Beware of hacked ISOs if you downloaded Linux Mint on February 20th!

I’m sorry I have to come with bad news.

We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

Does this affect you?

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

How to check if your ISO is compromised?

If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

The valid signatures are below:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

Once in the live session, if there is a file in /var/lib/, then this is an infected ISO.

What to do if you are affected?

Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.

If you installed this ISO on a computer:

  • Put the computer offline.
  • Backup your personal data, if any.
  • Reinstall the OS or format the partition.
  • Change your passwords for sensitive websites (for your email in particular).

Is everything back to normal now?

Not yet. We took the server down while we’re fixing the issue.

Who did that?

The hacked ISOs are hosted on and the backdoor connects to

Both lead to Sofia, Bulgaria, and the name of 3 people over there. We don’t know their roles in this, but if we ask for an investigation, this is where it will start.

What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.

If you’ve been affected by this, please do let us know.


  1. Are there lots of server problems lately or are you just being more transparent about them?

    Edit by Clem: We’ve always been transparent. It’s something we owe people to a certain extent, and it’s also easier to just say things the way they are. That’s how I was brought up anyway, so that’s how it is. Regarding servers, there are more and more servers all the time, yes. The only attacks we suffered in the past were DDOS though, this is new. It’s also important we communicate about this attack because we’re not talking about downtime or inconvenience here, this is a call to action. We need people who are affected by this, to understand that they are, so they don’t get hurt or used going forward.

  2. If you have any doubt or any question, please don’t hesitate to ask. I tried to stick to the most important information, but I understand how unsettling this can be. I’ll be happy to answer as many questions as I can.

  3. Dumb question but were any of the repositories affected? I did an upgrade today and was surprised that firmware upgraded to Linux 3.19.0-32-generic #37~14.04.1-Ubuntu

    Edit by Clem: No.

  4. Were downloads via Torrent also affevted, or is Torrent more difficult to compromise?

    Edit by Clem: No they weren’t.

  5. Heyo, it seems like the download pages still point to the hacked ISOs.
    Honestly, the only reason why I noticed is because I was downloading the ISOs in bulk using wget, I saw a strange IP address and the fact that it was a PHP file.

    Anyway, are the download pages going to be fixed anytime soon? I want to burn a CD for an old family friend… He got scammed by the “windows tech support” scammers and I want to show him the joys of Linux Mint!

    Edit by Clem: Thanks for reporting this, this is a second attack so it means we’re still vulnerable. I’m shutting the server down right now.

  6. I’ll ask this question, without knowing the intrinsic details, or any specific details other than what has been posted above; did the breach have anything to do with the fact that you’re running WordPress?

    Best wishes and thanks for the heads up.


    Edit by Clem: Yes, the breach was made via wordpress. From there they got a www-data shell.

  7. Was there a time stamp upon this file you mention as to when it was created on the server. Hopefully there was sufficient info on the intrusion of the server and to which version of Cinnamon weather it was a 32bit or 64bit version affected or both ?


    Edit by Clem: Yes, it was from today. 64-bit definitely, 32-bit didn’t show links but was found on the Bulgarian server, so it looks like they were preparing to compromise this one as well later on.

  8. I’ve just been trying to install a fresh version of Linux Mint on a new machine from this corrupted ISO for the last couple of hours. I thought something was weird when I was unable to connect to the internet after installing, yet I was able to reach my router. I’d stupidly not checked the MD5 checksum before using the ISO. Has anyone/is anyone going to be looking into the ‘functional’ difference between the genuine and hacked versions? I’d be interested to know what/if any of my data or keyboard input has been stolen from me.

    Thank you for letting us know about this.

    Edit by Clem: Yes, it’s Mint with tsunami running on it. Here’s some info on it

  9. So, it is only Cinnamon versions, correct? I just installed linuxmint-17.3-xfce-64bit today and I am a bit concerned after reading this blog.

    Edit by Clem: Check the MD5 to be safe, but yes, it’s Cinnamon.

  10. Hi Clem. Thanks for being straightforward and quick to let us know. I guess being targeted is the price you have to pay for making the most popular Linux distro. 😀 Thankfully I haven’t downloaded anything within the last few days.

    Considering that this might happen again, have you guys considered some sort of way (besides md5sums) that we can verify the ISOs come from you? Maybe something like GPG?
    That way if the server was hacked, the isos were replaced, and the publicly listed .iso md5sums were changed, the isos would still have incorrect gpg signatures.

    Assuming you did start signing the releases and posting a link on the Linux Mint main page to the public Mint gpg key, an attacker could still replace the isos with malicious ones and replace the key link with one that links to his own. To combat this, some of us in the community and on the forums who use gpg (I know of several besides myself) could sign the Mint gpg key with our own keys. That way more trust could be put in the Mint key. I mean, even I could easily create a gpg key that claims to be from Clement Lefebvre, but it would be much harder for me or an actual attacker to then sign that key with the keys of several other members of the community.

    Just an idea but thought you might be interested. 🙂 I’m sure whatever you guys end up doing will be great!

    Also, do you think you could make an announcement on the forums/link this one there?

    Edit by Clem: What really helps here is duplication and the community. We were alerted very fast and we were able to be alerted because people could find contradicting MD5s (and that’s mostly because the MD5s aren’t just in one place, but in many). Another thing which is going to help is to buy more servers and separate services even more. That way, if somebody hacks say wordpress, there’s only wordpress on that server and nothing else.

  11. Doesn’t do much good to post hashes on a site that’s not served over TLS.

    When will * go https only?

    Edit by Clem: It’s planned and I’m hoping it’ll happen soon. Please note that this wouldn’t have helped here though. You’d be served the exact same hacked information via HTTPs.

  12. Hi Clem, did this happen because there’s no HTTPS protection on mint website?

    Edit by Clem: No. We need HTTPs to protect communication (mostly on your side, and against local or middle attacks). Here we have an intrusion, so it has nothing to do with the protocol. The hackers used wordpress to get in.

  13. Hi, I downloaded and installed LinuxMint on Feb 18’th using a link from the official website, I should be ok, right?


    Edit by Clem: Yes. Check the signature just out of precaution.

  14. I really appreciate you keeping us posted. This was passed along to me by another friend whom knows I am devoted to Linux Mint. I was going to ask similarly if anyone had checked all the repositories, though I’ve not had anything seemingly affected.

    I am always thankful that you guys are not only working on the project, but that you are straight forward and proactive. Thank you guys for being diligent enough to see it, and transparent enough to let us know just in case. Keep us updated.

    Though I will ask why you are not pursuing action now, and only waiting to see if they try this again? Have you let authorities know and sent them the information?

    Edit by Clem: It’s 3am here for us and 4am for them and the main concern is to clean up and get back to being safe and operational.

  15. WARNING: The download links are still redirecting to this bulgarian IP,


    Clem please disable downloads until you can gurantee user safety.

    Edit by Clem: We shut down the server until we find the source of the second intrusion (probably something left by the first).

  16. Please add HTTPS support to, whether it’s related or not to this hacking, this is really unacceptable in 2016

    Edit by Clem: It’s not, but we will.

  17. Just downloaded two copies of the 64 bit Cinnamon from the Oceania links for University of Canterbury and Xnet both are coming up with the same incorrect md5sum (7d590864618866c225ede058f1ba61f0) – So of course I have not installed. (Time NZST 15.50 Date 21 Feburary 2016)

    How long before we can get a trusted download here in NZ?

    Edit by Clem: That’s the MD5SUM of the hacked ISO alright. The server was taken down until we know it’s safe again. I’m sorry I can’t give you an ETA.

  18. Looks Like I was a lucky one….
    Decided to set up an old laptop yesterday.
    Had version 15 of mint could/would not update,
    Downloaded the ISO, rufused to a USB and installed….

    Interesting times.

  19. I’m a Gentoo user mainly, but was trying to find out why the mint site wasn’t working and ended up here (have a new netbook with a 32gb SSD – not enough free space for Windows 10 to update, even with a 8gb micro)

    Just want to say top marks to Clem for personally responding to nearly every post. That is the mark of a legend.

  20. Mint was (and still is) something like a sanctuary for me and probably for many. It is where I feel warm and safe and strong and alive. I absolutely hate the fact that someone took advantage of this clean and wonderful world of Linux Mint and I personally offer anything that is in my power to help it get back to all of us.

  21. Thanks Clem for taking quick action and being so upfront about this.

    I would like to call to everybody reading this to spread the warning to others they might know using Mint in case they haven’t seen this post. I am afraid many people who use Mint don’t read the blog here, so they might not be aware of the danger.

    If you have access to some linux-related blog, rss feed, etc, then pls share this so it can get to the people who might have downloaded the hacked isos during this sad day…

  22. thanks, I checked it out, I still have the USB, the ISO is gone

    Once in the live session, if there is a file in /var/lib/, then this is an infected ISO.

    I only found a man.db, I hope it’s ok (I am a total noob, it’s my first linux after 15 years of windows lol)

  23. “Edit by Clem: Yes, the breach was made via wordpress. From there they got a www-data shell.”

    “Edit by Clem:Another thing which is going to help is to buy more servers and separate services even more. That way, if somebody hacks say wordpress, there’s only wordpress on that server and nothing else.”


    (cr)acker exploits and gains shell by webserver user (which is www-data as reported)
    looks at wp-config.php, uses the username and password in the file to gain a mysql shell (which is fine since mysql is bound to localhost usually the cracker is the www-data user)
    Probably a search made for post wanted (download links) edited from there..

    The only things I can suggest are:
    – Ensure the webserver user’s shell is /bin/false or /bin/nologin (and not /bin/sh or /bin/bash)
    – Spend some quality time on planning separation of privilege for software. webserver user should have write access to as little as possible (just wp-content in wordpress))
    – Ensure incremental, automated backups are make that are not accessible to the webserver user
    – Usage of chroot jails to really separate stuff.

    Sorry this happened! The people who did this were clearly not on a thrill ride – they wanted backdoored LM installs out there. Scary

  24. I updated from 17.2 to 17.3 via the software update link today via the update manager (didn’t do a clean install from an ISO or USB). Were those affected too?

  25. If you want to make things better I’d at least do the following:

    1) Completely rebuild everything and verify nobody made any changes to the code (I assume you’re using a vcs like Git so that should be easy)

    2) Rebuild everything on a development machine and move the ISO downloads to a separate server only serving static files (no PHP or MySQL).

    3) Make sure your developers are using secure passwords generated by something like KeepassX

    4) Ensure it’s using TLS with HSTS enabled (very important because it makes sure everyone is using TLS). Also disable outdated ciphers like RC4, etc. Here’s some help

    5) Provide magnet links or GPG signatures for downloads over https.

  26. Argh. I just had a minor panic attack after checking the MD5 of an ISO I downloaded Tuesday (e71a2aad8b58605e906dbea444dc4983)(I figured it was possible that they did an earlier attack that was missed, so I might as well check the ISO to be safe) and saw it matched the one listed above. I panicked, started to tell you I had a bad ISO, then re-read the post and realized it was the MD5 of a clean ISO. I need to get some sleep.

    But I’m saying this because I think you should make the post a bit more clear that the listed MD5s are the SAFE ones.

  27. Time to retaliate and send shit back… Lets work guys, I know youre here, reading..

    Back on topic: Clem, please, consider releasing a new website, but this time in pure html5 and let the forum and blog on a separate hosting, and dev/integratio/talk on another host. This will cost a little more but will be for the best interest of all.. The ISOs could be on the default server, the html5 one, or via the partners around the world.

  28. 😀 phew , thank goodness I downloaded via torrent, I just finished downloaded yesterday and this post really scared me

  29. Hi, hopefully the website is coming back soon. If you need some technical support, don’t hesitate to contact me! Maybe I can help you out with some Server or Hosting. Just get in contact with me.
    Best wishes

  30. I was literally downloading cinnamon tonite Feb 20 (app. 11-12 EST), Was going very slow and said 5 hours to go and while viewing in another firefox tab got a pop up that said clickjack attempt. The iso was only half downloaded. In a panic I closed all tabs.
    I think its unusual that there was a supposed clickjack attempt while downloading the iso. Its only the second time I EVER saw that.
    Please check what you have and your site’s carefully. Im wondering if I was possibly infected by an incomplete download because that is a real “coincidence”.
    (Just by clicking the link? is that possible?)
    Also please update us detailed ASAP

  31. Clem, I see this blog is currently running WordPress 4.4.2, the latest version. Was the blog running this version when it got exploited or was it an older version that hadn’t been updated to 4.4.2 yet? Did you update to 4.4.2 after the exploit happened? Or could the exploit have been caused by a vulnerable extension/addon/theme/etc? Whatever you find out, report it to whoever can patch it.

    Thank you for transparently reporting this info. Honestly, a lot of organizations that encounter situations like this would prefer nothing more than to hide it all, deny it ever happened, or downplay and obscure the seriousness of the damage. Public relations can be a sick game of deceit sometimes. Thank you for your honesty and openness.

    Edit by Clem: I’m answering this on Feb 24th and we have more info. It was a brand new version of WP with no plugins but using a theme called Sydney. That said, there were already PHP backdoors on the forums and we think we had lax file permissions too.

  32. I second the recommendation to sign all ISOs with GPG and host the gpg sigs and key(s) via HTTPS. They are after all really small files and are very important! For checksums I’d switch to using both sha512 and whirlpool.

  33. I just wanted to say that for all of those requesting that should have https:// , that would do absolutely nothing to prevent all attacks and would be no guarantee that any information (such as hashes) that is put on the site is legit.

    All that does is encrypt the data between the server and the viewer.

    It does prevent that data from being sniffed, however if a site is compromised and false information (such as fake hashes) posted, then having https:// isn’t going to make a difference.

    On the flip side however:

    1. The site really should have https:// enabled, as it can help to encrypt data between servers and those with administrative access to help decrease the chance of MITM attacks and sniffing. Having no SSL or mixed SSL usage on a site is a recipe for disaster.

    2. The fact that is even accessible when I checked is REALLY disturbing and probably the BIGGEST security risk. It’s not that hard to move this to another location. There are even plugins specifically designed to do this.

    3. The even if moving the login page, it should only allow requests to administrative areas specifically for those that should have access to these areas. It is not hard to have a modified .htaccess file that denies access to administrative areas for preset IP addresses. If you need to gain access from a location not in the list, modification of the .htaccess to add a temporary IP via SSH is easy.

    Just a few ideas…

  34. While you’re moderating maybe make that link ‘not clickable’ so no one accidentally clicks it…IDK

  35. Sorry to hear you guys got hacked. Thanks for being upfront & honest about what happened.

    WordPress does seem to have quite a history for these sorts of incidents. Are there any plans to move away from it? Perhaps in time? Would more manpower/resource for the website help? Maybe get someone from the community to do it?

    I wouldn’t mind having a crack at it as a volunteer, if your team is interested. Mint’s done a lot for me, so it’d be nice to give back in some way.

  36. I downloaded and installed 17.3 with Xfce 2 days ago, but have already removed the ISO. I understand your claim that only the Cinnamon version was hacked, but would still feel much safer if I can run some checks to confirm my installation is virus-free. Is there any other way to do this?

  37. As mentioned, only the links to the ISOs are compromised. It was also mentioned on the comments that repositories we’re not compromised.

    But, is there a way to check if our machine is infected or not, with this backdoor?

    I do update as soon as there’s an update available. And I just did a kernel upgrade before this was posted. I wonder if there’s a way for me to check if my system is clean from this kind of backdoor/infection.


  38. Sorry to ask, but yesterday i’ve downloaded LMDE2 via torrent. I’m checking the md5 sum anyway, just in case, but i can’t compare it since the site is down…the terminal says:” 55d22b55687770f7e60013ccf1575baf lmde-2-201503-mate-32bit.iso”. Is that right?

  39. This underscores a serious problem with Linux Mint’s release integrity.

    MD5 is totally broken. It takes only an hour to generate a collision on regular hardware. If hackers placed backdoored ISOs on your servers that had valid MD5s, it would be hard to detect. I’m surprised they didn’t attempt a hash collision in this breach. You need to switch to secure hash functions like SHA256.

    Redundancy and community reporting of issues only go so far. You also need a secure way to prove the hashes are authentic. If hackers changed the hashes listed on your server to hashes of the backdoored ISOs, this would also make it hard to detect the breach. For example, this very WordPress blog post could be hacked and the hashes listed above as “valid” could be changed and none of us would know. Get a PGP key and start signing either the hashes or the ISOs themselves. Every other serious distro does this, and it’s so easy there is no excuse for not doing it.

    This should never happen again.

  40. Do you think this could have been a false flag attack by the NSA and/or FBI in connection with the Kennedy assassination?

  41. I hope that md5sums and sha256sums could be put on 3rd party external server. maybe git repository.

    I do not think it’s secure to have the ISOs and the md5sums on the same server.

  42. I not have the DVD I burn the ISO so how can I check my installation?
    I installed i januari 5 so its maybe is Ok?

