I could talk or contact a user to ask dumb questions for awhile?
I have a DVD up and running but it says I need to upgrade ADOBE, no idea how to do that, not as easy as WINDOZE in that respect and I have other dumb questions… I just need a push to get flying
thanks
s
My 17.3 KDE has a Md5 mismatch ?
Gives cfcbd9f191cbc3bd060d8895d23834c2
This does not match any showing on the site.
Problem ?
Hi Sean. Run the HexChat app you have in Mint and it will take you directly to the Linux Mint help IRC.
@Sean wrote:
>Hey is there a place where I could talk or contact a user to ask dumb questions for awhile?
Yes, of course, now that _the Mint forum is back up._
There’s a section for ‘noob’ questions and you’ll get friendly answers. Actually, upgrading ‘Adobe’ is easier now, the repo maintainers have already found the latest version and it’s waiting for you along with all the other updates — waiting for you to push the button.
Actually, I’m only checking this thread because I’m wondering if the donation list updates just happened to freeze, or if messing with the donations was the first part of the ‘intrusion’ — I see that’s still under moderation …
@Clem you guys rock. I just made a small 5$ contribution (added to my monthly 1$) to Mint to show my continued support.
This is a shocking incident.Get well soon.
Announcement for Turkish users: http://webmaster.bbs.tr/showthred.php?t=13303
It’s impossible to login on the forum.
Again I have to change my password, the password I made after the Forums came back online is not accepted, so I can’t change my password.
The “contact us” url sends me back to the page to change my password
Fixed by deleting cookies
the updates are safe???
To Clem and the entire Linux Mint team, great work, thank you for all the endless hard work and the info provided. This incident does not seem to have caused much damage, and if I am wrong, my apologies in advance to any one it may affect, but it certainly will lead to improve many things in the Linux Mint universe. May Linux Mint continue on for 100 years!
@glauco Yes, the updates are safe.
>Learning a new OS is **NOT** easy, & frankly (although I *am* a linux –NOOB– I have never seen the kind of granularity present in any Linux distro that I have in XP or W7.
You may want to look at KDE for MORE config options than in Windows!
You can log in as root, though Mint does not allow this by default, but it can be made to, which means no security password at all. But you will be wide open if you do so.
I’m wondering if anyone has been locked out of their (admin) user account, because I am at the moment. Right now, I’m logged into my wife’s account. Not only can I not get into this home workstation, but neither will the quite complex password work on my work laptop, either.
My home computer is running Mint KDE 17.3 64bit, which I downloaded and made a boot stick out of several weeks ago. I just installed it on this home computer yesterday.
My laptop has had Cinnamon 17.2 64bit on it. All of a sudden, the same password I’ve been using for months, which is pretty unique among my passwords, doesn’t work now on either machine. I’ve punched it into both machines very slowly, and tried several different possible variations. Nothing. Weird. I’ve logged into both as recently as 2 hours ago.
I also just found out that I needed to create a new password on the Mint forums, which I just did. Both the old and new passwords are entirely dissimilar to my computer login passwords. Is it possible that this is related to the recent hack? It doesn’t seem like it could be, but it doesn’t seem either like I could just continuously mess up dozens of times a password that I’ve been successfully inputting for months, right up to today.
Am I just getting old? Anybody got any suggestions?
Interesting, I did know for some reason on either computer it seems like I can’t even boot 17.3.
Actually 17.2 Mint seems to be the only thing I can boot of the Linux I have. Trisquel won't even boot once I got a laptop with 10 on it.
I love both OSes a lot, and want to keep using them.
Let’s give squinty a break!
So, you want your machine to be free like air?
Ok then! Edit the system file ‘/etc/sudoers’ on your computer using the special editor ‘visudo’ and insert the line with NOPASSWD below all the way at the end of the file, on the last line.
Save it and exit the editor. You’re done!
sudo visudo
insert the following line at the end of the file:
# replace your_username with the account you log in with; a 'root' entry would not
# change the prompts, since sudo never asks root for a password in the first place
your_username ALL=(ALL:ALL) NOPASSWD:ALL
If you need documentation about the meaning of the parameters just google ‘sudoer nopasswd visudo’ and you’ll find plenty of reference material.
Good luck!
Hal
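Since a blanket NOPASSWD rule like the one above means any process running as that user gets root silently, it is worth knowing how to find such rules on a machine. The audit below is an added example (not from Hal or the Mint team): it reads sudoers-format text and reports every NOPASSWD rule, separating blanket rules (`NOPASSWD:ALL`) from rules scoped to named commands, and ignores commented-out lines so that the `# %sudo ... NOPASSWD:ALL` line Ubuntu ships does not trigger a false alarm. The sample text is constructed, modelled on the defaults in Mint 17.x's `/etc/sudoers`, with the rule from the comment above and a scoped rule for a made-up `%operators` group added.

```sh
#!/bin/sh
# Lists every NOPASSWD rule in sudoers-format text and says whether it is a
# blanket rule (password-free access to every command) or scoped to named
# commands. On a real system, feed it:  sudo cat /etc/sudoers /etc/sudoers.d/*

# nopasswd_rules SUDOERS_TEXT
# Prints "<user-or-group> blanket|scoped" per rule. Comment lines and
# Defaults lines are skipped, so a commented-out rule is not reported.
nopasswd_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/        { next }   # comment (also #include / #includedir)
        /^[[:space:]]*Defaults/ { next }   # option line, not a rule
        /NOPASSWD:/ {
            cmds = $0
            sub(/.*NOPASSWD:[[:space:]]*/, "", cmds)   # keep only the command list
            print $1, (cmds == "ALL" ? "blanket" : "scoped")
        }
    '
}

# blanket_count SUDOERS_TEXT
# Number of rules that hand out password-free access to every command.
blanket_count() {
    nopasswd_rules "$1" | grep -c ' blanket$'
}

# Constructed sample: the stock Ubuntu/Mint 17.x rules, the blanket rule from the
# comment above (your_username is a placeholder), and a scoped rule that exempts
# only two apt-get invocations from the password prompt for a made-up group.
SAMPLE_SUDOERS='Defaults	env_reset
Defaults	mail_badpass
root	ALL=(ALL:ALL) ALL
%admin	ALL=(ALL) ALL
%sudo	ALL=(ALL:ALL) ALL
# %sudo	ALL=(ALL:ALL) NOPASSWD:ALL
your_username ALL=(ALL:ALL) NOPASSWD:ALL
%operators ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
#includedir /etc/sudoers.d'

nopasswd_rules "$SAMPLE_SUDOERS"
echo "blanket NOPASSWD rules: $(blanket_count "$SAMPLE_SUDOERS")"
```

The scoped form is the compromise to reach for when the prompt really does get in the way of one repetitive task: it removes the password for exactly the commands named and nothing else, whereas the blanket form turns any code that runs under your account, including something pulled in by a hijacked download, into root without a prompt.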
will it be fixed if i update and upgrade ?
Edit by Clem: If you installed from the hacked ISO, no, don’t just remove the backdoor, update and upgrade… wipe the installation altogether and review anything it might have compromised. It’s unlikely harm was done (the backdoor was closed very soon after it was found because it could help lead to the hackers) but you have to consider the worst case scenario.
As a friend of the Linux Mint community, it's pathetic to see my suggestions and comments here lie for days in moderated unposted status and then erased. Those were comments #93 and #96. There was nothing in the suggestions that was even remotely negative, they were positive suggestions yet were not only approved by mods to post but deleted in a heavy handed act of censorship and abuse here.
Edit by Clem: Hi. Sorry about this. I read your other comment saying they were related to compiling pages for extra security. It’s good advice. There’s been hundreds of comments and all that happened while we were securing servers. I don’t know why these two particular comments were removed, I can’t honestly remember each comment individually, but if it helps, I commented about moderation and explained why in certain cases helpful comments might also have been removed. Please check comment #625. Also, from the top of my head… if your comment suggested we sent an update to detect the malware and alert users, it might have been removed for that reason. That would have been a very very good idea of course, but it was something we were already doing and we wanted to have the upper-hand on the hackers (i.e. reach as many users as possible with the update before they get a chance to know about it and open backdoors to rename some of its files).
How does suggesting webpages be compiled to increase security warrant my comment be deleted by a heavy handed act of censorship here?
It's refreshing that after nearly 5 years of requests and suggestions that HTTPS is coming soon here; this is a computer related blog and site, isn’t it?
>How does suggesting webpages be compiled to increase security warrant my comment be deleted by a heavy handed act of censorship here?
Easy. Clem is overwhelmed at the moment. All sorts of things are possible with new servers bouncing around. Give Clem a chance. He has stated he will explain a lot of things later.
And your suggestion may have been so good, Clem took it down for security reasons, not sharing what the plan might be!
I dunno but Clem has promised explanation later.
Right now, more than ever, the Dev team need our trust. It’s not time to yell at them.
Jedinovice, Hal, thank you!
looking at the forums.. have to log in from Mint to join, so it may be a bit.. very busy with many things, here..
thank you for allowing me to set myself on fire..
Hal? I’ve seen several iterations of the “ALL = (ALL:ALL) NOPASSWD:ALL” sudo parameter, but it hasn’t worked, yet..
looking at a 100% fresh install of Mint Xfce or KDE..
like i said, i bought brand new Dell hardware specifically for this transition, so i don’t intend on giving up..
dunno who here has ever rebuilt an automotive engine, but you have to tear stuff apart in order to understand how it all goes together..
Wankel rotary engines are, by logic, innately superior to reciprocating axial engines.. fewer parts (about 30%), better compression on a per volume basis & a larger range of operational RPMs…
now.. that being said.. i have NEVER worked on a Wankel.. i would *love* to, but… the engine has yet to be mated to the type of vehicle i use, so far as i know..
Linux is a bit like that..
the majority of the *skills* required to transition from one core framework to the other are portable, but the basic *configuration* in which they are used is exceedingly different..
bicycle cranks are a far **less** desirable geometry than the simpler, more powerful & more efficient turbojet (arguably anticipated some 2400 years ago by Hero’s engine), but By The Almighty, the Wright Brothers put up the ‘Flier 1’ with a reciprocator..
Computers, for me, are not how I do my good in this world..
i do my *best* good with wrenches..
i get people’s wives & children off of stranded highways..
i get kids banging around the country on a shoestring either back up & running or to someplace safe they can call from..
& generally speaking?
once i pull over, i *never* leave anyone stranded, unless they say they are OK…
soo..
my power, clearly, is not on computer platforms, & i don’t have time to deal with it, just like somebody staring up at the sky in the middle of the night, because they don’t know which screw to turn..
surely they have the intelligence, but they have better things to do than screw around with poorly designed vehicles..
they might even understand enough, after learning a little to say “well.. why not just a warning blink, when the EGR goes, instead of refusing to start??”, to which i might respond “Heck.. i dunno squat about GTK, but why not a button you can click to enter the admin password, de facto, instead of having to use the keyboard?”
once i learn my way around, that might be the very first thing i do, but it’s probably months away, though a super good motivating objective, which i (equivalently) can *already* accomplish in winhell..
all i am looking for is the power to do good..
to use my machines (of all kinds.. cooking implements, computer, cars, lawn machines, whatever..) to do good..
i’m not a geek.. i can’t program.. that is beyond my power..
but i CAN use the tools YOU create to spread the consequences of YOUR creativity, with good results for others..
how many of us, for example, design or fabricate frypans??
very few..
but where would we be without at least cast iron?
not designing Linux, most likely..
how many of us are potters?
probably few..
but do you know what a potter needs to know, to turn, cast or glaze some of the incredibly beautiful & useful stuff that they have learned over the course of a lifetime?
i dunn think even 1% of us could produce more than a semi-functional pinch pot, left on our own with tools we really don’t understand..
BUT.. if any of us *wanted* to learn, just handed the tools?
sure.. “hey!! don’t allow more than 200 amps through the coils!!”
“HEY!!! that’s a thin wall Raku kiln!! DON’T OPEN THE VALVE FULL WIDE!!!”
& the answer is: “hey mofos.. i know enough to understand.. *thank you*.. sincerely.. but this is MY equipment & MY experiment & not only do i understand and RESPECT your knowledge & opinions, i am going to EXPAND on them, by observing what happens when I push things to destruction..”
it isn’t that people who don’t follow your advice are stupid..
it’s just that they need to explore..
yeah, tell them “that stuff will blow up in your face & you will roll down the side of the hill, screaming, looking to throw mud on your face to put down the damn near 3rd degree burns you’ve subjected yourself to by modifying a few stock ‘D’ class model rocket engines!!”
BUT DO NOT STOP THEM..
let them burn the hair off their faces..
let them scream in pain, as they are engulfed in smoke & white orange flares..
…THEY WILL LEARN….
& that is all we want..
& if you don’t understand, well..
it’s ok..
you never will.
& that’s why you’ll never make the point..
sure.. a Wankel may be ***way*** better than a reciprocator..
but if all you do is sit in a chair & proclaim it?
i dunno.. kinda like armchair quarterbacking..
it’s always best to listen to the folks who actually drive what they design..
in fact, for all of you sycophants, the core engineers are usually the most polite, understanding & informative..
they are *seldom* recalcitrant..
take a lesson from them..
AND.. as much as i hate bill gates, & suspect he stole this quote from somewhere else, because he is more vile than intelligent & probably has the IQ of a 17 day old snail & peanut butter breadspread
“your most dissatisfied customers are the ones you learn the most from!”
now.. nobody *makes* money, here, though we all know it is needed..
but the idea holds true..
people just want stuff to work..
programmers just want their cars to work..
automotive engineers just want their computers to work..
potters just want their cookware to work
chefs just want to be able to email..
whatever the permutations are..
none of us are masters of the whole spectrum of human arts, & we are vain if we think we can survive beyond a subsistence level if all we have to rely upon is ourselves..
it is, in fact TRUE, that if the electricity goes out, the ones that survive are the NON-TECHNOLOGICAL..
after all is said & done?
we are just luxury workers, so we have better things to do than gripe at each other because of what we want to do with a particular OS..
humanity loves simplicity..
if it isn’t simple, it’s flawed..
Is it possible to get a status report from the Mint team?
A lot of people want to know how to check an installed version of Mint.
Well Squinty, your call. I understand wanting to learn, which is why I started with Slackware. Not a bad distro, but the manual install of everything was killing me. With Mint I got to get past software and onto video editing!
I suggest you check out KDE. If you want configurability and granularity then KDE is for you. Everything in KDE is configurable – and I mean everything!! But it is also quite logical. Note though – if you are using KDE on low spec hardware, turn off desktop effects – especially transparency! Still, Cinnamon, I understand, is getting close to KDE functionality… and also comes with desktop effects enabled. (Wobbly windows?)
As I say, if your major gripe is the password for software installation, use synaptic rather than the all-colour, loadsa-graphics software manager. I only use synaptic. There you can queue a mass of installs and only have to input your password once for the mass install. Much nicer. I also have a keyboard shortcut to the cache folder to copy the deb files out for install via synaptic or dpkg offline should I need to reinstall. I don’t like complete reliance on the internet for everything.
If you really, really want root access at all times, in KDE – go to System Settings – MDM Login Manager. Click on the ‘options’ tab and select ‘Allow root logon’ and ‘Apply.’ When you restart your machine you will be able to login as ‘root.’ (I assume you will have to type in the user. I don’t know. I haven’t logged in as root since Slackware as, really, Mint does not need this. You normally use the ‘su’ or ‘sudo’ commands.) Since MDM is a Mint component I would expect to find the same option in Cinnamon.
Anyway, once logged in as root no passwords will appear, or warnings. You are the total master, which means you could blow up the OS. I did that in Slackware four times while learning. So be ready to re-install and keep your data on a separate partition from the OS! I always do that. I never use the ‘home’ folder and store data on a separate partition under ‘documents,’ ‘images’, ‘sources’ and the like.
Have fun but bear in mind, we have done our duty and warned you. The consequences are on you! 🙂 Be prepared to re-install while you learn!
ISO of Linux Mint KDE 17.3 64-bit downloaded from the main mirror also appears altered (asks for a user name on live boot in VirtualBox).
SHA256sum at the mirror: aa33bf286e92556163c335b258fe5cbd9f65f4ab8490e277fed94cf20d3920e4 linuxmint-17.3-kde-64bit.iso
On checking it shows:
Desktop:~/Downloads > sha256sum linuxmint-17.3-kde-64bit.iso
1164fecffdaac43b570c6f982c1c89e267d18e55b6c0774a39b3fdc34d88566b linuxmint-17.3-kde-64bit.iso
Edit by Clem: Hi, it can also be caused by a bad download. To make sure, download it twice and see if you get the same wrong sum again. Also please mention which mirror you download from.
great work Clem & team, willing to extend any help if needed, can test your fresh iso, in fact download all the isos to check the SHAsum provided at your mirror.
“You exceeded the maximum allowed number of login attempts. In addition to your username and password you now also have to solve the CAPTCHA below.”
I can’t reset my forum password… this captcha thing. The forum doesn’t accept my username or new password or captcha. And I got the “reset password” mail from Mint in my spam folder. Gmail says this is a spam mail.
Is it true that all forum usernames and passwords have been stolen and sold on the internet…..
I would switch to Mint but…. sorry, but now I don’t feel secure.
Hello!
I downloaded 17.3 Cinnamon 64bit via mintUpdate, am I also affected, or only those who used an ISO?
>”I would switch to mint but…. sorry but now i dont feel secure.”
Mint itself has not been affected AT ALL. There is no risk installing and running with Mint.
There is a lot of confusion on this matter. The website was hacked and user logins and password to the WEBSITE were captured but NOT logins and passwords to Mint systems. Completely different.
Think of it as your google account being hacked. Nasty, painful, but nothing to do with the operating system on your laptop.
>”I downloaded 17.3 Cinnamon 64bit via mintUpdate, am I also affected, or are those affected who used in an ISO?”
There is no problem with updates.
Frankly, by now, unless you still have an ISO downloaded from EXACTLY the 20th there is no risk.
>”Is it possible to get a status report from the Mint team?”
General status report, from what I can see is, all clear, all done.
There was no infection from an update or the repos. ONLY if you installed the 64 bit edition of Cinnamon Mint from an ISO downloaded on EXACTLY the 20th Feb (odds of which are very, very low) do you have to run a check.
Other than that, carry on as normal.
@671 Jedinovice: General status report, from what I can see is, all clear, all done.
Thx for the answer.
But I would like to have a statement from the Mint team!
Do you belong to the Mint team?
I’ve been reading around the inet for hours, and here are my questions again:
Is it possible to get a status report from the Mint team?
A lot of people want to know how to check an installed version of Mint.
Hi Clem,
You have got TONS of responses, it shows how important your work is. Keep up the good work. What I especially respect is also your attitude, ethics and morality. Actually this is what makes me like Mint a lot (besides design and user friendliness). Unfortunately, I am a non-pro video guy and because of kdenlive I had to switch to other distros temporarily. Eagerly waiting for your next release therefore. And yes, if you can, include some themes with brighter colors, if you have the time, but only then.
Best regards from
Serbia and Hungary
Status report. Reinstall Windows or, if you can live without open source, another distro; avoid Mint like Death itself. I will never give my trust to them, not even under torture.
Aside from believing Clem for his good looks, there is not a single proof that Mint was not FUBAR well before the supposed 20th date.
People should sue, not donate.
My firewall keeps blocking traffic from 192.124.249.9 while accessing linuxmint.com. This never happened before the hack event. Whois comes back as cloudproxy10009.sucuri.net. Suspected proxy located in USA. Anybody else experiencing this? I’m trying to submit comment and receive Sucuri WebSite Firewall – CloudProxy – Access Denied.
Hi to all, I downloaded on the 24th of February from a German mirror (Germany Hochschule Esslingen University of Applied Sciences); this one is also infected,
with md5sum: e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
@Squinty: The instruction is for the root user, it’s possible that you logged in under a different name. If so, substitute your user name to ‘root’ on the sudoer appendage. If it still doesn’t work, temporarily put ALL instead of root and try. That would be the most comprehensive version of password dodging.
Many myths about Linux OS, especially that it does not need an antivirus. Matthew Moore shows how his Arch Linux got slimed. We need to find and dispel these viral myths going around. Another is that it is faster and another is that the drive does not need to be cleaned up and straightened out. Wouldn’t it be nice if Linux Mint’s install guide had this section? See Matthew’s YouTube presentation under “Mythbusters”.
Added: In the March meeting at WPI our Worcester LUG will be covering intrusions into servers. Locals may want to attend. Look for meeting date.
@641 farjohn: I’m not exactly sure what you meant by “security warnings”. If you mean that MintUpdate is notifying you of packages that have updates, yes, they should be safe to install. Clem has stated in several of the comments above that the repositories have been checked, and updates can be applied.
DS writes, “But I would like to have a statement from the Mint team! Do you belong to the Mint team? I’ve been reading around the inet for hours, and here are my questions again: Is it possible to get a status report from the Mint team? A lot of people want to know how to check an installed version of Mint.”
@672 DS: Clem leads the Mint team, and has provided status updates in many of the comments in this posting, and the other posting regarding the forums. I’m confident he will provide even more information in the future as well.
MintUpdate (version 4.9.9.1 and later) automatically checks installed systems for the Tsunami malware.
@Joe H (re: post 675)
“automatically checks installed systems for the Tsunami malware.”
Please see post #261 (above). If you get hung up on looking for “Tsunami” you may fall right into their trap.
Don’t live in a fog of paranoia – but you might want to stay alert for ANY SUSPICIOUS BEHAVIOR. In other words… just because there is an automatic check for one specific condition you should NOT let your guard down !!
When I saw my screen flashing and then appearing upside down and backwards I knew something was wrong. At that point this page wasn’t available, but I did google some news eventually. In the end I deleted the Mint partitions and one of the two (pre and post hack) regular ubuntu installs that were on the drive, because they had become unusable lacking start menus or even hot key terminal activation. I downloaded, checksummed, installed Linux Mint via torrent and also this site’s mirror pointing to Canada which had verified as authentic. While using the new Mint install, I noticed again the upside down and backwards display coming up. I assume that the hacked installs had infected the original Ubuntu install. I reinstalled Ubuntu on the now Mintless drive, and things seem to be stable. I suppose I should now unmount the first Ubuntu install which had 20G of data I was trying to save. There is also a windows XP install which I’m hoping is OK. Just wondering if you were aware of this infection behaviour.
good morning all…
this Blog Comment format is insane to read and follow, but I do believe Clem said he is going to revise that… but he is kinda busy at the moment.
For NOW, use your browser “find” function and search for “Edit by Clem” for the “official word”
(also scan for the Posts by Clem)
…those posts and comments are by the head guy over at Linux Mint.
hi
I downloaded the ISO on 20 Feb and installed it alongside Windows 7. Is the Windows 7 safe?
I downloaded the ISO from another PC. Is that PC safe?
thanks
Please, I want the new update of Linux 1.1, and thank you.
Hi,
Other users asked this but I’ve seen no answer:
“If I upgraded to Rosa via the upgrade manager on the 20th and subsequently have no checksum to verify, how can I tell if my system is compromised?”
I’m worried. Linux Mint is my main OS. Please, answer the question. If I have to reinstall it, I must know as soon as I can.
Thanks!
Thank you for all your hard work and for this wonderful distribution. I use Linux Mint all the time. And will keep using it because I like it the most.
Best regards
Sorry to see that you were hacked by these “I DEE 10 Ts” (idiots). It’s good to see you up and running again. I was beginning to wonder what DID happen…..but overall good to see you up and running again! :). Once you find out who did this….kick them in the……………with a steel-toed boot! lol
How can I find out that I installed the hacked iso if I have already deleted the .iso file, and no, I am not sure if I installed it on the 20th!
Edit by Clem: Update mintupdate and check for the file /var/lib/man.cy. If it’s there or if mintupdate warns you, reinstall. If in doubt, reinstall as well. You can also install gufw and set the firewall to block outgoing traffic, and use netstat to monitor things.. but really, don’t take a risk. This is a fresh install, only a few days old, so I’d recommend to reinstall.
@687 Assis
From Clem’s notes above:
If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
>”I’m worried. Linux Mint is my main OS. Please, answer the question. If I have to reinstall it, I must know as soon as I can.”
If you ran an upgrade from 17.2 to 17.3 there is no problem. It was only the ISO images for Cinnamon 64 bit that were affected not any repos.
Windows installs installs are not and cannot be affected. Carry on as normal folks!
@680 Joe H (JoeFootball) or Clem
I’m reposting the text of my #641 here for convenience (as the numbers seem to change as comments are moderated):
RE: your comment “Regardless, MintUpdate now automatically checks for this (as of version 4.9.9.1)”
Running the update manager on 4.9.9.1 generates security warnings on four packages, namely:
CA-Certs
GLIB Networking
GNULTS26
OPENSSL
Are these safe to install? Thanks
You ask what I mean by “security warnings”. By that I mean when I run “updates” from the desktop icon (and there are now 5 rather than the 4 originally mentioned, four of which are security updates and the fifth a program update) and attempt to install them, a screen pops up that says, quote:
“WARNING- You are about to install software that cannot be authenticated! Doing this could allow a malicious individual to damage or take control of your system” unquote.
Below this warning is a box labeled “Summary”, in which appears the text: “8 Packages will be held back and not upgraded. 12 packages will be upgraded”
I verified this is still the case just before posting this. At this point I have bailed out of the update process as I’m not certain if this is a normal message. Setting up email accounts without certificates will generate this kind of a message for example.
I selected you (JoeFootball) as you appear to be one of the more knowledgeable of the people participating here and I know how busy Clem and company are, but I welcome answers from anyone that has credible input to my newbie questions. I have literally read and reread every comment to date and my basic questions (and similar questions by others) remain unanswered. Let me state my situation exactly.
I believe I downloaded the .iso file in question, that is, linuxmint-17.3-cinnamon-64bit.iso on the date in question, 2/20/16 from the mirror “Nexcess” (as I recall). I say I “believe” that was the date as I no longer have the Windows 7 OS installed from which I performed the download. It is backed up and I COULD blow away my Mint 17.3 install and retrieve the original .iso but I am reluctant to do that as I’ve invested hours in downloading and configuring software since installing 17.3, all of which will be suspect if I’m infected.
Having said all that, the original instructions from Clem were to check for a telltale file in the directory “/var/lib/man.cy”. It was never made clear whether the so called file is the “man.cy” part, or if that’s a folder that contains a file that shouldn’t be there. To confuse things, when I check that path, I see “var/lib/man-db/auto-update”. In my case the “man-db” is a folder which contains the file “auto-update”, a text file of length zero bytes, modified 11/28/15.
Several posters have asked for clarification on this point and none has been forthcoming, but that’s understandable given the panic in progress. However, if some knowledgeable soul with a known good system can confirm that this part of my file system looks normal it will go a light-year toward making me feel better. And I would send roses, candy and a new luxury sedan in appreciation. (if I had any money).
Then there’s the question of the correct md5sum. I presume the original .iso file that was downloaded is needed in order to check for the correct value, and that the bootable DVD media created from that file (which I assume most people still have) is useless for checking. Did I mention I’m a novice? I have attempted to run the md5sum utility on the installation disk as well as the contents of that disk transferred to a file on my hard drive and the utility fails to find a valid file to check.
I don’t understand why a known good installation disk can’t be used to generate a new md5sum hash code and that value published as an integrity check. But then, I can’t even get the disk I have to generate a checksum, so I’m obviously missing something very fundamental here.
And finally, JoeFootball, the comment you made about the new updates left me with the impression that they “fixed everything”. I have a feeling I misunderstood. But the security warning I described above left me wondering if only the lepers among us see that warning.
In any case, I would be deeply appreciative of any feedback from any direction.
Thank you all so much. This is a great forum.
=====================================
POTENTIALLY IMPORTANT!!!!!
=====================================
I have today upgraded my Petra box to Rebecca and then Rosa, between about 12:30 and 18:00 BST. I am noticing some very strange firewall blocks, both inbound and outbound, on this machine and my router. This probably is a coincidence, but please could you double check there has been no odd activity today or previously in the package databases (and if you are able to ask anyone internal at Ubuntu, that’d also be great)?
Thanks a lot
@Elisa Masah : Not so fast whoever the xxx you are!!!
I don’t know Clem, I never met him or talked to him, yet I have been enjoying the fruit of HIS and HIS TEAM’s efforts and product for the last 10 years; so I can’t let you BS here, at a tough time for LinuxMint and its creators as it is right now and get away with it!
If you like provoking people or acting like a low-life, it’s your choice, but you can do it elsewhere, no LinuxMint user needs to hear your nonsense.
As for me, I can vouch for this group of idealists that I have been following since the day they started (literally 10 years ago) even though, as I said before I never met any of them (and I didn’t have or need to).
It’s with blind faith that you first trust this kind of endeavor, and very quickly things speak for themselves. And in this case with Clem, his team and LinuxMint things spoke for themselves VERY QUICKLY and VERY HIGHLY. This is why Mint IS the most popular distribution on the planet!
You have to be an illiterate xxx to think that the most popular, the best, and the most versatile Linux distribution is FUBAR.
I think the readers of this blog will easily recognize that the only FUBAR here is you Elisa Masah! Please get lost!
Edit by Clem: Hi, I appreciate the support. Please don’t fight here though. Everyone is entitled to his/her opinion but this is a blog to inform, ask and reply, not to argue with one another.
Hello,
I downloaded and installed Mint (and Ubuntu) recently (last week). Try as I may, I can’t get a fix on the date. I don’t have the ISO file to check the image either.
What is the best course of action for me? Can I selectively overwrite the Mint? [Currently, I put Ubuntu and Mint at 50% of storage]
Is there any other way to check if this is a compromised ISO?
Thank you,
JB
Edit by Clem: If in doubt, reinstall yes. Download Mint, check the MD5, boot it and run the installer. Select the option “Something else” for the partitioning, and assign the current Mint partition to / with the option to format it. And that’s it, that will overwrite the current Mint with a new one, and won’t affect Ubuntu.
So is the most recent Mint ISO okay to download and use now? I want to put it on an old laptop of mine, but I want to be doubly-sure before I go to install it.
Edit by Clem: Yes, but make sure to check the MD5 after downloading it.
Thank you Clem and the team,
Linux Mint is great as usual.
This is a chance to remind again that it’s good to install the system (/) on one drive, and the data (/home) on another drive. This way it’s possible to format the system drive and reinstall Linux Mint quickly again.
This option should be integrated into the setup program of Linux Mint.
All the best.
Edit by Clem: It’s handy, although it can be tricky with encrypted home directories.
Clem, RE: Your most recent edits:
I have an earlier download of 17.3 on an external drive that predates the one I possibly installed. Its md5sum is good. The install I made with the possibly corrupted download was installed with the ‘Home’ directory encrypted.
Will the method you described in your edit to #697 enable me to over-write the earlier installation without wiping out, for example, all the email accounts I configured under Thunderbird? In other words, are just the system files replaced, or will the partition be reformatted? Tnx.
Edit by Clem: No, it’s a bit tricky to reinstall with access to the encrypted home dir. I would suggest you search a bit about it before doing it. With that said, if the OS was from the hacked ISO, I wouldn’t try and save the data, as it could be compromised as well. Especially if you’re using IMAP (in which case it’s all online anyway). Make sure you change your email password (I suppose thunderbird needs to store it in clear somewhere to access IMAP, I’m not 100% sure..).
Hi,
I am impacted as well … the package manager warned me. I also remember having had strange issues with DNS and IP on the day of installation. Starting from the live CD I could use Firefox, but the installer said you do not have an internet connection. Checking in the console I could not resolve DNS, however using nslookup it worked.
Unfortunately I did throw away the DVD I used so I’m unable to check the md5, but I guess I am p0wned.
What I’d like to share here is that I probably downloaded the infected ISO around 22:00 CET on Friday 19.2. I am not exactly sure when I did the installation, but 5 minutes ago on the infected machine I checked the time stamp of my /etc/hostname file and it was 23:51 on Friday 19. So maybe the ISO was there already a little earlier?
Regards Jan
Edit by Clem: Thanks Jan, you’re the first person I hear of who was notified by the update. That’s really nice to hear. The window during which the links were pointing to the hacked ISO was relatively small but it’s possible it might have been the 19th or even the 21st for some people depending on their timezone.
Thanks Clem, will do so.
Do not worry about negative comments here. Everything happens for the best. This event will perhaps be an important event in reorganising Mint. See the positive sides of it.
BTW, I am coming after decades in MS world. They would never ever be so open and confess a backdoor, let alone a bug!
You guys are doing great. All the best.
Stop using MD5Sums. MD5Sums are basically cracked at this point.
MD5: e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
SHA_224: a15e0a63f3633ca56f6ef66d44e6717cf4706b17204540a102c5214d linuxmint-17.3-cinnamon-64bit.iso
SHA_256: 854d0cfaa9139a898c2a22aa505b919ddde34f93b04a831b3f030ffe4e25a8e3 linuxmint-17.3-cinnamon-64bit.iso
SHA_384: 988fdb01813899e681674d0ccf1608e8413a77933bc5303202e988cbb69a618f78047349d242f00b239098fc84a4995b linuxmint-17.3-cinnamon-64bit.iso
SHA_512: c1f4b1f9d06b6cbdf05d5239175871916446735bd0e2e78e2d2d51a3a18b5ebbe2e638b3bf2485246b88277ec80acac0ff478233c55710d55e454ef158765e1a linuxmint-17.3-cinnamon-64bit.iso
Just use shasum to get these values – for example:
shasum -a 512 linuxmint-17.3-cinnamon-64bit.iso
Edit by Clem: We will. As hard as it might be to inject a backdoor in a chroot, add build-essential, compile it, mksquashfs it, and finally genisoimage it to get an ISO with the exact same MD5, it is possible. We won’t wait for another hacker to figure it out and we’ll be using sha256sums by default going forward.
Many thanks for the information and honesty.
I did notice your site was down that day although, thankfully, I’d downloaded my ISO (Xfce version) a week earlier.
I was MS from approx. 8086 or 8088s to present Win7s at work, but switched from MS to Linux on my home computers last year.
Mint is the BEST of the Linux flavors I’ve tried.
Thank You,
Where can interested parties contribute? (A noob question, right?)
Sincerely,
Very happy with Mint
Paypal option available?
Edit by Clem: Yes. It might take a few days before your donation is processed though. We’re literally not doing anything other than addressing the attack at the moment.
I just received a notice that my password, “…may have been compromised today (02/26/2016) from breachalarm.com
I doubt it was anything that occurred due to LINUX Mint 17.2 Rafaela.
This stuff is sure getting irritating and I’m of the opinion that hackers and cybercriminals should be hanged by their xxx and slowly burned to death.
Is it safe to download an ISO of linux mint at the current time?
Edit by Clem: Yes, and also always check the MD.. SHA256SUM (not just in case of attacks, but also to check bad downloads).
Compromised data of my email from Mint forum is: Avatar, Date of birth, Email address, Geographic location, IP address, Password, Time zone, and Website activity.
Oh is that all? geeezzuss, that’s just great, now I have to track down and change emails or passwords all over the frikin net.
It’s disappointing to see so much FUD on this forum, as well as so many questions from people who apparently can’t be bothered to read what Clem has already posted.
Enough already! A website was hacked, but the distro remains sound.
Thanks, Clem, for a great OS.
Like 623 Daniel Wilson, I work with WordPress pretty much every day so, if you would like some help with that, just send me an email.
Hi Guys,
I downloaded my version of Cinnamon 17.3 64bit last year, which, from what I read, should be fine.
I rechecked the md5sum though just to be safe and it printed out
“d41d8cd98f00b204e9800998ecf8427e”
It does not match the one above. I also looked for suspicious files in /var and didn’t find any.
Should I be worried? Should I reinstall?
Edit by Clem: This is neither the sum of the hacked ISO (at least not the one we know.. it’s possible it’s another hacked ISO…), or the one of the official ISO. It’s very likely just a bad download. In any case, I would recommend to reinstall.
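The checksum checks that keep coming up in this thread (the shasum suggestion above and the mismatch reports that follow it), as an added shell example that is not the Mint project's code: it verifies a download against a published sum, flags a digest that is the hash of zero bytes (d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, so that result points at an empty file or a wrong path rather than at the ISO's content), and checks a live session or a mounted root for the /var/lib/man.cy indicator named in the announcement. The function names and the sample file in the comments are the example's own.

```shell
#!/bin/sh
# Added example: ISO verification helpers. Not part of Linux Mint.
#
# verify_iso FILE EXPECTED_SUM [ALGO]
#   ALGO is md5 or sha256 (default sha256). Exit status:
#     0 = digest matches, 1 = mismatch (bad download or altered image),
#     2 = file missing or empty (you hashed nothing, not the ISO),
#     3 = bad arguments.
verify_iso() {
  file=$1; expected=$2; algo=${3:-sha256}
  [ -n "$file" ] && [ -n "$expected" ] || return 3
  case "$algo" in
    md5)    tool=md5sum ;;
    sha256) tool=sha256sum ;;
    *)      return 3 ;;
  esac
  [ -f "$file" ] || return 2
  [ -s "$file" ] || return 2          # zero-length file: nothing to compare
  actual=$("$tool" "$file" | cut -d' ' -f1)
  # published sums may be upper- or lower-case; compare normalised
  expected_lc=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
  [ "$actual" = "$expected_lc" ]
}

# Digests of zero bytes. Seeing one of these means the tool was run on an
# empty file or the wrong path, which is a usage error, not a tampered ISO.
EMPTY_MD5=d41d8cd98f00b204e9800998ecf8427e
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# is_empty_digest SUM -> 0 if SUM is the MD5 or SHA-256 of empty input
is_empty_digest() {
  s=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  [ "$s" = "$EMPTY_MD5" ] || [ "$s" = "$EMPTY_SHA256" ]
}

# live_iso_marker_present [ROOT] -> 0 if ROOT/var/lib/man.cy exists.
# -e matches a file or a directory, so it covers both readings of the
# announcement. ROOT defaults to the running system (use it in a live
# session); pass a mount point to inspect an installed disk offline.
live_iso_marker_present() {
  root=${1:-}
  [ -e "$root/var/lib/man.cy" ]
}
```

Run `verify_iso linuxmint-17.3-cinnamon-64bit.iso <sum from the announcement> md5` against the sums published in the post; for an installed system, mount its root read-only from a known-good live session and call `live_iso_marker_present /mnt` rather than trusting tools inside the suspect install.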
@703 Tim,
I’m not sophisticated enough to know what “FUD” means, though I can guess what the “F” stands for. And at the risk of going against Clem’s wish to keep this blog civil, I take offense to your reference to “so many questions from people who apparently can’t be bothered to read what Clem has already posted”. I’m one of those people I guess, although I’ve read it all from the beginning and still don’t get it. No, the “distro” does not remain sound. Several people seem to have stumbled into a corrupted version, whatever the mechanism, and are understandably alarmed and seeking help. It seems to me that if this blog serves a purpose at all, it’s to help those among us that haven’t yet attained your exalted level of enlightenment. So perhaps it’s you that should seek a more comfortable venue among your exalted peers if you can’t put up with our uninformed questions. But thank you for your kind words of wisdom.
Hi Clem, I’ve LMDE 2 “Betsy” installed. I’ve just checked the md5 and they don’t match.
From the ISO: (64-bit)
5e5d617c6c6daed27cba9c1aca75c4ca
MD5 hex hash: for LMDE 2 Betsy
3089a29a1ab87095c47a4a00f1374e28
You may need to check for yourselves. Unless I’m behind the times.
@fargohn
FUD = Fear, Uncertainty and Doubt.
To explain the situation I made the following post. Clearly, I am going to have to repost it each time someone asks, “Am I affected by this, is Mint safe.” Here is the situation:
[Clearly I need to submit this here- with typos corrected.]
To those worrying about Mint with fears that virus checking is needed, malware detectors, whether Mint Linux is safe, can downloads be trusted, etc, etc.
Calm down!
NOTHING HAS CHANGED!
Mint Linux itself has not changed. Mint was not even hacked!
Nothing has changed regarding virus, the need for virus checkers or anything else.
I am using Mint Linux KDE 17.0 and continuing to use it as before.
The Mint WEBSITE was hacked!!
That’s like Google being hacked. Any data you had stored on Google is up for grabs, but it has no impact on the operating system you were using to access it, be it Windows, OSX, Android or Mint.
You can use Mint in the exact same way you were before – though it’s a lesson on having different passwords for different sites.
Yes, on the 20th Feb Mint Cinnamon 64 was ‘hacked’ in the sense the weblink to the ISO image was REPLACED and the user sent to a hacked version of Mint. But we’re talking about a REPLACEMENT ISO – not a bit of malware you pick up from an update.
Absolutely NOTHING was compromised on updates, software installs, nothing.
You would be infected if you installed SPECIFICALLY Mint Cinnamon 64bit edition having downloaded the ISO image on EXACTLY the 20th February – which means 99.8% of Mint users are unaffected, including me. I am a naturally nervous person and even I am completely sanguine about this. I know I have no problem and odds are – neither do you.
*If* you installed SPECIFICALLY Mint Cinnamon 64 using an image from EXACTLY the 20th of FEBRUARY: get a new image, reformat the hard disk, re-install, problem solved.
If you used the same password to access the Mint forums and other sites, you should change the password on ALL sites that you used that password on. But, again, this has nothing to do with Mint itself.
Linux Mint remains as secure as it ever was. Nothing has changed. Now, the website is a whole other matter and it seems deficiencies were found and exploited – but it’s damn hard to maintain web security. But, again, this has NOTHING to do with Mint.
There is a lot of FUD flying around Mint now which is completely undeserved. Let’s keep our heads – and donate to keep the A number 1 easy to use, “it just works” (and still works) Linux distro going from strength to strength!
I downloaded the 64-bit version on Feb 20th; the MD5 sum of it is:
7d590864618866c225ede058f1ba61f0
so I can re-burn the DVD and reinstall it, all right?!
This is bad, very bad – I installed it for a family member to show her that in the Linux world she doesn’t need to care about anti-virus that much, as her Windows on that machine using Facebook etc. was one big mess…
kifer
Edit by Clem: Destroy the ISO and the DVD, download again and reinstall. This is the hacked ISO.
Hi Clem, this is an amendment to my previous post regarding the mis-matching md5 hash sum for LMDE 2 “Betsy”. I installed it around the 20th Feb 2016. I’m sorry I can’t be more specific. I ran the install date command and this is the output:
andy@lmde2-latitude-e6410 ~ $ sudo passwd -S sys | tail -1 | awk '{print $3}'
04/06/2015
andy@lmde2-latitude-e6410 ~ $
Something’s not right there. This computer has never had LMDE 2 installed on it before. The SSD and /DATA HDD are brand new.
Edit by Clem: Hi Andy, I’m sorry I’m not sure what you mean.. what are you checking exactly?
@ Jedinovice – I get all of that. The problem is that I fall into that small fraction of installers that potentially installed a corrupted version on the 20th of this month. All I have asked is for some means of looking at my installation to determine if it’s good. There’s no question that I could wipe my drive and start with a good install. I have a known good .iso on an outboard drive. I’m reluctant to start over because I may be good with what I’ve already got. The phantom file at /var/lib/man.cy is one test that could determine this, yet I have yet to receive a coherent answer as to what I should expect to see. There was a reference to that path that doesn’t appear on my drive. Instead I see /var/lib/man-db/auto-update and there is nothing else even similar below /var/lib …. I’ve asked repeatedly if a healthy load is consistent with this and …. roaring silence. So I suppose I should just nuke what I’ve got and start over? No questions asked? I’m actually trying to learn something from this.
Edit by Clem: The presence of /var/lib/man.cy means the backdoor is there. However, its absence doesn’t mean the OS is clean… because the backdoor allows the hacker to execute commands, thus to rename files and move the backdoor elsewhere. In other words, you can look at the OS and see if it’s hacked. But you can’t look at the OS and be sure that it’s clean. To be sure it’s clean, you need to look at the ISO you installed it with.
Hi,
First off, am very happy with Mint. Thank you for such an excellent job.
It’s very hard to be secure when the gov can walk into the server room, attach to the drive and copy or change whatever they want. No amount of SSL/TLS https etc. will help.
Am not a hardcore tech guy, but going forward you will probably explore some sort of end-to-end encryption like stuff, and I bet that will cost a pile of money.
Am sorry I have been dilly dallying on sending you some moolah. But this hack convinced me you guys need all the help you can get. So I sent you guys some.
Cheers!!
Keep everything free, ’cause Indians love free stuff 🙂
Because this blog entry is becoming unwieldy and people remain nervous and want assurance on their personal Mint install, I have created a suitable thread on the forum.
IF YOU ARE WORRIED ABOUT YOUR MINT INSTALLATION COME HERE!
https://forums.linuxmint.com/viewtopic.php?f=60&t=217357
All is explained in understandable language and you will come away reassured.
@farjohn
As I understand it, if you boot the ISO into live mode and there is a file man.cy in /var/lib/ then you are affected.
If it’s not there, you are clear. As simple as that. [My understanding is that the man.cy file is the source that compiles into Mint during installation, but we need more data to know exactly what’s going on. I only know from Clem’s comments here that it’s the source code for the malware.]
I understand there has been an update to Mint update which runs a check for the file – but I am running 17.0 and so haven’t seen it.
I think people are not replying because they are no longer here. The blog was filled while the forums were down. Now they are back everyone has gone back to the forum.
Another reason for my posting. Come over and ask your questions on my thread!
@Jedinovice, Thank you. That’s as clear and direct an answer as I could have expected, and pardon my frustration. I appreciate your help. I’ll attend your sideshow in the hope of learning more. Thanks again.
“Stannis says:
February 25th, 2016 at 8:14 am
I just switched back to Ubuntu. Anyone else here do the same/similar thing?”
No, it’s just you.
Edit by Clem: We have a responsibility to react to the attack and understand that our security was too low. We’ve been working non-stop on this since. It’s important to understand what we’re up against though. The more successful we are the more of a target we will be. Almost every big project out there is getting hacked: https://haveibeenpwned.com/PwnedWebsites. Regarding Ubuntu, it’s the other big distro, so you can imagine it’s also a target and of course it’s also been breached (https://blog.sucuri.net/2013/07/ubuntu-forums-hacked.html).
The hacked page is now offline
@farjohn 694
Farjohn, this isn’t a forum, it’s a blog. As you have so many questions you would have a much better chance of getting answers by actually joining the Mint Forums at: https://forums.linuxmint.com There are a lot of people there with real Mint expertise and they will be delighted to help you.
As for the malicious content in the Mint Cinnamon hacked ISO it has been stated several times in this blog that what to look for is the FILE /var/lib/man.cy, so “man.cy” is a FILE.
For checking the MD5 of an ISO go here and get a copy of the MD5 checksums for Mint releases: http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/
Just click on the link md5sum.txt and copy the content into a text editor of your choice and save it. (If you want to double check your ISO(s) then do the same for the sha256sum.txt link.)
Now that you have the official checksum numbers you can check the ISO(s) that you have against those checksums. To do that launch a terminal and type the following (note you will have to adjust the command to suit the full path and exact filename of the ISO file you want to check):
md5sum linuxmint-17.3-cinnamon-64bit.iso
Once the command completes (it will take some time, be patient) highlight and then copy the long complicated hexadecimal number that the command produces – be very careful when you do this that you select ALL of the number and ONLY THE NUMBER, no extra spaces at the end. Now open the md5sum.txt that you created earlier in a text editor and do the following:
1) Use the Search function of the text editor and paste the MD5 number you got for the ISO from the terminal command into the Search Text-box.
2) Now click on the Search button
3) If the Search function finds a match then your ISO is fine.
4) If the Search function does not find a match then your ISO is either hacked or you have a faulty/corrupted downloaded ISO.
You can then follow the same procedure to check the ISO against the SHA256 checksum – though, obviously, you need to make sure that you do the checking against the text information in the sha256sum.txt file you might have created earlier. If you want to do that check the command to use in the terminal is:
sha256sum linuxmint-17.3-cinnamon-64bit.iso
Again you will need to provide the correct full path and exact filename for the ISO you are checking.
Lastly, what is the difference regarding checking MD5 or SHA256? SHA256 is a much more secure check than an MD5 check. That said, for most purposes MD5 is okay because it’s reasonably secure anyway. But in the longer run I would guess it would be good for Mint to just abandon MD5 sums and transfer to SHA256 (or higher) – extra security at no extra price – go for it.
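The checking procedure above (and the shorter “1-2-3 How to” further down the thread) can be scripted so the comparison is done by the tool rather than by eye. This is an added example, not code from the blog or from the Mint project; the file names, the “official” sum files and the sample images are constructed stand-ins built in a temporary directory.

```shell
# Added example (not from the Linux Mint blog or the Mint project): compare an
# ISO with the published md5sum.txt / sha256sum.txt and also catch the two
# answers a bare "md5sum file.iso" never gives: the ISO is not listed at all,
# or the file is empty because the download never completed.
#
# verify_iso ISO SUMS_FILE ALGO
#   returns 0 = match, 1 = mismatch, 2 = not listed / unknown algo, 3 = empty
verify_iso() {
    iso=$1 sums=$2 algo=$3
    case "$algo" in
        md5)    tool=md5sum ;;
        sha256) tool=sha256sum ;;
        *) echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    name=$(basename "$iso")
    # A zero-byte file hashes fine, but the result is the hash of nothing.
    if [ ! -s "$iso" ]; then
        echo "$name: MISSING OR EMPTY FILE (download incomplete), nothing to compare"
        return 3
    fi
    # Sum files list "<hex>  <filename>" per line; some files prefix the name
    # with "*" (binary mode), so strip it before comparing names.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $(basename "$sums")"
        return 2
    fi
    actual=$("$tool" "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: $algo OK"
        return 0
    fi
    echo "$name: $algo MISMATCH (got $actual, expected $expected)"
    return 1
}

# Constructed fixtures (stand-ins for real ISOs and the mirror's sum files),
# created in a temp dir whose path is printed.
make_fixtures() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/good.iso"        # intact "image"
    printf 'hellO\n' > "$d/tampered.iso"    # one byte changed
    : > "$d/empty.iso"                      # aborted download
    printf 'hello\n' > "$d/unlisted.iso"    # not in the sum files
    # md5 / sha256 of "hello\n", laid out like the official sum files.
    cat > "$d/md5sum.txt" <<EOF
b1946ac92492d2347c6235b4d2611184  good.iso
b1946ac92492d2347c6235b4d2611184  tampered.iso
b1946ac92492d2347c6235b4d2611184  empty.iso
EOF
    cat > "$d/sha256sum.txt" <<EOF
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 *good.iso
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 *tampered.iso
EOF
    echo "$d"
}

demo() {
    d=$(make_fixtures)
    for f in good tampered empty unlisted; do
        verify_iso "$d/$f.iso" "$d/md5sum.txt" md5 || true
        verify_iso "$d/$f.iso" "$d/sha256sum.txt" sha256 || true
    done
    rm -rf "$d"
}
demo
```

The empty-file case is not hypothetical: d41d8cd98f00b204e9800998ecf8427e, the sum two commenters in this thread report, is the MD5 of zero bytes, i.e. a download that never produced any data.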
“Stannis says:
February 25th, 2016 at 8:14 am
I just switched back to Ubuntu. Anyone else here do the same/similar thing?”
No. But you may want to give https://en.wikipedia.org/wiki/Red_Star_OS a try.
Clem how about upgraded installs (upgrade from 17.2 -> 17.3) ?
And why the ping to absentvodka.com shows it as localhost ?
PING absentvodka.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.043 ms
Edit by Clem: Upgrades are fine. As for absentvodka, I assume the hackers modified its DNS entry to 127.0.0.1 when the backdoor was revealed, so investigators wouldn’t use it to get to them through it.
Hi,
I see this event gave rise to a security matter in Linux for some people.
I’m doing a “soft” Windows to Linux conversion (meaning I’m not yet fully converted…) for some months, and the “no virus on Linux” question seems to be unclearly solved.
While ElisaMasah seems to draw some extreme conclusions, I find there are some points here: is there one Linux tool that can detect such malware? Either by scanning or by analyzing the system in real time?
ClamAV/TK seems to only work at scan-time and I read everything about it (including poor reviews).
Some AV only scan the MS executables on MS partitions/systems…
Even if Linux is a lesser target to virus and is harder to infect, this event proves that the detection of a *known* malware is a hard task if it can only be detected by its name (which can be remotely changed by the hacker…).
Yet again, I’m new to this whole world, but my system security is an important matter I need to fully understand before I complete my conversion 😉
Cheer up, and thanks for the way you’re dealing with the situation.
@694 farjohn: Thanks for the compliment, but I must be clear that my apparent knowledge of the situation comes only from what I read on the Linux Mint blog & forums, as well as in the news. I do not have any privileged insights, nor do I have authority to speak on behalf of Clem.
You’re asking some specific questions, which perhaps may get better answered posting each one separately on the forums (https://forums.linuxmint.com/). It’s a far better infrastructure to support back & forth conversations, and I recommend it highly.
But allow me to respond to your “fixed everything” comment.
It is my understanding that the Linux Mint website has indeed returned to its proper state, and no longer has download links incorrectly pointing to counterfeit ISOs somewhere in Bulgaria (I’m sure it’s an otherwise nice place), and now has better overall security.
It is also my understanding that the only compromised ISO was for Linux Mint 17.3 Cinnamon 64-bit, and that the other ISOs were not affected.
It is my understanding that if you still have the installation DVD for Linux Mint 17.3 Cinnamon 64-bit, you can boot into the live session, and inspect for the existence of a file named man.cy, found in the /var/lib/ directory. If there, then it’s my understanding that the DVD was created via the counterfeit ISO we’re talking about.
That all said, it is also my understanding that the genuine ISOs hosted on genuine mirrors were never compromised at any time, so if someone did indeed download anything from a genuine mirror, even on February 20th, then they would not be of the affected audience. Related, it’s my understanding that if someone downloaded their ISO via one of the official torrents, or made their upgrade to 17.3 via MintUpdate, then they would also likewise not be affected.
It is my understanding that the Linux Mint repositories were not affected by the intrusion, and therefore system updates can continue to be made. It is also my understanding that MintUpdate, as of version 4.9.9.1, now automatically checks for the Tsunami malware that was found on systems installed with the compromised ISO.
Lastly, it is my understanding that Clem & team have been working with a website security firm to ensure the Linux Mint infrastructure was not otherwise affected (e.g., the forums), and to improve & harden all aspects so as to prevent such intrusions in the future.
That is my understanding of the situation at hand. I’m confident others know more. Please excuse any pre-coffee typos.
@farjohn
you can preserve your Thunderbird settings.
Copy the .thunderbird folder to another drive, after reinstall copy it back (it is a Hidden folder in your /home directory)
same works for Firefox, but that folder is called .mozilla
Clem, haters gonna hate. I’m a Mint user and I’m here to stay. remember to relax. To the haters, it’s gonna take some time to get it fixed, but in the end Mint will still be a Great OS for us all.
@ JoeFootball
Thank you for your detailed reply. If you did all that before your first “cuppa”, you’re a far better man than I 😉 Yes, I understood before I asked you anything that you are a participant here and not a member of Clem’s group or empowered to speak in an official capacity. My compliment was genuine; you appear both well grounded in Linux and intelligent. I’m just an old man that used to punch Hollerith cards and feed them to IBM 360’s. In any case I had gleaned pretty much everything you summarized from the blog, except clarification on the corrupting file. Clem had stated, to quote from his original post, “if there is a file in /var/lib/man.cy, then this is an infected ISO”. Reading this literally, man.cy is a subdirectory of /var/lib (or a “folder” in today’s parlance, and GOD I hate that term) that should not contain some (unnamed) file. Several people expressed confusion over this and, to my knowledge, the question was never clearly answered, though in fairness I may have missed it somewhere. My own confusion was compounded when I examined the /var/lib path on my potentially corrupted drive and found a similarly named subdirectory called “man-db” containing an empty text file. Trying to ask the question a different way, I asked if this might indicate a healthy install. But apparently nobody still listening understood or cared to reply. Your point about many having fled back to the forums is well taken. Anyway, I do appreciate your willingness to hold my hand on this one. So thank you, JoeFootball, and perhaps we’ll engage on a forum sometime down the line during happier times. Now you’d better get that cup of coffee 😉
@peter e,
Thanks for the tip. I haven’t played with Linux enough yet to know where the hidden things are stashed and your info helps. I suppose though, given the uncertainty as to what this Cossack bottom feeder planted other than the back door (or subsequently THROUGH the back door) that if there’s any doubt, the drive and anything that ever touched it should be wiped clean. I’ve invested several hours in setting up this particular install, which is why I’ve been trying hard to either confirm its health or face grim reality. Anyway, thanks for your post.
@703tim, re:my #704,
Please excuse the flame. I was having a bad day and took your post personally. I apologize.
Lucky me, I DL and installed mint 17.3 cin on the 20th.
Yes I got a bad copy, fortunately I was installing it on a laptop used for car ODBII diagnostics so no real problem. I was alerted to this when I tried to run the update manager.
I was messing around with the ttl usb devices and lost the use of my mouse so I thought it was something I did, I don’t know if this was my messing about or the result of the hack.
@farjohn,
No problem! At least you took the time to read what others then posted. But not every acronym with an F is abusive!
@719 Tim,
Too much time spent recently on political blogs, I guess :-/
I know my install isn’t affected, however can someone tell me what the md5 for linuxmint-17.3-cinnamon-64bit-beta.iso would be (got it around December)? Is it the same?
FYI, this is what I get:
f8784498df6bd6efa6841272d9484009 linuxmint-17.3-cinnamon-64bit-beta.iso
Let me know if there’s any red flags.
Edit by Clem: It doesn’t look right, check https://ftp.heanet.ie/mirrors/linuxmint.com/stable/17.3/md5sum.txt
Hello Clem & The Linux Mint Team
I have just made my first donation to show my support.
Thanks for making this great distro. Linux Mint serves me very well since 2013 and I have no doubt that it will remain my favourite OS for a long time.
Thank you also for the transparent communication of the recent website hack. Your reaction to this incident is exemplary!
It is sad to see that many are unable or unwilling to distinguish between the website of this project and the distro itself. Don’t be discouraged by these uninformed comments.
A few observations:
I see a danger with the current drive to implement https, in that it may create a false sense of security among webmasters and their visitors. MITM attacks are rare, yet that is basically all https protects against. So, this is basically attacking a straw man.
The real issue here is that of CMS which use SQL as the database. There are a few other issues like xss, but the only real way to stop the majority of these hacks is to stop using SQL with its builtin code injection risks.
As for keeping WordPress up to date, yes that is advisable, but then again, how many vulns does the latest version contain? None, is an unlikely answer. So, how much more secure is the latest version than the previous? Answer, probably not much. The fact that the vulns in the latest release have not yet been found (or maybe found but not yet been publicised) does not make it a secure product.
Since all of the CMS coders -not just WordPress- are so reluctant to change to a more secure database, the only real answer to this is to switch to a static site, or maybe a file-based CMS.
Edit by Clem: We now only use WordPress for blogs. We will switch our websites to https (some already switched), and as you indicated it’s mostly to prevent from MITM attacks on our visitors.
Clem, Jedinovice, Hal, all..
Thanks for your work & advice..
Dissecting & burning & melting, this very moment..
getting used to the idea of multiple partitions as a form of system management, rather than data management..
Thanks for the knowledge & good advice!!
Ahh.. dooh.. Jedi Novice..
got it.. not an East European surname..
i’ll go pick up my engine shrapnel, now…
“We now only use WordPress for blogs.”
That is reassuring. I think it is also unfortunate that Linux Mint has taken a lot of collateral in the IT press over this incident when in fact there is no security problem with the distro itself. My faith in it has certainly not been affected.
(bows with bic lighter, setting hair on fire…)
BTW, for other old-time DOS noobs..
this is a useful page: http://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/index.html
BTW..!! I feel 33 again!! anyone remember EMM386.sys????
same rope, but prettier knots!!!
@731 farjohn: Yes, Clem’s original post could have been more clear, but he subsequently clarified that man.cy is a file located in the /var/lib directory. Also, for added clarity, this would be found in the live session running off a compromised ISO. (i.e., not a system installed via a compromised ISO)
Yes, it’s difficult to track conversations on a blog, especially a post such as this which is conducive to enthusiastic opinions. The forums are a far better solution for that. Recommended for everyone for (almost) everything: https://forums.linuxmint.com/
Hollerith cards. Now you’re dating yourself. I haven’t heard that term in a long time. While I never had the opportunity, I must confess that I’m not too far behind you.
Trivia Question: Why is the ASCII delete character number 127? One would logically think is would have a lower value to be part of the non-printable character set, true? Hint: Someone who punched Hollerith cards should know the answer.
Off to find coffee. See you on the forums.
@738 Jerry: That looks like the correct hash, but for the BETA version.
Stable versions (with MD5 and SHA256 hashes) are available at: https://ftp.heanet.ie/mirrors/linuxmint.com/stable/17.3/
registered for the forums on the Mint install..
Thanks!!
The main website is now under HTTPS.
Notes:
– This is not related to the attacks; it’s not there to protect us, but to protect you. Since we’re working on security, we’re switching to HTTPS at the same time.
– HTTPS encrypts the communication between you and us, so it protects you against people listening to your traffic and stealing the passwords or the information you’re typing.
– HTTPS certifies we are who we are so it protects you against people routing your traffic and DNS queries to fake servers.
– HTTPS does not protect us from being hacked. And it does not protect you from viewing hacked information on our server.
The iso 17.3 Rosa should I format?
@Squinty #741
Glad you’re having fun. That’s how it’s supposed to be.
How are you faring with the password dodging scheme?
FYI
https://www.eff.org/https-everywhere
@Clem, I perfectly know, I guess you meant to write all that to 609 ‑ Stannis, it was them saying they switched to Ubuntu.
I am still with Mint and I am not planning to change —– don’t worry.
@clem
From now on please add sha1 or 256. md5 is known to have some potential vulnerabilities. Just be on the safe side 🙂
@Others
Make it a good habit and check “hashsum” with every download, not just here. Linux is S A F E unless you download from unknown sources and/or not check filesums. And yes, even WindowsXP is safe, when properly hardened 🙂
1-2-3 How to:
– Go to the file’s folder
– Right click, “open with terminal” (bash aka command prompt)
– enter md5sum filename or sha1sum … or sha256sum …
(note: usually 2 or 3 letters enough to auto-complete with tab button)
You are using wordpress? You should use a different CMS system, not those CMS that were written using PHP. Not that PHP is bad, but there are so many bugs in CMS written in PHP, I think you should write a CMS from scratch, that is simple, yet extensible, secure using a hardened Linux kernel. What I mean for simplicity is this: avoid bugs or try to limit the number of bugs or reduce it to zero, this type of bug that can be exploited by hackers. Extensible meaning, the database design must be up to the standard, and there should be no form of SQL injection in the code.
@755: SHA256 hashes have always been available. https://ftp.heanet.ie/mirrors/linuxmint.com/stable/17.3/sha256sum.txt
Additionally, the GPG signing key for the hash file has been available. https://ftp.heanet.ie/mirrors/linuxmint.com/stable/17.3/sha256sum.txt.gpg
Hey at all,
now the downloads for the distribution are safe???
I also would be happy to see a short tutorial at the download sites of Mint for every desktop, so users can learn how to check the signatures!
Also I miss some secure domains like “https://www.linuxmint.com” and not the normal http!
Edit by Clem: Hi Martin, the ISOs themselves were always safe, our website was hacked to point to fake ones. We’re still working on moving the blog to https, but the main site is already using it. Regarding signatures, it depends on your environment… in Linux, you would typically open a terminal and type sha256sum filename.iso, or md5sum filename.iso.
@758 Martin: It’s my understanding that none of the genuine ISOs at genuine mirrors were ever compromised.
It’s my understanding that the Linux Mint website was compromised, where it had download links incorrectly pointing to counterfeit ISOs elsewhere, and the only affected ISO was Linux Mint 17.3 Cinnamon 64-bit.
Comment #339 demonstrates how you can validate the GPG signature of the SHA-256 hash file.
The Linux Mint website forces the HTTPS protocol.
hi thanks 🙂
I can see my suggestion at comment #544 (unless it changes number again, otherwise hit Ctrl+F) has been implemented, good on you guys for the 110% transparency on this!
A reason more to keep using and spreading Mint.
I moved to Linux 3 years ago and I tested some distributions. The one I liked the most was Linux Mint, and here I am. Happy not using Windows anymore at home. Guys, now it’s the best time to support Linux Mint!
I think the Mint team have handled this wonderfully and do not regret donating to them in the past.
This could happen to any site and any distribution and it speaks volumes that they even caught it so quickly and notified users this quickly.
One thing I would like to see come out are the exact details of the backdoor, especially the protocol, ports it uses and what program/rootkit it is.
Clem………….
The Mint Team needs to talk to these guys ASAP:
https://tails.boum.org
For their part, TAILS OS desperately needs a port of the MATE desktop (Gnome for Debian is a disaster). Maybe a collaboration.
In this era, no one can afford to ignore what seems to be for whatever reason a strong disposition to less than standard-of-care in regard to security. It’s no longer ‘cute’ in a post-Snowden era. Others before me have already given good advice so I’ll just ask/add:
Why are all the releases being signed with a 1024 bit key (0x0FF405b2) that never expires? Why is the MD5 signature still up there on a site that went to https? For any GnuPG user these are among the top 5 cardinal sins (using a 1024bit key being the 1st). It wasn’t easy to find either.
Most people would be quick to dismiss #579 comments as a troll. I can assure you that he/she is not – yes there is some ‘junk’ mixed in but he/she is giving you the ‘why’ and ‘how’ and the message that this was only a demonstration (something similar or worse can be directed toward the Mint team at any time)
I hope the Mint team didn’t think that they wouldn’t be touched because of how transparent, how good, and how important this distro is to the linux community. The Mint team was targeted BECAUSE of this. My hunch is that you can expect a lot more hidden ‘surprises’ yet to manifest themselves
1. As #261 implies, while you caught this backdoor what about the others that you haven’t discovered – or do you think that after going through all this effort to compromise the server that the culprits only put in one [easiest to find]? You said you’re going to get extra servers. Where are you getting them from, how are they going to be delivered (interdiction threat), and who is setting them up? – see NSA’s Tailored Access Operations (TAO). NSA’s TAO have gone after much smaller fish to spread malware worldwide and Linux Mint, with its global reach, is a whale. Also, I can’t understand the certainty when you say no other packages have been affected. It seems too early.
Hi, I am new to mint. Just downloaded today (Feb 29) and I checked md5 for 64bit cinnamon iso and it matches your list.
@763 Areeb Yasir: It’s my understanding that it was the Tsunami malware.
Hello. Sorry, I don’t speak English. I would like to know whether LMDE2 was affected as well. Thanks.
Edit by Clem: Hello, the attacks targeted one of our web servers. They affected our forums and briefly our main site. The ISOs and repositories were not affected.
my hard drive went back to windows OS, lost all my data, never DL the newer version. Does Linux update automatically? and is that how I got the virus?
Kaz – No, it only happens if you download fresh isos and install.
Sorry false alarm. was connected to different hard drive with windows OS. Yuppie, still have Linux 17.2 and everything intact.
But my question is: does automatic update infect my Linux?
I have disabled it for now.
Events like this make us realise how precious is this operating system to us and how some people hate the fact that we have a free operating system.
its simple.. wp installation was not updated to latest version or your theme (text inputs) is badly coded.. also ssh should always be accessible via ssh keys and wp-admin and wp-login should be protected via htaccess as well.. I think that’s what happened here – things were possibly outdated 🙂
I would use wp only for blogs. You should just create a simple html page with a markdown parser so you would have an md file with all downloads listed there, and edit only that .md file when needed without coding.. some hybrid site, that would be the best possible solution and even then the site would be much faster than it is right now.
Edit by Clem: It’s not “that” simple, you also need to restrict www-data write access, restrict php’s scope to /var/www, prevent php execution in upload dirs, forbid php use php_allow_*, execute and a whole list of stuff…. we’re not perfect, and we’re probably still not completely protected but we ran a checklist on all our servers and it had 27 work items for each one of them. So no, it’s not that simple.
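Three of the checklist items Clem names above (no PHP execution in upload directories, no web-user write access where it is not needed, PHP confined to the web root) can be audited read-only before a server goes live. This is an added example, not the Mint team’s checklist or code; the web-root layout, the directory name “uploads”, and the php.ini locations are constructed stand-ins, and since the audit runs unprivileged it keys on group/other write bits rather than on www-data ownership.

```shell
# Added example (not from the Linux Mint blog or the Mint project): a read-only
# audit for three items on the hardening checklist quoted above.
#
# audit_webroot WEBROOT PHP_INI   -> prints one line per finding and a final
#                                   "N finding(s)" summary; always returns 0.
audit_webroot() {
    root=$1 ini=$2 findings=0

    # 1. PHP sources under an uploads directory. If the web server executes
    #    them, anything a user uploaded runs as server-side code.
    for f in $(find "$root" -type f -path '*/uploads/*' \
                 \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)); do
        echo "php source in upload dir: $f"
        findings=$((findings + 1))
    done

    # 2. Directories writable by group or others (stand-in for "writable by
    #    www-data": fixtures cannot be chown'ed without root, so mode bits
    #    are used). A writable web dir plus an include bug is a foothold.
    for dir in $(find "$root" -type d \( -perm -020 -o -perm -002 \)); do
        echo "writable dir: $dir"
        findings=$((findings + 1))
    done

    # 3. php.ini: open_basedir should confine PHP to the web root, and the
    #    process-spawning functions should be in disable_functions.
    if ! grep -Eq '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini"; then
        echo "php.ini: open_basedir not set"
        findings=$((findings + 1))
    fi
    for fn in exec system shell_exec passthru; do
        if ! grep -Eq "^[[:space:]]*disable_functions[[:space:]]*=(.*[, ])?$fn([, ].*)?$" "$ini"; then
            echo "php.ini: $fn not in disable_functions"
            findings=$((findings + 1))
        fi
    done
    echo "$findings finding(s)"
    return 0
}

# Constructed fixtures: a WordPress-like tree with one bad upload and one
# world-writable directory, plus a weak and a hardened php.ini. Prints the
# temp dir path.
make_web_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/www/wp-content/uploads" "$d/www/wp-content/themes"
    printf '<?php phpinfo();\n' > "$d/www/wp-content/uploads/avatar.php"   # bad
    printf 'GIF89a\n'           > "$d/www/wp-content/uploads/avatar.gif"   # fine
    printf '<?php // theme\n'   > "$d/www/wp-content/themes/index.php"     # fine
    chmod 0755 "$d/www" "$d/www/wp-content" "$d/www/wp-content/themes"
    chmod 0777 "$d/www/wp-content/uploads"                                 # bad
    printf 'open_basedir =\ndisable_functions = exec,system\n' > "$d/php-weak.ini"
    printf 'open_basedir = /var/www\ndisable_functions = exec,system,shell_exec,passthru\n' \
        > "$d/php-hard.ini"
    echo "$d"
}

demo() {
    d=$(make_web_fixtures)
    echo "== weak php.ini ==";     audit_webroot "$d/www" "$d/php-weak.ini"
    echo "== hardened php.ini =="; audit_webroot "$d/www" "$d/php-hard.ini"
    rm -rf "$d"
}
demo
```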
Dear Clem,
are you sure that other versions of Linux Mint are not affected? I have downloaded 17.2 Cinnamon 64 bit with drivers recently (most probably in February, I’m not sure when). When I check a random file on the burnt disc, it says: last modification: 27 June 2015, 15.11.56 CEST. Should I be worried? Thank you for your reply in advance!
Regards,
Andrew
For quite a number of years users logged in under plain, unencrypted http in the clear Internet. The possibility that an administrator accidentally exposed their password is probable if not likely during that span. Sweeping comments that https wouldn’t have helped to prevent this problem should be scaled back I think.
Yesterday when I updated my linuxmint desktop with Update Manager, I updated Google Chrome and Linux Firmware. Suddenly my machine became unresponsive, then I restarted it. But now it is not starting; it says libcgmanager.so.0 is unreadable or not found when run in recovery mode.
Then I booted up the PC with a live USB and I can see a few files have become unreadable (corrupt) in my home folder as well.
Is this due to any virus or hacker activity?
Thanks
Edit by Clem: No, it doesn’t seem related. Look for I/O errors in syslog/dmesg to see if your HDD is showing signs of failure, and try to downgrade the packages you upgraded (the firmware one in particular) to see if that’s the cause of the issues.
Hi. The date is 5 March and I downloaded Linux Mint 17.3 Cinnamon 64-bit via torrent, and the md5sum does not match the one posted here:
md5sum linuxmint-17.3-cinnamon-64bit.iso
d41d8cd98f00b204e9800998ecf8427e linuxmint-17.3-cinnamon-64bit.iso
Please advise.
I have 3 Mint 17.1 laptops. When I updated Kodi on one laptop, it messed up right away.
@775 Ben: If it’s not the correct hash, then I advise you not to use that ISO. It’s likely just a corrupted download, but regardless, make sure you’re getting the torrent file from the official source. https://www.linuxmint.com/edition.php?id=204
Hello all,
I am one of the many people who opted out of anything Windows when XP became obsolete. Most of the newly minted (forgive the pun) Linux users come from where I came from.
I tried Ubuntu but I quickly changed to Mint and I have been satisfied ever since.
I started using computers in the MS-DOS days, so, typing commands in a terminal is familiar. It was like owning cars: knowing how to drive wasn’t enough: you occasionally had to lift the hood and take care of things.
But many, many years later, no driver is required to open the hood of their cars and no computer-user is inclined to – god forbid – type in a… command? * are you serious * ?
This is – in my opinion – where Apple won the game: “forget about what’s under the hood; you concentrate on driving”. (Every Mac user I know – and they are many – falls under this category.)
As I said, I am happy with the Linux Mint universe and I am spreading the word. BUT: for the system, and the community, to make a difference, “things Linux Mint” have to:
1. keep users AWAY from the terminal
2. keep the repositories fresh and relevant: I am tempted to install software from places other than the repositories because I am promised the "latest version". And this is where problems begin: why isn't the latest version in the repository? Am I missing out? What about that software that I can't find in the repository? WHAT THE HELL IS A REPOSITORY? 🙂
You get the drift.
I hope I helped.
Christos
Hi
I am a bit confused by your description of the MD5 signatures you have listed above.
If the checksum of my ISO matches one of the signatures in your list, is my ISO OK or not?
Good old WordPress, great platform, infamous for security bugs.
That said, it seems that webshells are all the rage these days. From Chinese organizations using them, now everyone is using them.
As for the attacks being from Bulgaria, there is a criminal organization that works out of there. Can’t discuss it further though, a big fat NDA is in the way of that.
Hello Clem,
Well done – discovering and then managing your business continuity was a major and well-orchestrated effort on your part.
May I ask a question about a very trivial thing? The desktop backgrounds in Rosa – there is one I really love – Expo.
Where was the picture taken?
Best to all –
Waarheid
Edit by Clem: In Malcesine, Lake Garda, Italy.
@779 corkscrew: If you still have the ISO file, and it matches one of the hashes that Clem posted, then it’s very likely good.
Please note that unless you downloaded the ISO for Linux Mint Cinnamon desktop, for the 64-bit architecture, on February 20th, via one of the counterfeit IPs before the website was taken down, then it’s quite unlikely your ISO was affected.
Edit by Clem: I sure hope you’re using your services to make people happier and without harming anyone. For the record, the attack performed on us recently cost us a huge amount of development time, harmed our project and its reputation, gave the opportunity to some people who disliked us to publicly criticize us and exposed some of our users, either via the fake ISO they downloaded or via a weak forum password which was leaked. Customer satisfaction is key when you’re talented, but choose your customers wisely if your talent can be used to hurt.
Hi Clem, I believe I was hacked prior to being admitted to hospital on the 9th of February 2016. I had burnt a DVD containing Linux Mint 17.3 Cinnamon 32-bit and found I could not access the Linux Mint website or forum.
I eventually gave up and discarded the LM 32-bit Cinnamon disk, but not before I encountered a highly suspicious message from an Eastern European country.
Since coming home from hospital I have changed the passwords on my router, wiped the hard drive and reinstalled LM 17.3 Cinnamon 64-bit. I am in the process of changing all my passwords for sensitive sites.
I read on one of the Linux websites that the hacker stated he had gained access to Linux Mint at the end of January. That would tally with my experience.
I am convalescing presently, so cannot enter in discussion about the above. I hope you find it useful.
Kind regards, Kevin xxx
Edit by Clem: Hi Kevin, I removed your last name from the comment. Although we weren't able to confirm it formally, we believe the hacker told the truth when claiming the first intrusion was on the 28th of January. That would mean encrypted passwords from the forums could have been cracked as early as that date. If your forum password was the same as on other websites, then by all means take this very seriously, especially if it was simple. Now, regarding the ISO, we believe the exposure from our website towards the fake ISO only lasted hours. It could have been the 19th of February, the 20th, maybe even the 21st, depending on your timezone, and the impact of that ISO running on a computer is that it had a backdoor in it, from which the hacker could have run local commands. That backdoor connected to a remote IRC server and people did report it messed up their connection a little bit (we don't know whether that was a side effect of the backdoor being used to flood another target, or some programming or manipulation error from the hackers). In terms of intrusions, we could confirm two of them, on Feb 18th and Feb 20th, and they confirm other claims from the hacker, so that leads us to believe he was telling the truth about Jan 28th.
Hi,
I have been on Linux since 2001, from Caldera OpenLinux to Red Hat, and had finally settled on Pear; after it got discontinued I moved to LM13 and it is still my OS. As a promoter of Unix/Linux I regularly help install Mint for those willing to try Mint as a dual boot with Windows.
After seeing this beware notice, I checked with those on whom 17.2/17.3 was installed in Cinnamon/MATE/Xfce/KDE.
A peculiar problem has been reported wherein /var/log files are generated using 5-6 GiB of space, filling the partition, while on my Linux Mint 13 a 13 GiB partition is nowhere near full after years of use. I have suggested to them to set old logs to auto-delete after 7 days.
This is being sent to you for whatever it may be worth, and in case you could suggest a remedy. MD5s cannot be checked, as the user stays away from me and is not tech savvy.
I also understand the frustration that you and your team face with these pranksters, probably jealous of Linux and Mint.
Wishing you the best.
Also:
for any more information as and when needed, please mail; it will take a week or so to reply as I travel to areas without net access.