  43. Well, this is a damn shame and a bloody pain in the arse for you guys. I’m just double checking here. I presume that LMDE2 is unaffected by this intrusion. I hope for the sake of everyone, you get it all cleared up soon – good luck.

  44. OK, fast reaction, good work. All we can do now is warn as many people as we can through as many channels possible.

    My ISOs were quite ‘old’, hence not affected.

  45. Have you considered releasing a version 17.4 so you can simply say 17.3 is bad and for users to re-download if they have an iso with that filename?

  46. How does this affect apt updates from mint domains? Is it possible for them to modify the signing key thus allowing malicious updates and downloads?

  47. @KenWeiLL If you haven’t downloaded an ISO recently and update as usual (through apt-get or update manager), you should not be affected by this. This is only concerning people, who downloaded and installed a linux mint ISO recently. (Please also read the past comments – especially #3 and #8)

  48. Hello
    I made a strange observation. A ping to absentvodka brings the following results

    PING ( 56 (84) bytes of data.
    64 bytes from localhost ( icmp_seq = 1 ttl = 64 time = 0.033 ms
    64 bytes from localhost ( icmp_seq = 2 ttl = 64 time = 0.051 ms
    64 bytes from localhost ( icmp_seq = 3 ttl = 64 time = 0.050 ms
    64 bytes from localhost ( icmp_seq = 4 ttl = 64 time = 0.051 ms
    ^ C
    — ping statistics —
    4 packets transmitted, 4 received, 0% packet loss, time 3000ms
    rtt min / avg / max / mdev = 0,033 / 0,046 / 0,051 / 0,009 ms

    My 17.3 installation is an upgrade version, so should not be affected.
    Does somebody has any idea?

  49. @clem I know you are prob. very busy cleaning up (or getting a bit of sleep), but when you have the time, information on the version of wordpress that lead to breach?

    No easy solution. It’s hard work. You could checksum all files in (relevant) packages and compare that with another machine with same versions of packages that is known to be clean, but where do you find that? I think you can assume for now that the repositories haven’t been compromised.

  50. What you really need to do is ditch wordpress for hosting downloads, move to a static website that doesn’t depend on any vulnerable plugins. Get HTTPs to ensure that the correct page is served to clients (costs nothing thanks to Let’s Encrypt) and sign the ISOs with GPG keys that are not stored on the server, and enforce verification (like Tails).

  51. I wondered why the site was down this morning. Thought it might have been more server trouble. Thanks Clem and the team for dealing with this so well and so quickly. It really makes me mad that some asshole would attack us like that.

  52. BTW. could you please add / fix https to your online services, so the readers are sure, that the MD5 checksums are valid?

    Edit by Clem: Yes, it’s coming. Please don’t trust a page just because it’s https though. That protects you from your local entourage, but it doesn’t protect you from a server being hacked.

  53. I know it is unrelated but maybe this is a warning sign that Mint should turn on level 4 and 5 updates in the updater..

  54. Wow this sucks.
    Glad you noticed this right away Clem, I installed awhile ago way before the 20th so I should be good and checked the var/lib folder seems clean but will double check things just be sure.
    Thanks for the very quick response, just good to see that and wanted to shout out a big thanks for the quick response.
    I’ll check back to see when things are cleared up before doing any updates just to be on the safe side.
    Don’t rush it, better to be clean and sure 🙂
    Good to be back home

  55. Pingback: PC Fórum
  56. You commented that they got in through WordPress. Not that supricing, WordPress never had a good securityrecord, but exactly what method did they use to get in? Was the fault on you because of outdated software, or on WordPress? Also, have you considered replacing WP with something with a better record like Drupal or maybe no cms at all to reduce the attacksurface?

  57. Ok I started downloading it via torrent, but now stopped it until things are correct.
    I am concerned about sites I maintain via wordpress hosting, however my servers are on 1and1 so I think 1and1 keeps them pretty safe and I have security plugins, but my wordpress have been hacked before also, but not since beefing up wordpress security, 1and1 is good in shutting down the site if it is under attack and alerting me.
    Do you have your own server or is it hosted, maybe you should go to hosting that has more security ? Idk, now I must check my wordpress sites.

    Yes linuxmint still down. Ok I will wait until you fix it.

    What about updates via my linux mint pcs are these effected, I noticed some posts about that .??

  58. What is the timeframe for this shutdown? Is there another way to download it (like a torrent or something)?

    I’m asking because trying out Linux was supposed to be my sunday activity this weekend

  59. What a scumbag thing to do to such a benevolent project. Appreciate you quickly making the right decision to inform the public, Clem. Mint has a great reputation for a good reason.

  60. by the way i notied when submitting my comment, you have wordpress on this blog below, not good for hackers.. also different table names instead of the default wp_ and not using admin as a username, and also once hacked recommend malware and virus scanning all files on the server, and if you are not sure, go way back until you know a file on the server was not compromised.
    I have over 100 sites I manage, this happened to several of them 2 times, until I had more beefed up security.
    do you use bulletproof security, ithemes security, wordfence and other plugins to protect ? I would also recommend googling for stronger wordpress security, I read these every month and continue to make my sites stronger
    this is a good one,
    if you need more advice you probably can see my email, i can recommend some things for you

  61. please use GPG and sign the releases from now on! checksums are good for download verification but GPG Signatures are the real deal!

  62. I hope from now on Clem and Linux Mint developers will take privacy and security a lot more seriously in terms of not just the website but more importantly the Mint OS as well as applying security and kernel updates.

    Security has to be moved to high on the development agenda and not just the basic implementations like it is now.

  63. Fred Barclay – I still have copies of those ISOs – How do you want me to get them to you?

    Clem – That’s OK I understand the problem and all the extra work that is involved.

  64. If your sentence starts with “I know it is unrelated but”… then is it really worth finishing?

    Clem, thank you for your vigilance, it’s appreciated. As for the crackers: may the fleas of a thousand camels infest these miscreants’ armpits and groin regions.

  65. Sorry I didn’t get it, the torrents were not affected and direct http version was not affected either. So what was actually affected?

    Edit by Clem: The website itself, i.e. the MD5 and the links pointing to the mirrors (they weren’t pointing to the mirrors but to the hacked ISO).

  66. That sucks so bad man! Total support for you Clem and the whole team . I am not using mint at the moment but i love it and i have used it for many years. As soon as everything is up and running again and i’ll make a donation to support you guys.

  67. Where we can download 17.3 Cinnamon now?
    Or when we will be able?

    I want to install it on my PC for some work, and I want to know when it is safe

  68. Yesterday I downloaded linuxmint-17.3-cinnamon-32bit.iso.
    According to the file properties it is from Sat 20 Feb 2016 09:48:42 PM CET

    Did md5sum it checks-out ok.
    Jumped the gun! :-S
    Website must have been compromised after that time

    Good luck with resolving the issue!

  69. Facebook is even offering the Hacker side of this issue in its “People Also Shared” list showing how to compromise the Mint ISO (the blog appeared to be from the Mint 15.x days).

  70. my MD5sum is ok.

    But please clarify:
    “Once in the live session, if there is a file in /var/lib/, then this is an infected ISO.”

    Is the live session directory /var/lib and the infected file

  71. Dear Linux Mint team,

    I´ve downloaded my ISO file on the 19th. Should I be affected by this unfortunate occurence, that happened to Linux Mint Website?

  72. Does this include all of the mirrors whom hosts Linux Mint downloads also? I get all of mine from the James Madison University site, because in my area, it’s the fastest.

    On the other hand, do have a couple of MInt 17 (no point release) & MInt 17.2, which is usable, yet don’t like, as it takes away much of cpufreq. The answer after I filed a bug, was to disable Intel_PState, and this would make Mint act as the older versions.

    Just scared to do something that may mess up my new CPU, the i7-4790K.


  73. I did download the ISO, and found the

    I installed it to a new partition next to win8 on my secondary laptop with a USB drive.

    However, I think I’m lucky because even though I did connect to the network, I was not able to access any websites due to the DNS service not working (due to a bug?) I was able to ping IP-s but not able to access any websites.

    So didn’t login anywhere on the net, and found this blog post while searching for a solution.

    Could you confirm that I’m safe this way?


    Edit by Clem: Afaik the backdoor couldn’t create the initial connection without DNS resolution (it tries a list of domain names), so you’re probably safe. Make sure you wipe that install and destroy that ISO though if it’s not already done.

  74. Maybe torrent is an option, as it is harder to hack. As long as the server is down, you cold publish the torrent files here on the blog so that people who need it can download the ISOs.

  75. bananabob: I’d like a copy of the backdoored iso as well, there seemed to be quite a big size difference between the legit and backdoored one that wasn’t explained by just that script. Unfortunately I could’ve grab a full copy from the attackers server before it got taken offline. Could you upload it to mega or torrent/etc somewhere where we can grab it?

  76. Be careful with attribution. The link with Bulgaria is far from obvious. First, the IP address is registered to an ISP in Belize, Verdina (the code BG – Bulgaria – is probably a mistake since it does not fit the city). The contact (Lyubomir Bambov) is mentioned with an address in Bulgaria but we all know Internet databases are purely declarative so the Verdina client could have say anything.

    Second, the domain does not have public data (hidden behind a proxy) so you cannot really tell.

    Third, this domain went (in january) to another IP address in Belize, (Verdina, again) but now goes to, not convenient for remote access.

  77. Could you please detail the way your website was hacked?

    I think this would help other admins alot from not experiencing the same situation.

  78. Please don’t use md5 for this kind of integrity check anymore. It’s possible for an attacker to craft a modified ISO with the same checksum as the original.

    Do use SHA2-based sums.

  79. On a dutch tech-site I’m reading about the forum also beïng hacked. Is this true and do we need to change our passwords?

  80. Dear Clem,

    Thank you for your great work on this Linux distribution and for informing the community right away. You have my sympathy, I would not want to have to go through what you are going through right now.

    I have a few questions though. First, why don’t you immediately involve the authorities? It seems the right thing to do; You have been attacked and a potentially large amount of users could have been affected.

    Second, I politely suggest you to read .

    Third, could you link the shasums you provided in the comments more prominently in the post itself? (Also, the mirror server you linked supports HTTPS.)

    Fourth, however, I know that this is not your first priority currently, have you looked into letsencrypt? That should be a safe and quick way to get HTTPS running on the linux mint websites.

    Best regards,

  81. Clem, regarding:

    ‘As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.’

    I’m afraid this is not right. Friday the 20th I downloaded 3 iso’s.

    At first a 17.3 64bit XFCE via torrent. Checked the MD5sum: faulty result. Deleted the download.
    Secondly tried a direct download for again 17.3 64bit XFCE. Same problem, incorrect MD5sum – deleted.
    Couple of hours later I downloaded a 17.3 64bit Cinnamon, directly from Heanet. After checking the MD5sum and getting bad result I deleted and gave up.

    I probably should have informed you guys (earlier), which I unfortunately didn’t. Sorry for that.

  82. Hello Clem, as a friend and promoter of Linux Mint, I am a bit surprised that in your reply to Fred Barclay’s Post (#11 ITT) you don’t react at all to his constructive suggestion of using PGP signatures for download verification, but instead fully ignore it and talk about the oh so great security of duplicated md5sums.

    Cryptographic signing with PGP is the global de facto standard for secure verification of digital data, which can’t be stressed enough.

    On the contrary, posting (known insecure) md5sums on the same (hacked) website (wordpress!) as the download link itself and not even providing secure https connections, is IMHO for the very least *grossly negligent* and hard to not interpret as a dead canary.

    I am well aware that 100% security is an illusion – and the closer we get, the harder they fight. But the tools to massively improve it are at our fingertips.

    Nevertheless thanks for this great distro!



  83. I tried to install Linux Mint 17.3 with a USB installer (pendrivelinux) on the 19th, but it gave an error with choosing a partition after which I gave up installing it. I tried to redownload it on the 20th, however again the same error occured, after which I gave up again and today read this. So I did start up Mint 17.3 (using the USB stick) but when I wanted to install it on my computer the installer failed me. Should I really reset my entire windows OS for this or is there no damage done to me? Isn’t there any other way?

  84. Please do not refer to checksums as signatures, it’s misleading. If the user verifies the (real in meaning) signatures she can instantly know that bad things happened and keeps safe.

  85. Hey team,

    I would like to thank you for being open and transparent on this.

    This event should be an eye opener in general how important it is to keep the “our basement safe.

    Moreover, I would like to point out that you have reacted extremely fast. Such hacks generally run through undetected for months. Thank you for this!

    I know that you are passing a very shitty time for the moment, even more since you are doing all this work out of passion for FOSS. Please keep in mind that your are the victims here and not the wrongdoers.

    Please keep the process as transparent as possible and do not hesitate to ask security people for help.

    Good Luck!

  86. I’m new to linux, so I have some rather dumb questions. I downloaded the affected iso on my windows 10 pc. I wanted to install Linux Mint but I haven’t done anything with the iso so far (neither opened or burned). Is my windows 10 now contaminated as well?

    Edit by Clem: No, the ISO file itself isn’t dangerous. What’s dangerous is the backdoor that is run within the OS included in the ISO when and after it is installed.

  87. Clem, if you still want to use WordPress after this, please consider spending a little time doing some security hardening of your WordPress installation.
    The are several excellent plugins available that will assist in the process, such as iThemes Security. It may not be enough to keep a determined attacker out, but it will certainly improve your odds against random script kids and classic exploits.
    Better yet, compartmentalize: don’t put WordPress on the same system as anything important.

  88. Maybe you should look into the advertisements on your page too. Is a serious website or something else?

    Good luck

  89. I have installed the hacked version alongside a Windows partition – is it likely that data / credentials were read from the Windows partition?

  90. I’m curious if you have been able to narrow down exactly how the breach happened. I’m primarily interested if there was a wordpress core exploit, or if the attack was done through a vulnerable plugin.

  91. For any good , I downloaded the direct file mint cinnamon 17.3 64bit edition .I have checked md5sum via terminal and it matches exactly with the value given above .Thanks to the developers for telling the problems to the user as soon as founding the threat.

    Security and vulnerabilities can’t be compromised in this digital world.Take some measures and good luck for the recovery of our beautiful Os. Make the site up and be running soon.

    Thank you once again Developers.

  92. you’re doing a valiant job Clem and co., and your upfront honesty is refreshing, as indeed is your vigilance in responding quickly to this. You deserve a cold beer at the end of the day.

  93. ” Ken Says:
    February 21st, 2016 at 10:43 am

    my MD5sum is ok.

    But please clarify:
    “Once in the live session, if there is a file in /var/lib/, then this is an infected ISO.”

    Is the live session directory /var/lib and the infected file”

    Would be very interesting. I got it in the same way.

    In my case, I haven’t stored the image file, but installed Linux Mint. That means, if there is no file called “” my system is clean, right ?

    Thx, Andy

  94. Thank you for your segnalation and your control. I like this attention, I do not trust those who claim to never have problems.

    Best regards. Eros.

  95. Bad news here… One noob question: if the website is compromised, can’t they modify the ISO files AND the MD5 signature ?
    Additionally, you should change md5 to sh256 or better gpg signature with public keys on an independent website.

  96. Yes, I downloaded it from the Kent Uni site. It’s on a USB and I haven’t been able to boot into it for some reason (options are USB hard drive, USB superdrive). Just done a checksum check and they don’t match, so will download again.

    Trying to breath new life into an HP 8510w.


  97. I hope you are able to figure out the issues. Mint is my favorite distribution. I guess since people are hacking Mint, you are now considered popular!

  98. so did you bother to track the back door? where does the rabbit hole lead?

    Edit by Clem: The fake ISO in Sofia, the OS backdoor in Sofia also, the guy accessing our server via the second backdoor from Russia, but when you look at a hole and see somebody looking at you, you need to figure out who knows more than the other, and if we’re reacting to their actions it was pretty clear we had to take everything down. The hacker from Russia (could be a VPN of course) even DDOSed my personal IP to prevent me from taking the site down. He also took down part of his set up since.

  99. I DID download and install Linux 32bit Cinnamon yesterday, Feb 20th from a German server. The md5 checksum was valid. However, there was an error message during install that caught my attention:

    “EDID checksum is invalid reminder is 45” (or so)

    I downloaded, burnt and installed twice, I got the same error message each time. Might not have anything to do with the Bulgarians, but I still wanted to let You know.

    I’m new to Linux Mint, and boy is this exciting. I just wanted to create an account on to post this, but had to post here instead.

    Of course I am wondering if my iso is corrupted, but I’ll probably reinstall either way.

    Edit by Clem: Hi, it’s not related. The MD5 sum of the hacked ISO would not match.

  100. What evidence have you got that the attack was via WordPress? If it’s something in core (extremely unlikely), then you should report it responsibly.

    More likely it’s from a poorly coded plugin or theme, which should also be reported responsibly to the author concerned. Or, it’s due to lax file permissions or other server mis-configuration.

    Either way, accusing WordPress (core) without any further details is detrimental to all.

    Edit by Clem: We found an uploaded php backdoor in the theme directory of a wordpress installation, which was 1 day old and had no plugins running. The theme was new but most importantly I think we had lax file permissions on this. This was only set up hours before the attack but we were probably scanned for something like this for a while. Anyhow, we don’t know yet how it was uploaded but we know it happened there, and I’m certainly not pointing the finger at anybody. People just asked if we were running wordpress or if wordpress was used in the attack and I answered yes.

  101. (sorry, bad english)

    Why only the links to the ISOs are changed and not also the displayed MD5 numbers?

    Edit by Clem: They could change anything in the database, so both md5s and links to mirrors.

  102. @plata : might come to have a need for encrypted ISO’s, not just checksums…

    Hope these guys didn’t hack he update-servers as well. Guess I’ll have to suspend update-checking for a few days.

  103. Hi,
    First of all – thanks for managing this incident so well. Looks like an paid attack. What kind of hacker could have the motivation to hurt Linux in general? Linux is the number one OS for hackers. I would suggest you install some kind of a guardian-service that shields your downloads completely from the rest of your web-presence. Only allowing access through a “manager” that sits within an virtual network that only can be accessed from within the virtual network, implementing a background-check for the downloaded files and issuing some kind of download-tickets. Another service could check the extracted ISO files (something similar to RKhunter) each hour for file changes.

    Edit by Clem: We’ve a bit more information about it now and we think it’s a single individual with no funding behind the attack. We’ll pass the relay to a security firm now.

  104. Are you sure it was the 20th? I have 2 different hashes of 17.3 cinnamon ISOs that I downloaded 19th morning. I didnt check hash until today.

    Edit by Clem: What hashes do you have?

  105. Clem, are you aware of this? (Found via Slashdot firehose)

    “Someone with the peace_of_mind username was selling the “ shell, php mailer, and full forum dump” for 0.1910 Bitcoin (~$85)”

    Edit by Clem: It’s very good. I disagree with the origin of the attack, we found the first backdoor and it was possible to access the forums database from there. The information about tsunami is very interesting (not that it’s the time for an evening read, we’re ultra busy as you can imagine but it’s important we understand as much as possible and this helps). Regarding the modus operandi I agree as well, we’d spend much more than $85 to stop that data but without trust nothing can happen. We’re getting ready to purchase 2 or 3 additional servers so we can split the services and we’ll probably also contract a security firm to look into the bottom of this for us, we’re software developers not intrusion experts. In the end it’s going to cost much more than $85.

  106. Dirk: See comment #3. Clem says the repositories (the update-servers) aren’t affected. So, no need to suspend updating.

  107. In some ways it might be good that this has happened. I’m a bit of a newbie to Mint and I like it a lot. However, I was, and still am, amazed at the attitude to basic security that is often seen on Mint forums.

    Every now and then someone posts into the forums asking why the GUI firewall controller (GUFW) isn’t installed and activated by default in new installs of Linux Mint. The response, and this is from people that are real gurus when it comes to Mint, is that this isn’t necessary – Linux is inherently secure. (This, more of often than not, is stated as a “relative to Windows” point of view.) This attitude, often expressed by experts, never ceases to amaze me.

    Installing and activating GUFW as part of a new install of Mint, as best as I can see, at the least enhances security a little bit and is certainly not detrimental to security – on that basis alone, I would take it as a better than good argument for installing and activating it at the time of install of Mint. By doing that one thing an additional layer of security would be added to Mint at the time of install. So why isn’t this done?

    I would suppose now that Mint developers will be hardening security for its own servers – all to the good. However, please don’t leave the end users out of this equation. If Mint can (now) see the point of hardening its own security why, oh why, can’t that same courtesy also be extended to the end user as a matter of routine.

    Install and activate GUFW at the time of a new install, it makes sense. And maybe, going forward, do some serious development on GUFW so that it is readily configurable by (relatively) naive users (like myself). GUFW could be greatly improved just by allowing or blocking of connections on a per-program/per-process basis.

    P.S. I do understand that on the surface this looks like I’m not actually suggesting anything that is related to the situation with compromised ISO’s. However, I would argue that it does – there is an attitude that exists in the Linux community that leads to lax opinions around the area of security. That attitude relates to both these issues and, I would say, really does need to be addressed. Now would be good time to address it.

    Hope this helps.

  108. I decided to give Linux a try yesterday and downloaded the mint 64 bit. I verified the signature and it seems I have a hacked copy 🙁 I hope my personal informatiom wasn’t compromised.

    Edit by Clem: Afaik downloading it isn’t dangerous. The backdoor opens when you run it or after you install it.

  109. Would have compromised any my other computers on my network? Or only the one that I installed it on?

    Edit by Clem: By itself it only creates a backdoor. But from that backdoor, the hacker can issue commands run by your computer so it’s hard to know what he might do, how much efforts he might put into hacking you specifically etc. If a computer was hacked on your network, check what that computer is able to do on other computers on the network.

  110. Hey Clem, as a Drupal site administrator I feel your pain. Thanks for the transparency.

    Have you considered using a static site generator such as Hugo ( or a similar tool? They are very easy to use and have some fantastic site templates. The advantage is that all of the CMS features happen on your desktop computer, and all you have to do is rsync a bunch of automatically generated HTML and CSS files to your server. Practically impossible to exploit that.

    Edit by Clem: That sounds cool, we’ll still need dynamic server pages for the forums of course but we can look into that at some stage.

  111. I remember clem saying in a discussion about security on IRC that you will lock your door but not secure it against someone who fires an RPG at it. Maybe the real lesson out of this will be that Linux Mint has become important enough to fire RPGs after all.

  112. Hi,
    you should make a redirection from to this post, so everybody can see what happened.

    At the moment I got an error of an unreachable website.

  113. Did the hackers also have access to password data? Even if it was hashed you probably should warn users.

    Edit by Clem: Yes, I made a separate post for this after it was confirmed as it affects different people than the hacked ISOs.

  114. Thank you for responding to this security issue.

    Here are some suggestions to improve security, which can hopefully be included in the next LTS.

    -always show security updates and mark them as trusted;optionally let them install automatically
    -remove flash from the list of default packages

  115. Please clarify if the ( a file or folder.
    The only available in my live ISO is (man-db) but no (

    Edit by Clem: It’s a file, it’s the source code for the backdoor.

  116. #11 is right: having a hashes file signed is the way to go, as long as the signing key is trustable (meaning, signed by well-known keys in the community).

    In this attack, hashes weren’t affected but if they were, it could’ve been a lot harder to detect!

    Also, consider using other hash algo rather than MD5, which has been deprecated for years… SHA256 is the minimum standard, and the change affects nothing. Even cellphones can quickly calculate a 2GB SHA256 hash in 1 minute or less.

    Of course multiplication and decentralization works, as Clem says, but having an extra check doesn’t hurt at all…

    Cheers and kudos for addressing this quickly, I’m sure many of you didn’t sleep last night, and many other might have been awakened w/ an urgent bad news… thx to you, guys!

  117. Can´t you use MintUpdate to push an update to infected computers that removes the backdoor?

    Edit by Clem: We’re still looking into that backdoor. We’ve got the code for it, we know what it does, we think it portrays itself as being apt-cache and we don’t know everything about it just yet. It’s important we do before messing with it remotely.

  118. @Radish

    Adding a FW does not help if you need to interact with a box through network protocol like http AND the software (wordpress) has a breach.

    However enabling a firewall is a smart move in case you run software that isnt suppose to be exposed (outside your box or LAN), and I prefer to let ’em hang when I drop the packets (pun intended).

  119. No housewifes (read newbies for whom Linux Mint is friendly) never watched and never will neither MD5 nor SHA*. It should be clear to those who just wants to say something about security. Eeepic fail was inevitable.

  120. Hi guys,

    I’m sorry to hear about the issues you’re having now. The Mint project has been a great way of getting people onto Linux and I’m sure it’ll keep being that way.

    I’m not sure if you’ve heard but is a good way of getting https setup with free ssl certificates. (Brought together by our friends at the Linux Foundation.)

    Also it might be worth having a static page in place of the main linuxmint page with a message. Startup a free instance of AWS to put the page on.


  121. Is there a way to check if my installed Mint is compromised? I no longer have ISO to check MD5, I downloaded it on Friday around 21:00 CET.

    Edit by Clem: If you see a file in /var/lib/ then it’s definitely not right and you need to wipe the OS. If the file is not there, then it’s VERY likely to be OK but we can’t rule out the possibility of the hacker using the backdoor to remove that file. To be honest, considering it’s been just one day and even though it might sound like an excessive precaution, why take a risk? I’d recommend you wipe it.

  122. Any chance updating current clean installs can get infected?

    Edit by Clem: It’s not easy to be or sound confident after you got hacked. That said, we didn’t find any trace of hacks affecting the repositories.

  123. I just made a contact with the owner of the network (pointing to this article) and he told me that he will see what is the case and will take measures.

  124. Could you give a detailed description on how they managed to get in via WordPress?. I’m curious whether it is a 0-day exploit due to bug in WordPress core or whether it was caused by plugins that you’re running. If it’s due to core WordPress bug then every WordPress websites out there is in serious problem.

    Edit by Clem: No plugins, latest WP, but a custom theme and lax file permissions for a few hours. The security experts will probably find the exact cause. At the moment there’s no indication it’s related to WP core (we’d probably see a lot more sites being hacked right now, this seems to be targeted specifically at us).

  125. Hello, Clem!
    I’ve downloaded and installed Mint x64 alongside Windows7 on the 20th Feb, but couldn’t get access to the internet that day, after what I decided to reinstall Mint x32. And today I’ve found that there was a hack of the server. I’ve checked both ISOs and it turned out that they are poisoned. Here is the question: is it enough to remove only Mint from my PC or it is better to remove Win7 too? Thanks.

  126. – here is our quick conversation … if someone needs translation – I’ll provide it

    Edit by Clem: Please do, he’s one of the 3 people on our list, it would be nice to rule him out and if his server got hacked as well he should be able to provide extra information about the attacker.

  127. Hi,

    took this, while the MD5 ist not correct!
    It is from 13.02.2016
    I have got: 117ebb18ed163fe5488a8b5de8c958c2 as MD5

    The other one is OK
    linuxmint-17.3-cinnamon-64bit.iso (16.01.2016)

    Got 2 verifier Programs therefore.

  128. The good thing is that if Linux Mint was hacked, it means they admit Mint Popularity among Linux users. Linux Mint staff should be proud after all.

  129. MD5 is not secure, a home computer can make files colliding MD5 sums.

    please use SHA256 instead.

    Edit by Clem: I know. We use both, we’ll probably default to showing sha256 for upcoming releases. Note that in this attack, the fake ISO fails to match with all sums, including MD5.

  130. Hi, Clem-
    I updated my linux mint rosa last night from my windows pc, didn’t go to a website. I’m a noob, and not sure how to check the iso steps listed. What I found was initrd.img 3.19.0-32-generic Gzip archive dated 2-20-16, seems to be my update.
    Am I ok?
    As a tech support agent for a mobile carrier, I understand how exhausted you must be from troubleshooting the intrusion. Hope you have beer, and are able to get some sleep.

    Best wishes!

    Edit by Clem: Yes. This is one of these rare moments when sleep sounds better than beer.

  131. @bananabob Something like dropbox would probably be a good idea (unless you have a server I could wget the iso from).

    Would you like to discuss this over IRC? That way we don’t clutter the comment section and also (if we use private messaging) not as much info would be publicly visible. 🙂

  132. Hi,

    i have downlaoded the linuxmint-17.3-cinnamon-64bit.iso on the 9th of February and the Hash does not match either?! oO

    Edit by Clem: It could be a bad download too. You can make sure by running it in a virtual machine and checking to see if /var/lib/ is present or not.

  133. regarding post 79 from me:

    i do also not have the folder /var/lib/ after booting from the image?? I thought the folder should b there but no file in it?

  134. If I don’t have the ISO with me anymore and I have installed on my machine. Is there anyone for me to check? Will the file still located at /var/lib?

  135. REALLY ??

    If you installed this ISO on a computer:

    Put the computer offline.
    Backup your personal data, if any.
    Reinstall the OS or format the partition.
    Change your passwords for sensitive websites (for your email in particular).

    er…you might want to format all your partitions,
    and consider what else on your lan might have been compromised.
    ….Not exactly setting a good example and inspiring trust are we?

  136. #75 – Here it is:
    Me: “Man, look what is discussing here:
    The address from where the attack is coming is within network, which has you enlisted as owner. And because I believe that isn’t you, I’m asking you to see what exactly is happening.”
    He: “Hello, thank you I’ll take a look and will take measures”
    Me: “Thank you”
    He: “I thank [you] for the signal”
    Me: “:)”

    Edit by Clem: Thanks.

  137. ty for the blog, i had no idea linuxmint was attacked. im glad also that you provide torrents thou i only use mate 17.2 and 17.3. prior to this attack i was not able to download any torrents on for week or two. everyone should make the habit to check the md5 checksum. thats the way to go!!! viva mate!!!

  138. Interesting on Feb. 12 between 4:56pm C & 8pm Central, I attempted to dl ISO. Would not connect to let me DL, kept timing out. I ended up installing 17.2 from an old DVD. Upgraded to 17.3…point being; I wonder if they were messing around with servers before the 20th.

  139. Thanks for the transparency, it shows professionalism. Will support financially the project after the “crisis” has been solved (wouldn’t want to give money to the hackers :). Good luck Clem!

    Mint is by far my preferred OS ever!

  140. I d/led 64bit cinnamon on the 20th. Verified checksum. It would not install. The auto-login kept looping. If I tried mint/no password, login failed.

  141. Apologies if this has been asked already, but since Linux Mint website is currently offline, when can we download a clean copy of 17.3 in the meantime? Thanks 🙂

  142. Hi,

    are older isos completely safe, or should I wipe the system just out of precaution? I installed 17.3 Cinnamon on my girlfriends laptop like 3 weeks ago…

    I’ll take the opportunity to say that Linux Mint is really a superb distro, keep the good work!!


  143. Hi. Yesterday I installed Linux Mint KDE 17.3 (64 bit) version. Upgrading the system after the installation was successful. Do I have the upgrade yesterday could damage your own system? Today my system reports that no updates.

    If I now installed the system, whether these technologies upgrade and whether it is safe to do the upgrade until the problem is solved?

  144. wow just reading zdnet, they say forum was stolen also ( Quote=It’s thought the Linux distro’s website and forum was stolen in the breach.

    CSO’s Steve Ragan found an ad on a dark web site claiming to have a “full forum dump” of the site, with a going rate of about 0.19 bitcoin, or about $83 per download. (We were able to verify the listing exists, but could not speak to its authenticity.) Is this true????????

  145. Clem,

    Will you be getting an HTTPS cert now? Adding PGP and SHA1 signatures? Not using passwords of 6 letters containing the word “mint”? This is honestly extremely upsetting to me, as someone who loves Linux and recommends this distro to anyone who might want to give it a shot. I don’t think you should just go after these guys. I think you need to seriously reevaluate your security strategy here. Linux Mint is not a tiny indie project anymore. Another vulnerability at this scale would be devastating. Not only to mint, but to the greater Linux community.

    Thanks for listening,


  146. Are regularly performed system updates (i.e. no fresh installations) safe or are chances that they are compromised/hacked too?

    My last update of 17.3 “Rosa” (Cinnamon) was done on Friday, Feb. 19th.


  147. Well done on such an early discovery of the problem. I don’t envy you the cleanup job… I also downloaded 17.3 Cinnamon 64 bit on the 19th and had an infected side-by-side installation with Win7. I’ve now got to check other computers on my network.

    You might like to be informed that that the infection in the hacked Mint 17.3 also appeared to kill my Win7 network connections to local user requests. Seems too much of a coincidence on a previously good working installation….. so I may have a second OS to reinstall!

    Any thoughts on this?

  148. #76: A home computer can make two files with colliding MD5s. A giant supercomputer still can’t make a file with the same MD5 as an existing, published, known-safe file. Different attacks.

  149. I upgraded from 17.2 to 17.3 on the 20th using the Update Manager, any risks from that? It looks from the comments that the repositories weren’t affected, so I’m 95% sure I’m ok, but still…

  150. Clem – why was the site not protected by SSL/TLS certificates? is free and would have helped. Just seems like a very amateur mistake.

  151. linuxero:
    Arquivo corrompido com malware. Você pode salvá-lo para a ciência forense?
    Versões corrigidas foram postadas.
    (através do tradutor on-line)

  152. 1742 hrs right now. Linux Mint site still down.

    Had downloaded Linux Mint Cinnamon 32-bit (version 17.3) from Softpedia and ran MD5 linuxmint-17.3-cinnamon-32bit.iso (on a Macbook Pro – so not MD5sum).

    MD5 (linuxmint-17.3-cinnamon-32bit.iso) = 6e7f7e03500747c6c3bfece2c9c8394f

    Which matches the MD5sum stated by Clem. Upon finishing download however the ISO was moved straight to trash.

    Presume safe or perhaps “dodgy” until the Linux Mint site is back up and running?

  153. Hi guys..

    I made a download of the 17.3 mate version 3 days ago..
    Yesterday I made a download of LMDE2 mate too..

    When I make a refresh in mintupdate(LMDE 2), this are the links it connects..

    sudo lsof -ni{4,6}{udp,tcp}

    http 4901 root 3u IPv4 45665 0t0 TCP> (ESTABLISHED)
    http 4902 root 3u IPv4 45664 0t0 TCP> (ESTABLISHED)
    https 4903 root 5u IPv4 47140 0t0 TCP> (ESTABLISHED) (SYN_SENT)
    http 4905 root 3u IPv4 43631 0t0 TCP> (ESTABLISHED)
    http 4908 root 3u IPv4 47138 0t0 TCP> (ESTABLISHED)

    does any one see here any problem??

    Does the system clock is connected well?

    clock-app 3300 tuxd3v 15u IPv4 42955 0t0 TCP> (CLOSE_WAIT)

    that link to opera hapens with opera clodsed..don’t get it..

    Good Luck to All, and thanks to Clem, for sharing this with us.


  154. WordPress gets pwnt like this pretty often. Especially through theme functions lately. Ever think about developing your own website system, or building something static with no input for the download page?

  155. I tried to read through everything, only saw one mention of the man-db under /var/lib
    Checking for the man-cy, I do not have but I do have the man-db folder.
    New to linux here, found a distro that is pleasing, concerned about this hacked version.
    I had two events though that concerned me, on the 20th, navigate to and the site was blocking me, too many attempts or too many connections.
    Installed skype, was sending a file to my colleague and it indicated I was sending the file to two contacts, and further investigating this was showing to be the same contact waiting to receive, I figure this is a skype issue though.
    I have the ISO and install went fine, I am as I say new to linux and still have to learn how to do the MD5 check.
    Should I be concerned? ISO File date is from Feb 05-2016 so downloaded long before the 20th.
    REALLY liking this distro 🙂 thank you

  156. This in effect could kill the Mint project.

    Trust is a delicate thing and many will form the view that if the master ISO can’t even be protected then this is a bit sketchy of a project to base their entire system on.

    I’ve gone back to OS X sorry!

  157. Downloaded 17,3 KDE yesterday so I’m OK but just saying it’s a testament to the security of Linux that miscreants have to resort to such practices just to get a back door in! As for WordPress – seen way too many compromised sites to touch it with the proverbial barge pole. Maybe it *can* be locked down but it’s evidently something that too many users don’t consider important. Maybe getting hit in a matter of hours after installing is bad luck but it shows how careful you need to be when a compromised system can lead to such a problem as this!

  158. The cat is out of the bag, censoring comments wont help the cause, twitter and reddit are eating this alive, dig in and fix this, get to the root, you have worked to hard to let this happen, and we have been faithful to the quest. Good luck…

  159. I am running Linux Mint Debian Edition on 4 different computers and do all the updates as they come in do I have to worry? I use the Mate desktop.

  160. Surely someone in the Linux Mint Community has a html/php compiler you can use to compile the webpages which would make such hacking far more difficult in the future. Many modern websites have switched over to Haskell compiled webpages to prevent similar attacks on their websites.

    A page checksum test against the known index, page bytes and if those change alerts the administrator and restores the page by a archive might be useful to look into.

    Adding Sha256 hash sums and Https seems to be what people have been asking for here over many years now. Would Https had prevented the hackers gaming the html/php coding, breaking into the site, probably not but it might have helped prevent Linux Mint Community victims from traveling to the hackers non-Https website via a warning the hackers connection was not Https supported and given them pause on continuing over a unsafe connection.

  161. Given the circumstances, a mere “The valid signatures are below:” seems a bit short to be absolutely clear. Please add something like “If the md5 hash you have matches one of the values below, then you should be fine. If you don’t get a match, then your ISO file is compromised.”

    When you are done fixing the issues at hand, please don’t head back to “business as usual”. Take this incident as a reminder that this project has grown to the point that hackers start targeting Linux Mint. Re-evaluate server security accordingly.


  162. Hi,

    Thanks for informing the community so promptly, could I suggest the next steps…

    Rent another host, take the current host off-line and preserve as much evidence as possible. Contact the authorities, this is no time to play amateur detective.

  163. Hi Clem and everyone,

    I was just thinking, regarding the $85 thing above, Linux Mint has given my computers a whole new lease on life and saved my bacon when the upgrade from Ubuntu 10.x to 12.04 caused my quad-core to run like a snail, and I probably should have donated some money back by now (If I were working I would have already but anyway). I know now’s probably not the right time, but personally I’d be happy to put £10 or whatever in to help with this clean-up and I imagine that most of the people here probably would consider doing that so if it’s going to cost a lot and take money away from the normal development and running costs, maybe a little fundraiser would be in order.

    Thanks for all your relentless work, I imagine you all must be going through a pretty stressful time right now so it’s really appreciated that you’re doing all you can to make everything safe again.



  164. I have the same question:

    “If I don’t have the ISO with me anymore and I have installed on my machine. Is there anyone for me to check? Will the file still located at /var/lib?”

    Also, are there other symptoms, signs, or checks we can make on our currently installed Mint to further see if we are compromised?


  165. I downloaded Mint 17.3 a long time ago. Is there any other way to find out if I’m safe? I got worried now. I also got some upgrades I’ve never seen before. It said it was due to some changes I’ve done in some scripts. But I haven’t changed any scripts. But I answered ‘no’ for ‘standard’. But if the only infected version was 20th February, I’m probably safe, right? I’m all new to this, and chose Linux for safety. I’m planning to give a friend Linux Mint, so I hope I can do that now, when this is fixed!

  166. Hi Clem. Thanks for being open about this issue.

    If you need system hardening advice later, let me know personally by email. I’m the original author of rkhunter (malware) and Lynis (security scan). I also can offer you our security guidance to the Mint Linux distro, free of charge. A great option to give back to the distro and community.

    Good luck with the incident response and follow-up.

  167. Hey Clem, I have been using Mint for a very long time now and it is time that I support you in hopes of helping speed up the recovery/information gathering process of this situation here. I know you have links somewhere on your site for donating but with the site being down, I have no way to find that information. How can I donate to you / Mint?

  168. Finally getting serious and using Lastpass. Going to each site I have an account on and using Lastpass’ “Generate Secure Password” feature on each one to generate a random, unique password for each. Even I won’t know what each site’s password is. As for my master password, I made up a phrase and took the first letter of each word of that phrase to make the password. The master password won’t be used anywhere else.

  169. Also, what would be really good is a third-party (in the sense of being separate from the browser rather than unaffiliated) download program. Like if I get a link for a torrent in Firefox, I can open this with Transmission, what we’d want is a small file that opens in a downloading application that downloads the disk image from the location in the file and then downloads a signed checksum, decrypts the checksum and performs the hash, and then outputs the disk image to its intended destination, or renames it from a .part to whatever it should be.

  170. Ins’t it a good idea to sign the MD5 hash? What if an atacker changes the MD5 hash shown on the portal? And I think a lot of user dosn’t know how to check a signed txt or how to check their MD5 iso, probably show the users how to do this should be a good idea.

  171. If you’ve just downloaded the compromised ISO and burnt it to a CD/USB, can it still affect the host OS (Mint XFCE)?

  172. Was this a known, patched WordPress vulnerability that was ignored, or a 0-day? I think that’s pretty important to know

  173. Is is possible other versions are hacked with backdoors? We caught this but my main concern is other versions before Feb 20th.

    I love Mint but am nervous and feel like maybe switching to Ubuntu unless someone can explain why I should not be concerned. I am not trying to cause panic but looking for reassurance.

  174. I said it would happen, guys in the forums said no worries, not need for an antivirus (which would find and disable your infected system). Linux has been to laid back when it comes to protecting the end user. Tell people to use an antivirus and stop giving them false hope about how safe Linux is.

    As Linux of all flavours gets more popular, more hackers will write for it. Mint and Ubuntu are leading the way in making Linux as easy to operate as windows which means more users. More users attracts more hackers.

  175. Sorry, but now it is time for me to leave linuxmint. I do not feel safe anymore with your great distri. For now I am back to latest Kubuntu LTS.

  176. My quick two cents:

    – Please use SHA256 by default, even if the checksums mismatch with MD5 too.
    – Always publish the checksums on another media (pinned tweet for example) for cross validation.
    – As mentioned above, consider using PGP for signing. Pin your PGP key on another media (keybase).
    – It’s 2016 and Let’s Encrypt is now public. Takes 10min to set it up. No excuses.
    – Set proper CSP/XFO/XSSP/XCTO HTTP header.
    – Keep Apache updated. You are 4 versions late.
    – sudo chmod -R 400 on your webdir root. Exception: /wp-content/upload

    – Out of curiosity, would you please post a link to file.

    I can provide time and resources to help.

  177. I hope ya’ll get a better password for the site this time. “Clem’s Site” is obviously too easy to hack.

  178. Hi, Clem… I have never tried Mint release but after what has happened
    I definitely will. Right after your server is up and operational.
    This is the type of honesty and transparency that we need in a community. Ignore all those TROLLS, never know what their intentions are. Cheers…

  179. Not sure why are still using MD5 for hash as it’s been broken for years. SHA256 or even SHA512 should be used.

    I use a tool called GtkHash (available in package manager) to check the hash against the files and it’s very easy to use. It can even generate hash on several files at once in easy to read output.

    Glad this was caught early on but we should take a closer look on updating the security measure for the ISOs. I have noticed on is that it’s using older version of GnuPG to sign the hash text file. I know Clem have no direct control of that FTP website but suggestion should be made to have them upgrade to version 2 of GnuPG. I use GnuPG to encrypt or sign my e-mails which is a breeze to use via plug-ins in Thunderbird.

    Someone suggested encrypting the ISO. That is not the answer. We need better mechanism to protect the validity of the hash text files. GnuPG is the way to do that long as the PGP key is trusted and valid.

    I remember using ISO burner that automatically generates the hash before it burns to CD. But GtkHash offers alot more choices to which hash to generate.

    I know the package updater or apt-get are using PGP keys to verify the files before installing so it’s not an issue here. It will even warn you if there is a mismatch before installing.

    Hope to see the website back in action soon!

  180. Hello,

    I am sorry this happened, but to those who think that moving to another distribution is going to make you safer, I have to say that is totally madness. You cannot stop anyone from hacking a website or server or computer. You can however control the situation by keeping your personal information off your computer. Put it on a ext drive and disconnect the drive when not needed.

    I appauld the mint team for being up front, and I expect that people should hold that with respect because it shows character. But as usual there are those that want to make the situation worse by putting their 2cents in. It’s one thing to have valid resolutions to provide, but totally out of place to say that someone isn’t taking their security serious or imply that they are wantonly creating headaches for themselves and others.

    Please stop shooting from the hip and provide help to the mint team to send this to the proper authorities so this person can be caught. As far as WordPress is concerned, That peace of software is known to have serious code issues and downright horrible security. So doesn’t surprise me that anyone can hack their software.

    Clem I’m sure has learned what to do, and what not to do and will make changes accordingly. If it is easy for us to jump ship, Well that shows that character may be lacking even when it comes to one’s personal relationships with people.

  181. I just installed from an ISO I got several days ago, but when trying to configure my system, I’m trying to add a different search provider (Google) to my Firefox but it won’t let me. When I click “Add more search engines” I get an error page “Failed to connect”. Is this because your site is down? Is there another way to add Google as one of my search engines in Firefox?

  182. Bad Luck! Why I’ve had the Idea to remove Xubuntu and to download the new Linux-Mint version17-3 Rosa 64-bit Cinnamon exactly on February 20th! I’m not a Expert or Tweaker, but was convinced of the safety of the Linux-Mint site to Download Mint Rosa…
    It took some time before I’ve found te bad file in the /var/lib map. It stands alone and not under “man-db”. It is a textfile (probably WordPress as I read the notes from the experts here above.
    So I’ve downloaded the ISO, copied it on a DVD. I didn’t install Mint but wanted to view it without installing. There were several “wrong-messages”so I haven’t enjoyed it.
    This afternoon (EU-time)I’ve heard from the hack. I’ve removed my documents etc from the infected laptop and did an installation of Win7. A virus-scan showed nothing and I hope, that I’ve been on time to prevent big troubles thanx to your quick information.
    Two questions:
    1-Is there more I can do with the infected notebook?
    2-Does the infection attack my other hardware (PC, tablet smartphone)?
    Thanx for the speed of your information, Hope to receive a reaction!
    Kind Regards from NL.

  183. I can’t believe anyone is seriously still using MD5 digests in this day and age.

    You should be using GPG to _sign_ your ISO releases and code. Generate a 4096 bit signing key (or higher). If you care about quantum computers, more bits means they need more qubits to crack it so it buys you some time.

    Now publish your public key to a keyserver. Now get other people to sign your key. Now add your public key to,,, your twitter and your Wikipedia page. If people check the signatures and check the public key from all these blockchains and sites then that is orders of magnitude harder to subvert.

  184. I downloaded a linuxmint-17.3-cinnamon-64bit.iso around Jan 29th, but its md5sum 00e611ad8e0eda6d24244da684cef627 is different with the one you published. Is it a good one?

  185. Gonna put Mint on a laptop when it’s available again. Can’t wait to be able to donate $$, again, to the Minty cause. Bummer about the hack. Thank you for being open and reactive. I hope you get some sleep soon!

  186. I have to ask this, but will the Linux Mint team now re-consider their choice of web-app software for hosting the main site? wordpress and even phpbb to some extent are not renowned for being super robust and secure, from what i’ve heard over the years (And some experience working with it as an admin)

    If it were up to me personally, i would opt for plain old static HTML, with some php where it’s needed, but nothing that could open up flaws such as the ones which allowed this to happen. maybe keep forums and if you really have to, WordPress blogs on physically separate hosts with their own set of keys and passwords, so incidents like this are at least less serious.

  187. I’ll continue to use Mint, but I do hope the Mint team treat this as an opportunity to look for ways to try and improve security throughout their project. Mint always delivers an outstanding & well polished desktop that most any user can get to work with immediately; however, I do think a stronger emphasis on security would eliminate their one weakness. I certainly see Fedora and their work on SELinux as one of the bigger innovators in this space, & Mageia offers their MSEC tool the help users improve their system security quickly & easily. After Mint gets their website/download mirror issues fully under control I hope they start looking at such security tools & for other ways to improve security both for themselves & their websites, as well as for their users. I’m not sure which sorts of security tools would best fit the Mint desktop & their ease of use goals, but I would like to see the project better secured at both the end user desktop level & the up stream level where the project hosts forums, down servers, mirrors, etc. It is sadly a very rough world out there & there will always be security issues regardless of what OS or Linux distro you use.

    P.S. Thanks to Clem & the team for being open & honest about the problems & good luck to you in handling these issues. I do seem to remember something about one of the BSD projects being hit with similar issues as well, so it can easily happen to anyone. As long as this gets treated as both a crisis & an opportunity for improvement I think these problems will only cause Mint to be stronger in the long run.

  188. I had recently downloaded Linux Mint last week (I am not sure it was Friday). One thing I noticed when I installed it, when the OS started, I had a badge warning (bottom right) stating the APT cache was corrupted. Since I am a Linux newbie I did a search and from what I was supposed to do was to pick new repositories and update. This Mint that I downloaded would not let me change the repositories. I do not know if that means I downloaded the altered version. Needless to say, the processor burnt out on the laptop (it was a 6 year old laptop). i GIVE Mint CREDIT FOR AT LEAST POSTING ABOUT THE HACKED DOWNLOAD SITE. Thank You. I will get a new version and try on my other laptops.

  189. Bad that this happend, but hey it could be anyone/server/. hope you can fix it. (no doubt about that)

    will increase my donation this month and i hope everyone reading this should donate at least a small amount of money to help this great distro. becouse it will be become much greater.
    so guys if you love this distro donate a few bucks..

  190. I downloaded linux Mint 17.3 with Cinnamon on Friday, Feb 19, 2016 and the md5sum doesn’t match any of those listed above. Therefore, the hacked must have happened sooner.

  191. Clem, your point is good one that duplication and the community was an effective cross-check and instrumental in spotting the compromise quickly. But (and you knew there was a ‘but’, right?) the people on this thread suggesting improved gpg-signing of checksums also have a valid point.

    You said ‘You can find them at also along with signed sha256sums’ and ‘we’ll probably default to showing sha256 for upcoming releases’ — which is good news. However, please note that primary download pages such as have for a long time (and still) listed md5sums and gpg signatures of sha256sums, but not included gpg signatures of md5sums, and not included sha256sums. So, unless a member of the public thinks to also look on, he/she could not easily check gpg signatures at all.

    I would like to politely suggest that you good folks take a careful look at the published means of verifying authenticity, and make sure everything works even for half-clued outsiders, and that this include care to make sure signing keys are publicised and able to be vetted using the gpg chain of trust.

    Thank you for Linux Mint, and for your good work.

    Best Regards,
    Rick Moen

  192. Am I safe if I close ALL ports?
    I am writing this on the infected OS.

    Edit by Clem: First, make sure you’re offline and on an isolated machine (live session with no access to data or virtual machine). Unless you’re experimented I would suggest you ditch that install though.

  193. It sickens me to see this attack. I agree with Fred Barclay’s comments at (11) above and was always impressed with how handled their signings in a clear way. Their site explains very clearly how their own web of trust is set up and makes it more difficult for a site hack to compromise their ISOs.

    All the best for a quick recovery.

  194. Прошу прощения что не оставляю почту для комментария. Просто захотелось поддержать разработчиков! Желаю скорейшего поиска хакеров, и их наказания самым суровым образом! Таких козлов надо мочить в сортирах! Простите за излишние эмоции. Страх правда от мысли что вдруг как-то репозитории тоже взломали? А как быть владельцам Мате? Я например установил 16 февраля систему. Не мог ли быть прецедент того, что хакеры ещё раньше начали проводить своё зло, и в более ранних числах взломали сайт? Разработчикам быстрее восстановиться. А этим мерзким уродам руки вырвать надо. И в жопу засунуть!!!

  195. I see so many talking crap about linux because of this, and my comment to them is” How long do you think it would have taken Microsoft to find this back door, here it has been less than 20 hours and it is contained”. You don’t get that kind of response from microsoft.. Thanks guys and gals, and a thank you to Clem for having a place to go to to see whats happening. VIVA LA LINUXMINT!

  196. Why don’t you write a script to look for visitors coming from the same source IPs as those in the Feb 20 access logs that (may have) downloaded the infected ISO? You could present them with a warning/popup about having an infected install..

    The same IP or even same subnet for most dynamic IP users….

  197. As I stated above, I have a hacked version and I did install it on my computer (as a dual boot). However, I was never able to connect to the internet using Mint. Apparently, I had a connection, but I couldn’t actually load a web page. Is there any possibility that anything on my computer or any of the computers connected to my router was compromised?

  198. I installed several distros from late-20th to early-21st – including LMDE, both versions. In the end I installed plain Cinnamon 64-bit – however that iso was the only one I downloaded previously: last year! Phew!

    I noticed the LMDE installer screens proudly proclaiming that Mint is the 3rd most used operating system, behind Windows and Mac OSX. Sounds like a motive?

  199. Check mint mate x64 .ISO
    Admin password work with all (i hope all..), except “Finestra di accesso” (i think in english is logon screen) on Control Center menù!

  200. If you would like your WordPress install hardened to prevent this from happening again, please contact me. I’m one of the founders of CodeGuard. I use that tech plus a few other simple steps to make WordPress much tougher to penetrate. If you are non-profit I don’t charge.

  201. I have complete trust in the Mint Team. Nevertheless, it worries me that the things that are so obvious and so visible and so easy to track could be designed as a mis-direct to divert attention from other compromises. I know virtually nothing about the “hacking” world, but I do know that if I want to conceal something over here I need to get you looking over there.

  202. No the distro ist not perfect secure!
    The Linux Mint team philosophy says: Stability has preference over security, an this is unacceptable in any ways.
    Safety packages are even retained and hidden, just for flimsy stability reasons. Unacceptable.
    Security you will never to back, certainly not for user-friendliness.

    WordPress is the most vulnerable thing on earth, why use this insecure software? I can not understand this.

    MD5 Hashes? Really? Its 2016 and you use MD5. Use GPG always!

    You have a very large user base, Linux Mint in this position has to set an example
    Linux Mint plus the website really need a change.

  203. No the distro ist not perfect secure!
    The Linux Mint team philosophy says: Stability has preference over security, an this is unacceptable in any ways.
    Safety packages are even retained and hidden, just for flimsy stability reasons. Unacceptable.
    Security you will never to back, certainly not for user-friendliness.

    WordPress is the most vulnerable thing on earth, why use this insecure software? I can not understand this.

    MD5 Hashes? Really? Its 2016 and you use MD5. Use GPG always!

    You have a very large user base, Linux Mint in this position has to set an example.
    Linux Mint plus the website really need a change.

  204. It’s a shame this happened. Mint is my favorite distro. But this is the sad reality of our time.

    People should take this as a wake-up call, and improve the procedures they use for downloading and verifying an .iso:

    1. Get the hashes from several places (eg. mirrors), and on different days, in case the distro’s website was compromised.

    2. Get the hashes through several different routes (eg. VPNs & torbrowser) to reduce the chance of a man-in-the-middle attack, by having several different “middles”. Use https wherever possible. To be even more certain, try to avoid DNS leaks. If you use a VPN, test it on or a similar service. Do not use your router/ISP for DNS. Use your VPN or Google or other public DNS you trust.

    3. Wherever possible, verify the hash with a GPG signature (eg. has this available for Mint).

    Practicing good internet ‘hygiene’ like this will help protect you from installing a compromised .iso

  205. It sounds like you have some expenses ahead, so I think it’s about time I finally sent a donation to Mint. With the main website and the forums down, though, I’m not sure how to send it. Somehow I did find a Bitcoin address, “”; is this legit? (Then I have to figure out how to get a bit of a Bitcoin…) Or would PayPal still get to you? With much appreciation and best wishes!

  206. First, thnxs for the transparency – honesty is why i left windows for linux.
    2nd, are updates, etc. affected? I updated and added some apps during the time frame of the second breach.

  207. I am sorry to hear this happened to the beloved Linuxmint site and team Any idea on what your plan at linuxmint will be to prevent being hacked like this in the future or? I am a long mint user for about 8 years now and I love it especially cinnamon and kd. I was wondering though has this made any problems with any other ISO like KDE,MINT,XFCE and so on or? also How have things at mint been since the problem that is currently going on?

  208. Looks like I got an infected ISO. I fortunately only used it to build up a Virtual machine which was on long enough to build the machine.

    /var/lib/ exists
    /var/lib/ C source, ASCII text, with very long lines

    Any need/reason to keep the ISO and or VM for the mint team? or am I good to just clean house?

  209. I added Cinnamon to an existing Ubuntu 14.04 install via a PPA. Is there any way this could’ve affected them. I don’t think so, but others may have the same question.

  210. If the file does not exist /var/lib/ means that the iso on the pen drive is clean or compromised?

    Edit by Clem: If it’s not there, it’s clean.. it’s /var/lib/ though. Check the MD5 all the same, it could be corrupted (i.e. bad download).

  211. Gentlemen:

    What I would suggest is adopting the same strategy as the Tor developers and the Tails and GnuPG developers. I’m referring to publishing a PGP key, and signing your releases with that key.

    You could also use that key to PGP-clearsign a list of hashes; the reason for doing this is because if an intruder can change an .iso file, they can also change any associated hashsets as well. However, what they CANNOT do, is to duplicate or forge a valid PGP signature.

  212. MD5s are not signatures! You need a DSA 1024-bit (minimum) or Elliptic Curve 384-bit (minimum) PGP private key signature for each ISO. That is the only way to combat this problem in the long term. Also, you may have to attend a key signing party to enter the highest level web-of-trust. Once a public key is signed by others via web-of-trust, it should be listed in the database. This is all pretty standard protocol and should gain the trust of many security-minded folks such as myself.


  213. Clem (and team)
    What a horrible situation to be in. I feel for you all, and I cross my fingers that you’ll get everything back to normal (and patched!) soon.
    Take heart, though – I think the OS you have worked so hard to put together is GREAT. I’ve played around a little with Mint in the past, and last week (not the 20th, natch!) I installed it on a spare Intel NUC. Wow. Everything worked, out of the box. I was blown away by how quick & easy it was.
    I’ll be donating again after this, that’s for sure. A worthy cause. Your efforts are most certainly appreciated here.

  214. Sorry for the temporary email address — I won’t receive a reply — not on a trustworthy computer & out of town. I do forensics on stuff like this and would be glad to help. I’ve always been a fan of Mint. If you’d like to take me up on this, let me know and I’ll pass along a secure way to get ahold of me (and we should exchange gpg keys to discuss details).

    To those still getting bad sums — especially on mirrors — some of your problems have to do with syncing, others have to do with DNS caching, which doesn’t necessarily mean there wasn’t still a problem — it just may not be the problem you expect.

    I’d like to know more about the backdoor mechanisms and help if I can. Did they rebuild the ISO from scratch? Kind of a strange way to backdoor considering (and I assume they didn’t go to the trouble of mucking with the repo tools and sources) it’d likely break due to signature verification if anyone tried to update. Bit of an amateur job, complicated/compounded by the fact that it looks like due to how it was ‘acquired’ and then posted online, you’re likely facing multiple attackers. I hope you’ve forensically imaged your own server and made sure it wasn’t also serving the iso in memory. Either way I’m willing to bet you kept getting boinked because your remote access apps were backdoored before that ISO was ever uploaded — perhaps by the original ‘hacker’ and then replaced by the newer ones.

    Anyway, if I can be of assistance let me know. I have a few hours and I can probably offer you some insights (even if I’m not a Cinnamon user 😛 — XFCE ftw!). I don’t, unfortunately, have time to dig apart the ISO from scratch (or download it) due to some personal obligations right now but I would like to help.

    Good luck. And don’t just pull the machines or wipe them — image and put aside those machines. Stat. Also anything you may have connected to in any of your .ssh keys dirs should be thoroughly investigated.

    Cheers, and good luck.

    PS: Interesting they chose Cinnamon — I don’t keep track, but is this the most popular spin currently?

  215. @ av8r0023 Says:

    Not a good mechanism for this particular sort of problem, though I agree that signatures are needed. If they had access to the boxes, chances are they either immediately or would have eventually gotten access to the pgp keys to sign things themselves. When the source is spoiled, one has to assume other things can be spoiled (in memory or on disk — doesn’t matter).

  216. @banababob: just realised I can’t do it then. 🙁 I’ll be on a network that doesn’t (if I remember correctly) allow IRC…
    Maybe the next day at the same time? Let me know what you think. And thanks!

  217. Sorry, last message — and reiterating what someone else said — get off of wordpress (and/or at least do something about all those trackers (and I assume plugins). Lower your attack surface.

    And get the blog far far away from anything serving anything. Never ssh from the blog to the servers serving the distros, too, if that’s being done. And please fix your passwords (though if it was exploited, that wouldn’t have helped; are you sure it was a run of the mill wp exploit and not just being disguised as one? I’m not going to look at your site — is your wp up to date?).

    But please don’t go to disqus or anything centralized for comments. It’d make the baby sheezus weep.

    Also, for the love of all that’s secure, do NOT go to joomla… or anything dependent on javascript, plugins, and third-party stuff that opens you up to worse than this. At least you caught this quickly (<3 the OS community. :))

  218. @Fred Barclay:

    Shouldn’t be IRCing that way anyway (no offense). Set up a VPN and ssh to a remote server then use a text-based irc like irssi with the otr plugin for a bit more safety and security.

    Hope I’m not coming across as pushy. Just trying to be of help.

  219. I know you guys are being swamped. I don’t think there is as much reason to panic as some people are showing. Have faith in Clem and the group. I’ve been without net for 9 hours and just checkin back up on this. The fact they jumped on it so fast should be encouraging people not dissuading them. It was one thing affected. Their sleep deprived. They are working on it! Feel secure at both the transparency and the fact they are reacting quickly to it and taking measures! The guys have made a great Distro. I love my KDE Mint.

    I know you’ve had a lot of concern and stress guys. I just want to make sure you know that a lot of us understand the stress you’re going through and supporting you. THANK YOU for what you’re doing to fix this for both yourselves, and the Community!

  220. 1. Assume nothing is safe, especially your hardware.

    2. Buy a throwaway keyboard, mouse, raspberry pi A+ w/noobs 4gb sd card, analog television with composite video-out.

    3. block all on inbound/outbound except inbound port 80.

    4. use netcat to send us links to torrents / mirror downloads.

    5. …

    6. Brace for the cyberpocalypse.

  221. 1. Assume nothing is safe, especially your hardware.

    2. Buy a throwaway keyboard, mouse, raspberry pi A+ w/noobs 4gb sd card, 2A 5v power brick, analog television with composite video-in.

    3. block all on inbound except port 80.

    4. use netcat to send us links to torrents / mirror downloads.

    5. …

    6. Brace for the cyberpocalypse.

  222. @Ilija: VM and virtual network breakouts and crossovers are not unheard of, especially once an attacker has made it in internaly. Any distro site should be kept totally separate from anything customers or staffers/developers can write to or post to (or wordpress and its ilk); it should do NOTHING but distribute and have NO unnecessary ports open (not even ssh on a standard port, and all ports should be filtered and that machine should be strictly iptabled; not a total panacea but will stop most attackers that lack a lot of sophistication or access from the maintainers’ boxes themselves).

    Think dev network, content network, and distribution network, all on separate nets and boxes, not just separate virtual networks, and no ssh’ing from one of the others to the dev network; that should be strictly controlled in case of an sshd/pam/etc backdoor or sniffer (even tcpdump). Right spirit, but not the best way to go about privsep.

    Should also be using rsyslog in realtime to a machine where logs can’t be changed/wiped easily, have ssh logins/suspicious entries on the distro box emailed/smsed to you along with details (<30 minutes to write a script like that), and a host of other precautionary measures on any machine serving a distro. Be also a good idea if you automate checking on a regular basis from a remote box that the sums match the sums they should match. This too can be scripted, easily, and hidden from the attacker unless they know to look for it. Locking all this down shouldn't take more than a few hours, generally speaking, plus maybe a couple hundred for the cert. I'm sure that'd be easy enough to convince people to donate to if money is an issue (and don't use one of the ones known to be duped by state sponsored or contractors using certs to manipulate users; that might take a few minutes of research but it's worth it).

    In other words, YES, GET HTTPS with a real, certified, bona-fide cert that's properly verified; actually I wouldn't even offer regular HTTP as a download mechanism (or rsync). Not even this blog is https. ;).

  223. If I may make a suggestion – Clem is right, this is going to cost the Mint team – heavily.
    Mint is a great distro – arguably number 1 for ease of use and stability. One rogue cracker (I’m glad Clem used the correct term and not ‘hacker’) should not be allowed to take Mint down.

    When this is sorted, I suggest as many Mint users as possible make some donation to the project – just $5 or so. I admit to being dreadful on donating to Linux project but, I live in Indoneisa were wages are low, and it’s hard to get credit cards (and it has to be a credit card) to carry out transactions abroad. I have recently solved this problem so I will try and persuade the wife to let me use the credit card!

    I would suggest the next piece of news on Mint should be “Mint users rally to support Clem with record number of donations” to show our faith in the project. That should do a lot for Clem and co. and clean out some of the bad taste on the web world.

    Credit to Clem and co. for total transparency on this.
    I will repost this when the forums are back up.

  224. @Jedinovice: In the longer-term I doubt it’ll have much of an impact on trust, especially considering the transparency, the fact it was caught quickly, and the plans to lock down the systems. In fact, most users probably won’t even remember this incident or find out about it unless they’re really into the open source community (or someone goes twitter crazy; I can’t say I care for twitter enough to find out more than the one or two posts I saw if that’s happening). Either way it’s not a disaster, it’s not the first time a distro or popular app or whatnot has been backdoored, and I think most people are generally not as unforgiving as all that, especially in this day and age.

    As long as he locks things down, remains transparent, and does what’s necessary to satisfy the community and so forth, I’d be disgusted if Clem were ostracised at all; if he were I’d PERSONALLY be ashamed of our community. I did mention something about donations to get SSL properly set up in my post while you were posting, and I still think that’s a good idea. Note, I said properly set up. And of course if hardware or something else is needed to make things more secure, we should be willing to contribute to that too in whatever way we can to meet the basic requirements and not cross over into the funding category (things get ugly often when that happens).

  225. ” The infected Linux ISO images installed the complete OS with the Internet Relay Chat (IRC) backdoor Tsunami, giving the attackers access to the system via IRC servers.

    Tsunami is a well-known Linux ELF trojan that is a simple IRC bot used for launching Distributed Denial of Service (DDoS) attack”

    Just saw this elsewhere. Definitely sounds like an amateur job from someone not very familiar with linux internals/backdooring/etc. That’s a *good* thing. You see this sort of (if not even exactly this) software floating around on linux apps on untrustworthy torrents occasionally. It’s not the nightmare I expected — it’s even not hard to clean (though you really should reinstall — who knows what else might have been modified). Overall, though, not sophisticated at all. Nor were they likely to have ‘gotten’ many people. That’s a good thing.

  226. @Clem:

    “Edit by Clem: It’s planned and I’m hoping it’ll happen soon. Please note that this wouldn’t have helped here though. You’d be served the exact same hacked information via HTTPs.”

    This may be true for this particular instance, but since a lot of people download or otherwise access ISOs on public wifi or shared networks, it opens things up to a very ugly man-in-the-middle or man-on-the-side attack (one reason I suggested torrents; not perfect but they do bother with quorum-like checksumming). If someone injects anywhere along the way because the pathway isn’t made secure on both ends (putting aside SSL attacks), then you’re not protecting your users, just yourself. 🙂 That’s not an insult; please don’t take it as such. But HTTP leaves people open to exactly the sort of thing, at any point on the network chain, as just grabbing a backdoored ISO does from the source itself. It should be a priority, not something to get to.

    Sorry for the tone; been up all night, and this didn’t even affect me or anyone I know — just want to make sure it gets dealt with properly. 🙂

  227. (edited to add: it also allows people to inject false checksums and modify what *appears* to be your page and addresses and so forth extraordinarily easily, sans SSL — that includes any actor, not just a local network one) — and via things far more easily available to people that even the WP details were available for sale.

  228. Did or any other subdomains get compromised too?

    Edit by Clem: The compromised sites were the main website, the forums and the cinnamon website.

  229. Within the last days, I got offered an update for the “nss” package which was unsigned. So I rejected to update. I tried the update process the next day. There was no claim about missing signatures anymore, but “nss” was still offered. So, I took the update.

    …maybe this was related???

  230. I’ve been running version 17 happily for at least a year, along the way upgrading from 17.1 to 17.2 then 17.3 with kernel 4.2-027 and the proprietary Nvidia drivers. All upgrades went smoothly! But when my SSD crashed on Feb 19, it became necessary to reinstall. As part of the troubleshooting process I had this bright idea that maybe a fresh install of 17.3 would do the trick, so on Feb 20th I downloaded 17.3 amd64 Cinnamon. I was able to connect to the router wirelessly, but not the internet. Tried disabling Ipv6, changed my DNS servers, some other tricks but nothing. I was able to duplicate this, what I thought was a “bug” with two different PC’s and three different wireless adapters. A recent wind storm with winds up to 115mph knocked out my wired connection so I was kinda stuck. Today my ISP restored connectivity and guess what? Same problem with my cat7. Router connection, no internet. I didn’t know about the hack at the time, I thought it was a 17.3 bug so I nuked the install and reinstalled 17.1. Poof! Internet works great. While spending the rest of the day reinstalling updates and software to bring me back to 17.3/4.2-027 only then did I learn about the hack. I have four questions: 1. Does the trojan write anything to your hard drive(s) when Mint is run as a live disk? 2. If installed, does the trojan compromise your home partition (my home partition is on a separate drive) or just the OS? and 3. when run as a Mint live disk, can this trojan attack my Windows machines/partitions? And finally 4. can this trojan attack Macs or Windows machines on the same network? I’ll be spending the next few days trying to track these answers down.

    Props to Clem and team for being proactive and transparent about this attack. I’ll be sending some BTC soon as I know my wallet is safe to restore on the affected PC.

  231. Fred Barclay – 1700 UTC is not good for me. I can see this time difference is going to be a problem. Do you have a G+ account – I am on there? Maybe that will be better.

  232. Hi Clem, My question: Is it possible that if you have a wrong ISO installed that the first time that you do a Mintupdate a pop up appairs with the message: Youre PC is made from a not valid Iso, Please reinstall’?

  233. @banabob: Mint is a very important project for me (I put it on computers left and right) so I definitely agree with the rallying stuff and will donate as soon as the website is up and the donation button available again.

    @Clem and the Mint team: Hang in there and know that we appreciate your hard work.

  234. @103 av8r0023 Says:

    “MD5s are not signatures! You need a DSA 1024-bit (minimum) or Elliptic Curve 384-bit (minimum) PGP private key signature for each ISO. That is the only way to combat this problem in the long term.”

    Correct me if I’m wrong, but doesn’t the user still have to check the signatures? That is, if they don’t bother to check MD5SUM or SHA256, will they bother checking a signature?

  235. i have Linux mint 17.3 or 17.2 KDE edition and i believe that i am unaffected by this i don’t get why LinuxMint needs to be hit by this now i used Linux mint since version 7 Gloria edition and this is uncalled for

  236. For purposes of checking the integrity of ISO’s, MD5 is sufficient. Engineering a file to have a specific MD5 sum is still a non-trivial problem to solve.

    Also, it is much, much simpler to check MD5 than to fire up PGP or GPG to check. I know that I will not do so.

    I’m just as lazy as the average computer user, and just paranoid enough to still check MD5 sums. It’s not like I can verify the PGP/GPG signature anyway, since I don’t have the necessary web of trust. So MD5 it is, or sha1 or even sha256 if that is available.

    Anyway, I still have perfect confidence in Mint. I’m going to install Xfce 17.3 64-bit that I downloaded yesterday via torrent. I calmly downloaded it at the same time that the website was taken offline and everyone else were running around in complete panic like headless chickens.

    Keep up the good work!

  237. Does a md5sum on the burnt DVD give the same md5 as on the ISO file it came from?

    having 935d 5a83 60f7 f0d0 b196 8273 4b3a e9ae for the md5sum /dev/cdrom
    Linuxmint cinnamon 17.3 32bit

  238. 98 – Lecter: It was the flakiness of the latest Kubuntu that drove me to check out the Mint KDE version and have to say it’s been a big improvement. Don’t throw the baby out with the bath water please 🙂

  239. You may want to clear up in the blog post that

    “Links to the malicious version of the ISO were added, detected, and removed on the same day, February 20.

    If you’re already running Linux Mint, this doesn’t affect you — all files installed or updated using the package manager are digitally signed and the signatures are verified.”

    as reported at micahflee. com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/

  240. I wondering if a fake iso would be detected when you first run the live-dvd or live-usb with “check the iso for defects”, before you run it live and install it afterwards ?

  241. I downloaded a german version of Mint 17.3 on the 20th from Heise.
    Is that currupted?
    How do I check the iso in win7?

  242. Well, hasn’t mint come a long way…it was only a matter of time before some parasite pulled shit like this. This is an example of how mint is evolving into something much bigger.

    The experimental specimen of a human who attacked our community is a small parasite. A parasite that escaped from the bag of human waste and found a place in the darkness waiting for a vulnerable host.

    My company runs on mint cinnamon with a total of 5 computers. I have the same desktop on all machines..proudly displaying the mint logo and more importantly, “from freedom came elegance”. I’ll be dammed if some parasite is going to push me to another distro. I have donated to this project and will continue to do so. I encourage all to do the same. Guys you have my support and I will continue to promote and convert the vulnerable. Change the locks and lets move on.

  243. I just check the md5sum of my Linux Mint XFCE 17.3 x64

    got this: 729c92e3ef247bbc12104e6c14a2b95e

    Does this mean the xfce version has been compromised as well?

  244. Clem
    Feel for you and well done for taking swift action. Unexpected website changes are one of the most common vulnerability exploits but it’s totally preventable if you were using ionCube24 as it alerts and blocks unexpected changes from execution. We’re more than happy to get you setup with ionCube24 for free ( if you’re looking to harden your system going forwards. Just get in touch so we can help.
    Good luck!

  245. After site of Linux distro developers (Linux based site by the way) can be hacked there is no cense to speak much about user’s actions – what is right way for them or what not. At first place right way is a good sysadmin.

  246. I don’t know if because of the iso hacked but I installed Mint Cinnamon 17.3 64 bits as a guest in VirtualBox 5.0.14 and the virtual machine have no access to the Internet. The ISO was discharged on 20 February and it seems ok, md5 it’s ok

    I tried configuring the network interface as NAT on virtualbox or bridge connection (setting an IP range of my LAN) but I can not go on the internet guest machine.

    Instead I tried with ubuntu 14.04 install as guest system and I have internet access.

    Can anyone guide what’s happen ?

    Thanks a lot.

  247. You should probably issue a level 1 update that attempts to locate and delete the backdoor file and alerts the user that he should format his system, re-download the ISO and install again.

  248. Ok, i found this in the opening post Written by Clem:
    [quote]Once in the live session, if there is a file in /var/lib/, then this is an infected ISO.[/quote]

  249. I can access some pages of through Linux Mint, but none through Windows 10 (both Opera and Edge browser. I’m aware that the site is generally down).

    Is that weird?

  250. Sorry. This shouldn’t be a case of “we’ll think about reporting it”, but rather “we WILL report it”.

    Regardless of the reason, the individuals involved should be found and prosecuted to the fulling extent of the law.

  251. I would like a copy of that file to be mailed to . Just for seeing how the backdoor works…

    #112: The site is down, but the blog is separate from the site and is working. Linux Mint x64 uninfected (installed quite a while ago and messed with it – I might have to redownload it though)

    Comment written at 201602221510+0200

  252. I wanted to take a look at Mint on saturday.

    So I downloaded the ISO (turns out it’s infected — MD5 7d590864618866c225ede058f1ba61f0), rufus’d it onto a USB stick and booted the live system but did not establish a network connection. I was on wifi and was too lazy to type the password.

    Is there a chance that some of the underlying systems — i.e. the Windows box where I created the USB stick or my Macbook (FileVault encrypted) booting the live system — could have been compromised, even without having been connected to a network?

  253. Maybe a silly question. But this issue is able to make me paranoid.

    Just this morning, after having made a svn up and svn log, all of a sudden svn asked for password when doing svn log -vr6056. The .subversion/auth file for that repo was changed and did not contain gnome-keyring any longer, as the others do.

    Any relations to this hack?

    Linux Mint 17, last updates on Feb. 18.

  254. @106 and @108 -I’m in total agreement with you both.

    It makes me sick to my stomach that this happened; and for no good reason but to show off, cause distrust of the most wonderful distro?

    Not gonna happen! Clem and Team, we’re with you all the way!

    Vive le Linux Mint!

  255. Hi Clem,

    I really appreciate your efforts to keep us informed. I was not affected by this, but as a fan of Linux Mint I’m certainly following along with everyone else. I know this must be a hard time for everyone right now, and I just wanted you and everyone else on the Mint team to know that I still love your work and support you 100%. I’m sure the same is true for many others. It’s sad to see some people bailing over this; this should be a time for solidarity in the Mint community. Like Jedinovice, I plan to donate money to the project as soon as this is resolved, you guys certainly deserve it for all that you do for us.

    Keep up the good work, and I wish you all the best in resolving this issue.

  256. I’ve got a confirmed copy of the bogus ISO downloaded the afternoon (EST) of FEB 19th. You need to expand your window a bit.

  257. As a sign of my good faith in Clem and the mint team I’m pledging 5$ to mint right now (on top of my monthly 1$ support).

    Go mint! I know this is probably a hard time, but you’ll pull through, and I’m personally not going anywhere. 🙂

  258. I tried to check with the instructions given.

    I entered md5sum linuxmint-17.3-cinnamon-64bit.iso

    And it said “No such file or directory”.. Must I have the ISO in a specific folder?

    Thanks 🙂

  259. Clem, it would be super beneficial if you could send an email to all of the mirror maintainers with the correct sha256 hashes so that we can check them independently of the ones above. I’d like to be able to verify that what I have on my mirror is legitimate via an out-of-band channel. Maybe tweeting the hashes would be a good idea, too, for yet another verification avenue. Unfortunately I feel very wary of trusting MD5 hashes residing on the same site that was compromised, SSL or not.

    Thank you!

  260. “Lecter Says:
    February 21st, 2016 at 8:16 pm

    Sorry, but now it is time for me to leave linuxmint. I do not feel safe anymore with your great distri. For now I am back to latest Kubuntu LTS.”

    What happened and how it is handled by Clem&Co is exactly the reason for my to stay with linuxmint. Kudos!

  261. Ah, wait. I just realized that the sha256sum.txt file is signed with GPG. I have verified that that file, with a date of Jan 6, 2016, has a valid GPG signature. All of my ISOs’ hashes are correct.

    $ stat -t ‘%Y-%m-%d %H:%M:%S’ sha256sum.txt*
    1075 121457096 -rw-r–r– 1 _mirror _mirror 485072102 1406 “2016-01-07 03:53:21” “2016-01-06 11:03:41” “2016-01-07 03:53:21” 65536 16 0 sha256sum.txt
    1075 121457097 -rw-r–r– 1 _mirror _mirror 485072103 181 “2016-01-07 03:53:21” “2016-01-06 11:09:59” “2016-01-07 03:53:21” 65536 16 0 sha256sum.txt.gpg

    $ gpg –verify sha256sum.txt.gpg sha256sum.txt
    gpg: Signature made Wed Jan 6 11:06:20 2016 EST using DSA key ID 0FF405B2
    gpg: requesting key 0FF405B2 from hkps server
    gpg: key 0FF405B2: public key “Clement Lefebvre (Linux Mint Package Repository v1) ” imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 5 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 5u
    gpg: next trustdb check due at 2016-09-29
    gpg: Total number processed: 1
    gpg: imported: 1
    gpg: Good signature from “Clement Lefebvre (Linux Mint Package Repository v1) ” [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2

    $ sha256 -C sha256sum.txt *.iso
    (SHA256) linuxmint-17.3-cinnamon-32bit.iso: OK
    (SHA256) linuxmint-17.3-cinnamon-64bit.iso: OK
    (SHA256) linuxmint-17.3-mate-32bit.iso: OK
    (SHA256) linuxmint-17.3-mate-64bit.iso: OK
    (SHA256) linuxmint-17.3-cinnamon-nocodecs-32bit.iso: OK
    (SHA256) linuxmint-17.3-cinnamon-nocodecs-64bit.iso: OK
    (SHA256) linuxmint-17.3-mate-nocodecs-32bit.iso: OK
    (SHA256) linuxmint-17.3-mate-nocodecs-64bit.iso: OK
    (SHA256) linuxmint-17.3-cinnamon-oem-64bit.iso: OK
    (SHA256) linuxmint-17.3-mate-oem-64bit.iso: OK
    (SHA256) linuxmint-17.3-kde-32bit.iso: OK
    (SHA256) linuxmint-17.3-kde-64bit.iso: OK
    (SHA256) linuxmint-17.3-xfce-32bit.iso: OK
    (SHA256) linuxmint-17.3-xfce-64bit.iso: OK

  262. Sorry, I’m a noob.. :/

    linuxmint-17.3-cinnamon-64bit.iso is what I have.

    Once I checked, I got the following signature which matches what you’ve posted above. So that does mean I’m OK, correct?


  263. I just joined the list of Linux Mint users this past Friday, and must say not only have I been impressed with Linux Mint as an OS, but I am very impressed by the responsiveness to issues and the transparency of the Dev team.

    Keep it up! I look forward to continuing being a part of this community.

  264. I was trying to install mint on 19-20 feb. I’m not sure if this is useful but I still have a webpage open for installation and on the infected iso md5sum. I can send a screen shot of it. But here is the details on the page:

    Linux Mint 17.3 “Rosa” – Cinnamon (64-bit)
    md5sum: 7d590864618866c225ede058f1ba61f0

    So if I am not mistaken the did change the md5sum on the website. I had trouble with installation and when I did the md5sum I got the correct value above (e71a2aad8b58605e906dbea444dc4983). I downloaded it again and I still got (e71a2aad8b58605e906dbea444dc4983) I suppose the mirrors I downloaded from where not infected.

  265. I am not sure when did upgrade my Linux Mint OS, but it was few days ago. Is it possible to check md5 on upgraded system? Just wanna to be sure that´s my system is clean. Thanks.

  266. @ bananabob: I do have a g+ (well, I have gmail so I think I’ve got g+) but don’t want to post it publicly. 🙂
    What would be a good time for you to chat? I can probably work around it–I’ve got weird hours.

  267. Keep up the GREAT work, we all still LOVE our Linux Mint! Good luck sorting out this little hack, Mint will be back stronger and better than ever.

  268. Hi,
    I truly believe that we must not leave Mint at this point and we must support. They handled very honestly the whole situation and this should be credited. It is true that this hack indeed revealed severe security policy violation, like e.g. ridiculus passwords but I hope a lesson is learned.
    Besides I would advise Clem to escalate to authorities immediatelly and not to take it lightly, as it seems from the Zdnet article that this person(s) won’t stop.

  269. There were some level 3 and level 4 updates which appeared in the updater just the other day; it may have been the 20th but I can’t be sure. Anyway, since then, VPN connection has been very erratic and is now not working at all. I’m mentioning this just in case updates have been compromised or the attack has somehow affected VPN.

  270. Hi
    I downloaded via the Mint hp, sunday 21.02.2016 the 32-bit iso file “linuxmint-17.3-cinnamon-32bit.iso” and did today the md5sum check as proposed in this blog. The result was goood, the right checksum appeared! So, I’m happy, no harm is present!

    Supportix, Switzerland

  271. TL;DR version: STOP shipping MD5 sums with .iso files, RIGHT NOW.

    I’m a CISSP; I hate to see people making grievous security errors. As others have already hinted at, reliance on MD5 for security is improper. As a hashing algorithm, it has been obsoleted a number of years ago because of its weakness to artificial collisions.

    Google “md5 collision generator” … I’ll wait.

    Back? Ok, so now you know how bad it is. There’s plenty of space in an .iso file that can be manipulated to recreate whatever MD5 checksum an attacker desires. Using tools already in the wild, it is possible for an attacker to compromise an .iso image with a backdoor and keep the same MD5 sum and size as the original .iso.

    There are two problems to address when copying large files like ISO images: integrity and authenticity. This is a case of solving the wrong problem.

    Integrity: If a single person controls the entire path of a data transfer (e.g. copying a file from a thumb drive to a local disk), integrity is usually the right problem to address. Using sha256sum(1) for this is currently considered cryptographically sound; MD5 is not.

    Authenticity: If you’re obtaining the file from a system you do NOT have control over, and need to verify that it came from your intended source, this is the problem the Mint maintainers need to focus on. This can be solved with public key crypto tools like GnuPG.

    The Mint maintainers need to create a GnuPG key pair and widely distribute the public key, prominently feature the fingerprint on the official website, etc. Each .iso should have a corresponding .sig (outboard signature) signed by the official MINT key.

    The signing command for the distro maintainer would look like:

    gpg –output foo.iso.sig –detach-sig foo.iso

    Users can verify a downloaded image with:

    gpg –verify foo.iso.sig foo.iso

    Note that if you’re verifying the authenticity of a file with gpg(1), you are also automatically verifying its integrity as part of the process. Unauthenticated checksums like SHA and MD5 should NOT be present in the mirrors because they offer no guarantee of the file’s origin. Their presence can mislead users into thinking files are legitimate when they are not.

  272. @Clem:
    Some idea to prevent such problems in the future:
    Please run a Raspberry PI at home (and a second at the home of a friend) with a little script, that runs every five minutes, and checks the critical parts of the website. If it finds some irregularities, the script can automatically shut down the site, and send you a message. It could also check the ISOs every hour or two (depends on your bandwidth).
    Yes, the Raspberry PI could also be hacked, but with running nothing on it beside of the script, the attack surface should be minimal.
    And at first, the attackers have to find both personal IPs…

  273. Hi Clem,

    Were all the mirrors affected?

    I downloaded Mint 17.3 Cinnamon 64 from James Madison Univ. on 20 Feb at 08:03:45 PM EST. The ISO shows it was modified 20 Feb at 03:38:58 PM EST.

    My ISO has the correct hash and the burned disk does not show the bad file. Is it safe then to use? I have had it installed since yesterday, but turned off my network connection.

    Best wishes in getting things straightened out.

  274. @Clem:

    As a long time user/tester of WordPress installs I can tell you from experience that running a WordPress install without a decent security plugin that can protect not only core files but the folders and files in the “content” directory is leaving you wide open to attack. The “Wordfence” security plugin is an excellent choice even in the free version which I’ve been using successfully on my sites for quite awhile now.

    Just a thought.

  275. If I updated to Rosa via the update manager in the mint OS itself, is it possible that I have been compromised? How can I check? Thanks

  276. downloaded 64bit iso on February 19, burnt DVD (on Win 10 computer) ran it but did not install it (on another Win 10 computer)
    could any of those computers, network be infected? (shows infected MD5 signature). How to check in Windows if computer is infected?

    A name for the trojan to detect it?

  277. Hi Clem,
    I downloaded 5mn ago Mint Mate 64 and 32bit ISOs from Gwendal and Ircam… Is there any danger to install this ? Is there really only Cinnamon corrupted ? And these servers are they also corrupted or cleans ?
    thanks in advance 😉

  278. I was downloading on the 21th and there was also another odd thing as although I tried to select the Mate version the but dl was the Cinnimon version. Tried twice with the dame results so that’s what I went with and did get the hacked version but it doesn’t have the hack file.

  279. Hello, kenetics.

    Provided correct MD5 checksum means the checksum(s) published at the top of this blog page, then your downloaded ISO might be OK and not infected by the trojan.
    The MD5 checksums on the Linux Mint webpages had been manipulated to match the manipulated ISO image file(s). So they cannot be trusted.


  280. Hi i think I was affected by this. I downloaded and booted a copy from a USB stick. Is the entire laptop compromised? I typically run windows on my computer. Do I need to be worried about all files including the ones I access through windows typically?

  281. Time for hardening your worpress:

    And especially upload folder:

    I avoid to be compromised this saturday by using a mate edition…
    Great to know that you have detected it so quickly and to be transparent about this intrusion.
    Great work and keep it up !

  282. I updated from an already installed 17.2 MATE to 17.3 MATE through Mint’s download manager on that day. Is there any way that could have been affected. How could I check if I did not download and burn an ISO image for that update?

    Thank you so much for your hard work!


  283. I don’t recall having registered on the forums…but is there a way to be sure, Clem?

    Edit by Clem: Yes, please check They have knowledge of all the emails breached during this attack, and it will also show you if you were breached from earlier attacks.

  284. Hello,

    I have downloaded Linux Mint 17.3 on 19th february…

    My MD5sum is d5d99960f64f71b9f16b5d424dfe146c

    that’s not match with the md5sum on this page….

    it’s a valid or hacked md5sum :s ?

  285. I think I’m OK. I downloaded and installed around 12:00 pm CST on 2/21. MD5 checksum of image I used matches correctly and I do not see the file in /var/lib.

    I downloaded the .iso from a mirror, but forget which one. So if the mirrors WERE affected, perhaps they were corrected by 2/21.

  286. There can be a pir sensor accessible for controlling cameras,
    VCRs and DVRs. It supplies the most significant quantity of denim inside country which is one
    in the largest exporters of gemstone and jewelry in India at present.

    Cctv certification Există trei tipuri principale de camere de supraveghere – se ia.

    Another advantage concerns the clarity in the images which is often captured.
    First of all it truly is important to spell out
    why having some sort of Cctv ubuntu is unquestionably a wise decision.

  287. I created a bootable USB on 06Feb2016 and should be safe but get this :

    cd /drives/e
    md5sum -c MD5SUMS | grep FAILED

    md5sum: can’t open ‘./pool/main/b/bcmwl/bcmwl-kernel-source_6.30.223.248+bdcom-0ubuntu0.2~lp1415880~1_i386.deb’: No such file or directory
    ./boot/grub/grub.cfg: FAILED
    ./boot/grub/loopback.cfg: FAILED
    ./isolinux/chain.c32: FAILED
    ./isolinux/isolinux.cfg: FAILED
    ./isolinux/vesamenu.c32: FAILED
    md5sum: WARNING: 12 of 117 computed checksums did NOT match
    ./pool/main/b/bcmwl/bcmwl-kernel-source_6.30.223.248+bdcom-0ubuntu0.2~lp1415880~1_i386.deb: FAILED

    Some files were modified by the installer but I don’t know about the others.

    Does anyone have any suggestions? Since installing, I have spent 4-5 hours on configuration. Do I have to start over?

  288. As a very-longtime Mint user (actually since its inception) I wanted to express my utmost heartfelt thanks to Clem and his team for having made Linux Mint such a wonderful instrument. Coming from the Unix world of the 70s I know what a monumental task it has been for the GNU and Linux communities to build these formidable platforms. It’s disheartening to see that mint has been targeted by hackers, but I am confident – based on Linux Mint development team’s track record that they will put this incident behind and come through with flying colors.

  289. Clem,

    Since MD5 was compromised several years ago (, I am wondering what measures you can take going forward. These sorts of attacks are only going to increase. I upgraded to 17.3 MATE several weeks ago, but have had an ongoing issue with Update Manager (often takes up to twenty minutes before the download begins). I now have to wonder if there might be problems as yet undiscovered. I considered migrating to the Cubes OS recently, but it would require some new hardware. I suppose I’ll have to revisit the question now.

    Edit by Clem: Well, to be honest, we could switch to showing sha256sums by default, but the problem would have been the same. MD5 isn’t perfect but it plays no role here. The hacker would have replaced our sha256sum with his and performed the exact same attack. HTTPS is another thing we need to get done, and it protects against man in the middle attacks, but like MD5, HTTP isn’t perfect but it didn’t play a role in this attack.

  290. Can we get an updated blog post? The site is still down. Any ETA or what’s going on to get it up. I know you’re busy.

    Update Manager is saying there is an update to cpio. I don’t know whether to install it. More guidance would be helpful.

    Edit by Clem: I can’t give an ETA yet, there’s still a lot we want to get done before we come back online. The repositories are functional and they were checked so you can apply updates.

  291. Clem and Mint team;

    First – Thanx for the “heads up”. I was unaffected (no D/L recently) and I use unique, complex passwords for all things that require passwords so I am not worried about compromised access elsewhere… but I will change my PW on the forum when it comes back up…

    Second – Congratulations on being worth the effort it takes to be hacked. This is a back handed compliment from the hackers of the world… Congrats Mint Team – you have arrived!… 😉


    – Reorx –

  292. Great! I downloaded AND installed it on my laptop. Have had issues with it because it wouldn’t connect to the internet (connected to router but no internet access whatsoever). Maybe that explains why the forums pages wouldn’t load (trying to access via desktop) so I couldn’t get any help.

    Now that I have it on my laptop, how am I supposed to get it off? You say “reinstall your OS,” but I don’t have a windows installation disk. When I try to restore computer, it only recognizes the partition that was set aside for Windows when I installed Mint. Now what?

  293. Bad timing for me to reinstall and move from KDE to Cinnamon!

    I downloaded the iso yesterday 21 February 22:16 CET, but I did it directly from this server:

    I checked the MD5-sum and it matches the one on the top of this blog and I checked the file is not present either, so it seems I’m in the clear?
    …but man, I’m still a little nervous to start using my freshly installed Mint…what if other stuff is compromised and we don’t know yet…I’m sad now…
    Is there any way to see if there’s a backdoor once the OS is installed?

  294. I know this is a little nerve wracking for everybody concerned not least Clem and the team but lets think of how the “big” boys might have handled this.

    Can anybody here imagine the likes of MS, Apple, Adobe etc reactions to something like this happening to them? Perhaps waiting a few weeks while they decided to make it public never mind trying to fix it?

    I for one am extremely pleased to watch how Clem has dealt with what must be a worrying and somewhat embarrassing situation.

    Total honesty about what has happened, immediate action to mitigate and correct the problem and an attempt to keep us all in the loop despite my suspicions that Clem et all are at the point of exhaustion due to lack of sleep.

    As soon as the donate page is up again I am going to hand over some of my hard earned money. A night or two less in the pub this week won’t kill me!

    This is the best dist by far and I have been running it since I think version 3! At least I think it was 3 but my memory isn’t as good as it used to be.

    Keep up the good work Clem and team. It is very much appreciated.

  295. I have no doubt this “hit” was contracted for the express purpose of discrediting what has become the greatest alternative OS for people who are fed up with Microsoft spying and who also cannot afford an expensive Mac.

    To the Mint team: take it as a compliment. As the saying goes, the higher you get, the more of a target you become.

    Also, when you handle problems well like you are now, it actually ends up benefiting you in the end. Your users will trust you even more than they already do.

    Keep up the good work!

  296. +1 for Jerry’s post (126)! Clem, you did extremely well handling this, and I appreciate your honesty and hard work. 🙂

    If something like this had happened to MS, etc… we might have never heard of it.

  297. @ bananabob: that works for me. Actually I’m on irc right now if you want to try to connect, otherwise I’ll try again tomorrow.

  298. Man I’m glad I’m a MATE user…

    That said, I feel for you and your team, Clem. To be hacked like this right when you’re gearing up to build 18 must have you madder than a blind pervert in a strip club. As a Mint user this does have me a bit worried, but your prompt handling of the situation does much to put me at ease. Thanks Clem and team. Your efforts do not go unnoticed.

  299. Getting all of the typical Debian vitriol over this on sites like Ars Technica. Good luck, Mint dev’s, on catching this and repairing things. I’m a Mint convert and will continue to donate to the cause. Hang in there. Look at it as a bad day in school where you at least learned a lot :). Thanks for a great distro!

  300. Well, it’s about time the hack happened. There’s no such thing as “good” security, and it’s about time our community woke up to the problems we face. Security is a fluid. WordPress sites, while easy to setup and use, also pose problems – it’s a trade off between convenience for ease of access. As Linux Mint grows, so do the security issues – and frankly we might consider adopting some more of Debian’s methods. I love Linux Mint and the hack caught me by surprise, but rather than panic like a flock of hens, hopefully this will cause the team some pause to update our woefully backwards policy to protection. I think while a WordPress is an alright platform for news and blogs, for downloads and other services, we ought to migrate and adopt better tools to ward off attackers. The best foe of an enemy is a community capable of responding to attacks and mitigating damage and halting hacks when they occur.

  301. All you people complaining about md5sums need to give it a rest. The infected ISO files FAIL the md5 check, so the md5sums are doing exactly what they are designed to do. Verifying a corrupt ISO.

    Everyone looking for a “safe” download, use the torrents. They were not affected. I always use official torrents to download, and seed them 24/7 to help others. Since the Mint site is down at the moment, you could check or for the torrent files.

    Looking at the heanet mirror link from above, it appears their md5sum file is still valid (as of this post). They match the values I have and verify with the clean files on my server. Hopefully that means their mirror is still okay. If you are looking for a clean download and don’t want to use torrents, then get them from heanet and use the signed sha256sums to verify them. I checked the 64-bit Cinnamon ISO and it verifies with sha256, and also matched my ISO which was downloaded well before the attack.


    Wow! So sorry this happened. Thanks for the quick response and announcement. Hopefully you’ll get this all sorted soon.

    Try not to stress too much. Take some time to catch your breath and relax a bit. We’re all anxious to see your site back online, but not at the expense of your sanity or health, so take a break if you need to.

    Aloha, Tim (aka Lolo Uila)

  302. Guys i dont understand…

    So looks like i have downloaded and installed a linux mint 17.3 Cinnamon x86_64 iso from


    – On Virtualbox i’ve checked on Live DVD image from in /var/lib: not found (same thing on my laptop with that Linux Mint iso installed today)
    – I have checked with Wireshark: no connection to or others suspicious website
    – I have downloaded that iso on 19th february, not 20.
    – and that strange MD5sum.

    anyone can help me to understand ?

  303. Jedinovice says: “Mint users rally to support Clem with record number of donations”. Thinking along those same lines–and I like the idea!
    I pledge a donation to help when that link securely returns. Members and users should be thankful for the dedication of the Mint team, and for their expertise.

  304. Count me in! To stay with the distro, AND to make a donation. I’m liking Mint so much, and I don’t want it to go away.
    Those crackers can suck my toes. They’ve not scared me away from Mint. Let’s not let the bad guys win!

  305. Kudo’s to Clem & his fellow “minters” for saddling up. THIS LATEST HACK s/b a wake-up call to EVERY distro builder/maintainer/etc. If Mint’s .iso’s can be sabotaged/hijacked in that fashion, what is the propabilty of other distros’ live-CD/-DVD images of being compromised? Especially the live images of lesser-known, not-as-well managed distros? @ Clem & his troupe: i am in awe of your integrity, honesty AND diligence! Thank you sooo much …

  306. Wow, this guy/hacker is a terrorist. This isn’t hacking this is cyber terrorism, and Peace_of_xxxx should be treated as such.

  307. We were recently informed about your website being hacked.
    We are a dedicated servers/web hosting provider ( and the IP mentioned here belongs to us, it’s a customer who rented some servers.
    Do you have any other IPs from our networks?
    The servers were all suspended and we are investigating the matter as well.

    We wish you a fast recovery and a fast identification of the person(s) responsible.

    Edit by Clem: Hi, many thanks for getting in touch with us. We contacted the Bulgarian authorities and they’ll probably want to know who rented them. We don’t know for sure if the people involved were victims as well or involved in the crime yet.

  308. Hi All,

    First,tops for Clem@Co. Second i am staying with LM too. Its a great distro and after 3 months of use,i can say it works like a charm. No way back. And more important,the hack will not scare me away from LM. The way the team handled this crime,is reason for a big thumbs up and a donation,which i will make when everything is back to normal. I hope there will be more donations to come. Its worth it! And a way to show the appriciation for the team and Linux Mint. Hang in there folks. Don’t let it get ya down……

  309. im not happy with this hack, but why is comment 133 from ‘wow’ allowed to stand? Do you really want the “C” word on your site? Ladies dont like being called that.

  310. [i]”The hacker from Russia (could be a VPN of course) even DDOSed my personal IP to prevent me from taking the site down. “[/i]

    In USA that’s when you take laptop and cruise to local McDonald’s to bypass the IP denial of service, or a friend that lives more than a few miles away and preferably on another ISP.

  311. As a recent convert from XP I ask myself why i did not switch over years ago…This distro is the best by far over the other choices. Ive had trojan and malware issues with windows…nothing is bullet proof.
    Clem and his team do a great job i will stay with mint and fully support them. In the end the bad guys won’t win.

  312. I responded earlier… it was “pending moderation” for a long time & now it’s gone.

    Yes, I was effected! You said in this blog post to let you know if we were and this is the only way I know how to let you know.

    I had the same thought as Jerry… Can you imagine what the “big boys” would have done if this had happened to them. We’d most likely never have known about it AND would have had to pay them to provide support for the remedy.

    Do I have great timing or what? 🙁 I downloaded it Saturday (even did the md5 thingy), installed as dual OS on family laptop… and stayed up past 1am trying to figure out why Mint couldn’t access the internet but Win7 could. Took a break yesterday & got back to it today… only to find I have a corrupted version.

    Truly grateful that you’re on top of it and taking a hard stance to remedy the problem. Couple of questions:

    The question still remains: How do I get the corrupted Mint off the laptop? I tried to restore Win, but it only recognizes the size of the partition that was allocated to Windows during the Mint install (300 GB hard drive, but restore only sees the 90GB that contains Windows). Do not have a Windows installation CD. Considered the WinX upgrade, but that’ll only recognize the 90 GB allocated to windows, too. Even willing to wipe the hard drive and start over… if I knew how.

    I know you’re swamped and truly feel for ya, but could I get some help? Please? Keep checking your FB page, this blog, and my email for a response, and so far the only one I’ve gotten is that my comment on this blog has disappeared.

    Edit by Clem: Sorry, we’re just fighting this on so many fronts… the ISO, the servers, the new servers, purging the backdoors, hardening, and so many comments and press queries, we can’t keep up. I moderated this one in a hurry to let you know it’s not lost (your previous one is probably out there as well). We’ll moderate it all and reply as much as possible in due time. I hope you understand it’s taking more time than we’d like. We’re doing everything we can on this.

  313. Clem, you can count on me for an extra donation or two to help offset the costs of this TOTALLY UNDESERVED attack.

    What scumbags the crackers must be to attack the source of software that has made and, after recovery, will continue to make a real contribution to the world!

  314. I’ve been trying to migrate from windows for a long, long time..
    tried linux a few times, have had good experiences & am now ready to take the plunge, 100%..
    been comparing distros & desktops & decided on Mint, just this past weekend..

    i **LIKE** the way Clem & Co. are handleing this! THANK YOU!!!!


    after the dust settles, i’m donating $50.

    xx ‘piece_of_xxx’..

    good work, guys.. this actually makes me feel *safer*, because it *informs* me…

    Edit by Clem: Thanks, please do not swear though.

  315. In response to #135/Danni63:
    Get a copy of GParted, either the standalone live boot version or a Linux distro that includes it (like Mint if it’s possible to download it right now. I’m pretty sure GParted is included on Puppy Slacko, and I expect there are several others that have it.). Install to a CD/DVD/USB drive as you did with Mint when you installed it. Boot it live, and use GParted to format your Mint partition(s). If you want to resize your partitions, you can do so now, just be careful about shrinking Windows any more, it may not like it. Install a clean copy of Mint when you have one.

  316. Thank you Clem and your team for being so honest to us. As was mentioned earlier the big boys would of kept quiet about an intrusion. I raise a glass to you. cheers

  317. sorry about that.. not even a *little*.. ; )

    I’d like to donate now, if possible, using paypal.

    the donation page is down, so is there a am I can send to?


  318. Danni63,

    You could use Windows disk management to delete the Linux partition. Or you could download a 3rd party alternative, like GParted or any other partition manager.

    Your best bet, however, would be to wipe everything off the system and reinstall, even Windows. When you were running the corrupted Mint, you were vulnerable to attack, so it’s possible the hacker could have compromised your Windows install as well.

    Your Windows install may very well be fine (and it’s likely it is), but it’s better to be safe than sorry (especially where Windows is concerned).

    You should probably change passwords for sensitive sites as well.

    Sorry you got caught up in this. 🙁 Good luck.

    Aloha, TRP

  319. I have 17.3 cinnamon 32 bit and I do not have a /var/lib/ folder/file only a man-db. Am I affected? I downloaded the 32bit on 2/15/16

  320. Hello I downloaded linux mint on 19 feb.I had a few issues-
    1.system settings was not opening and crashing
    2.nemo was not opening and crashing
    3.i could not shutdown my pc.Got only black screen when trying to shutdown.i had to manually shutdown by pressing the power button.
    4.when i was trying to restart it would logout and won’t restart.
    Was my iso compromised?i deleted the iso out of fear and i did not check md5 please any help would be appreciated by this newbie.Hope everything gets sorted out luck to mint devs.i know 20 feb iso but these strange problems i never faced in mint 17.2.

  321. I have been posting a lot of recommends about Mint with Cinnamon. I am not even a Linux user, Windows is my preference. I am really even more impressed with you after this. OMG! A Linux guru who is not afraid to admit to being hacked however it was done. I hope they catch the guy.

    I was going to download Mint today but got sidetracked then saw this on Threatpost in today’s mail. I will monitor this and download when I see it is completely clear. The reason I was going to download and learn it is that I do tech fixes and disinfecting/tweaking computers for friends and acquaintances since my retirement. Many have boat anchor old XP machines and I wanted to see how it ran, and then how easy it is to install and maintain. Then I can load it and return the computers working with a little help on using it.

    Keep up the good work! I will never switch to Linux for everyday computing, I don’t get infections and frankly don’t see any BSODs. I am convinced lots of folks who rave about how bad Windows is haven’t run it seriously for themselves in a few years. That not said to try to get them to switch, only to ask that they check their premise first. And you have gotten a Windows guy to recommend your distro based on user comments and ZDNET articles about it.

  322. I appreciate the honesty, in regards to what happened. I don’t think anyone needs to be assigned blame for the community to move forward. What happened is spilled milk, and might help bring greater attention to security going forward.

    This incident shouldn’t lead people believe Mint Linux is any less secure than any alternatives. Logically that just doesn’t make sense.

    While you can make Linux become anything, there are limits to the amount of time and patience one has. Mint Linux, looks nice, has a nice feel, and has most of the general use cases for an OS covered out of the box. Mint is by far my favorite for these reasons.

    While I have already sent a donation already this month, I will be sending another one after the page comes up to help cover the additional costs this incident will have likely generated. As some people have already said, I encourage more of the community to do the same.

  323. recently moved from Windows to MINT and was amazed how slick it is! sick of Microsoft forcing apps on you, constantly changing your settings back, and tracking everything you do – so yea they must be worried about the popularity of MINT! – I would imagine many hours are being spent sorting this out, and will also be donating when site is back up – good luck! – thanks again

  324. First of all. Great distro.

    It’s a shame people do this kind of damage. Wasting time and resources.

    I am quite sure most people using this distro agrees you are handling a big problem which you are not responsible.

    Once the donation site is up again. I’m going to donate.

  325. Qbertopp,

    You should be okay, but to check you should verify the sha256sum hash of your ISO against the ones on the heanet mirror linked above. I also posted the hashes for the clean ISO images I have on my server below.

    46b8a14826a53f4cacf56d1132a5184c2132f274aef8103e5e8e8cae9e1cfde0 linuxmint-17.3-cinnamon-32bit.iso
    854d0cfaa9139a898c2a22aa505b919ddde34f93b04a831b3f030ffe4e25a8e3 linuxmint-17.3-cinnamon-64bit.iso
    506a8e88c83cddc7fadd2b7c5bf25b7e6a15f028e1628004dcd6470084430f17 linuxmint-17.3-mate-32bit.iso
    d02bfaae749db966778276a8ae364843c1ffb37b3e1990c205f938bda367ad2a linuxmint-17.3-mate-64bit.iso
    be64bf240a47df03fedca1b8aeb9357896e3dedd55446a0f87eca4f638c9d28c linuxmint-17.3-kde-32bit.iso
    aa33bf286e92556163c335b258fe5cbd9f65f4ab8490e277fed94cf20d3920e4 linuxmint-17.3-kde-64bit.iso
    cebff34e99b071d7237d2cfd2e24719f5a72e9e499a82d424007e850befc755b linuxmint-17.3-xfce-32bit.iso
    83c1796a37582bdea74117193cef369582d72093fd0b5278ae03016bd8685b04 linuxmint-17.3-xfce-64bit.iso

  326. So again I ask, as my email address is now showing up on pwned…

    If I upgraded to Rosa via the upgrade manager on the 20th and subsequently have no checksum to verify, how can I tell if my system is compromised?


  327. Clem, I am 100% stepping into a linux distro “seriously” for daily computing and not just for sh.. and giggles off a flash drive… for the first time. I did a little comparison over the last 2 months and decided on Mint. I had my new SDD arrive today (literally about 6 hours ago) to give this ordeal a whirl… plug it in, go look for a download and “hacked” oh snap!!

    I’m glad you are on this, honest about it, and providing alternatives in the mean time. I’m not giving up, I’m still going to install the “safe” copy you’ve linked here numerous times.

    I’ll check it against the known bad checksums (simple task) and going for a linux box finally. Wish me luck!

  328. Clem (when you have time) – I have emails showing I had a forum account back in 2013. But today when I try to log in so I can change my password it says it does pot recognize my username.

    I even did a search in the members page for my username and email address and it did not find it.

    Any chance you started a new forum after 2013 sometime so I don’t have an account in the “new” forum – or did my account disappear somehow.

    Trying to just wait till you all get some air so I know how to proceed. (Also need to know when it’s settled down as I’m rolling 17.3 out on MintBox Mini’s for our manufacturing plant (yeah! What an amazing piece of hardware!)


    Edit by Clem: Check

  329. First of all, thanks for this amazing distro! I’ve been using it as my only operational system for about 2 weeks now, both at home and at work, and I’m very satisfied ^_^

    I installed Mint in February 10, way before the date in which your site was compromised, but something is bugging me…

    In Ubuntu help site, they say that root login is disabled by default. Since this distro is based of Ubuntu, I assumed it was the same. But when I tested it, root login was enabled after installation. I could open a terminal, type “su -” (no need for sudo), enter my regular user password and gain root access.

    I’m pretty positive I didn’t enabled root login. Was my computer compromised? Or does Mint come with root login enabled by default? If Mint does enable root login by default, is there any rationale behind it? I disabled root login and I didn’t noticed any negative impact on the system.

  330. There is one more thing I would like to ask.

    This week the updater has been giving hashfail errors nonstop. Most problems seem to came from “” amd64 stuff. I tried to switch mirrors many times, but the errors persist.

    Is this in any way related to this invasion?

    Best regards and thanks for everything.

  331. For people who are left wondering if they have an infection:
    Correct me if I’m wrong here…
    The threat was stated to be “tsunami”, which is pretty old, so pretty much any virus scanner should pick it up?
    If someone cannot verify their ISO file, and the above mentioned thought is correct, then someone could just do the following to get peace of mind:

    Open a terminal window

    install clam anti-virus by entering:
    sudo apt-get install clamav

    update the virus definitions by typing:
    sudo freshclam

    scan the computer by entering:
    sudo clamscan -r /

    wait for your results..

  332. Emails to users to warn them would be nice, but that requires knowing an email address for everyone.
    I found out because the site was down and I did a search.
    The sha256sum hash of the infected download did not match, which should have stopped anyone from installing the download.
    The site was infected about 8 years ago, August 15, 2008.
    Both times Clem acted as soon as the problem was discovered, and was honest and open about it.
    This happens. It will happen again. Eight years between infections seems like a reasonable history.

  333. Yes I’m just wondering is it safe to update my Linux Mint? I downloaded and installed Mint awhile back so I know I have a good ISO. I just don’t know if I can safely update my system or not.

  334. I am a long time MS DOS & Windows user and got back into Linux recently as I decided XP would be my last MS OS. My previous Linux experience was with Mandriva 2008 which was very good. This time I decided on Mint 17.3 cinnamon (it was a DVD package on a Magazine). Things have certainly moved on!

    I thank all the people who gave us Mint – it is superb. Please do not feel the need to react to this episode by changing the fine balance between stability, security and function in your distribution because I think it is just right.

    Like others who have commented here I pledge to donate some money as a new user. I have been so impressed by this flavour of Linux. Maybe it’s too good, if it’s become a target 🙂 Best wishes.

  335. >I am considering switching to Debian or Fedora now.

    Well, you can if you like but they are MUCH harder distros to work with. Plus…

    a) This was nothing to do with Mint per say. It was the *website* that was cracked.
    b) I more than suspect that FUD regarding Mint was the crackers intended. Dropping Mint would be aiding the loons who did this and encouraging them to do such again – maybe to other distros.

  336. >”Sorry, we’re just fighting this on so many fronts… the ISO, the servers, the new servers, purging the backdoors, hardening, and so many comments and press queries, we can’t keep up.”

    I think I speak for the vast majority when I say we understand and are behind you. Take your time and get it right.

    Remember the programming adage, “First make it work then make it fast.”

  337. JM,

    The only thing OS related that was compromised were the ISO images (Cinnamon versions), and only for one day. If you did not install from a hacked ISO then your OS should be fine.

    However, the forums database was also stolen, so your email likely ended up on pwned from that. The hacker got usernames and emails, along with an encrypted (but crackable) password. If you use the same username, email and/or password anywhere else you should change them ASAP.

  338. Richard,

    Did you not read the subject of this entire blog post?

    Scroll up to the top and start reading.

    (hint: yes, it’s down due to being hacked)

  339. In Saturday i do upgrade my mint and on Sunday the system going to unstable state (my terminal background color changed and my working programs are closed and network was disconnect), after that i lose my personal data on my drive all of that are removed. Is that related to this hack?
    I didn’t use compromised ISO but upgrade system.

  340. I really don’t understand why people point out that the website should use sha256sum when either way, sha256sum or md5sum – WILL ALSO CHANGE BECAUSE THE FILE HAS CHANGED. -_- It really doesn’t help Clem and Co. What are they thinking? Automagically, sha256sum will protect everyone because it’s updated? c’mon. -_-

    Best of luck Clem, Mint is still. <3

  341. Hi. I downloaded Linux Mate 64 bit with codecs early Friday morning and burned it directly to cd. The Acer was fine till I restarted it Friday night and it crashed. I have some of my data backed to an external HDD, but the Acer won’t “accept” it. All recovery and restore functions are crippled. The ironic thing is this: this was the very first time I’ve ever tried a Linux OS. However, when I get this repaired, I will still try a Linux OS as I feel you were victimized and see no carelessness on your part.

  342. Website is hacked and this happens to all organisations, including most secure ones, Banks, Goverments, big ecommerce sites etc. Nothing related to product (Linux Mint). More related to PHP Scripting Language and lots of amateur applications built on top of it.

  343. Hello, I’m pretty sure I’ve installed all my Linux Mint 17.3 either in December 2015 or early January 2016. But I’ve not keeped the ISO and I’ve formatted the USB stick I used so I can’t be sure. There something I can do to be sure I didn’t got infected anyway? Some tool is can run?

  344. I’m using a newly-installed 17.3 LMDE 2 (cinnamon) and found the following file in my downloads dir on feb 19:

    Plugin-Message24328972347532.scr (possibly an executable related to mono runtime, which is an ECMA script interpreter ? )

    I did not d/l this and don’t know how it got into my d/l directory.

    Any thoughts ? Searching yields some Steam-related victims of related malware, but I don’t use Steam . . . and haven’t done much of anything with this sys since recently installing it fresh.

    Thank You

  345. Hi, I’m new to linux.

    I downloaded and installed 17.3 cinnamon 64bit on February 17th.

    I just checked the MD5 signature of my ISO and it doesn’t match with the official signature.

    My ISO MD5 signature is : b934f21d9a7ef1212ca5a9519e97e5cb

    I saw that some people who weren’t download the ISO on February 20th also have the same issue.

    Is it fine?

    Thank you.

  346. Linux Mint is the first choice for many Windows users, because of the easy learning curve and adaption.

    Since Qiana (17) I use Mint and everyone without exception is very happy and use Windows only if necessarily. Regularly maintenance as the tiresome Windows update, register/file cleaning, AV updates/upgrades, defragmentation are no longer required.
    The update manager is efficient & fast.

    I will continue to use Mint as I regard the situation as a wake-up call. I am glad that the news spread wide over the net reminding that security is always important.

    I think it is time for mint to collaborate with others like Fedora to understand better the strong and the weak of each other.

    As I have read from above, a fundraising might be a good idea to make Mint even more professional and become acknowledge to the public.

  347. @lumberjack,

    I checked one ISO from the heanet mirror a few hours back and it was okay. There are signed sha256 hashes on that mirror you can use to verify the ISO you download. I also posted the sha256 hashes from the clean ISO images I have on my personal server (which should match the ones on the mirror).

    46b8a14826a53f4cacf56d1132a5184c2132f274aef8103e5e8e8cae9e1cfde0 linuxmint-17.3-cinnamon-32bit.iso
    854d0cfaa9139a898c2a22aa505b919ddde34f93b04a831b3f030ffe4e25a8e3 linuxmint-17.3-cinnamon-64bit.iso
    506a8e88c83cddc7fadd2b7c5bf25b7e6a15f028e1628004dcd6470084430f17 linuxmint-17.3-mate-32bit.iso
    d02bfaae749db966778276a8ae364843c1ffb37b3e1990c205f938bda367ad2a linuxmint-17.3-mate-64bit.iso
    be64bf240a47df03fedca1b8aeb9357896e3dedd55446a0f87eca4f638c9d28c linuxmint-17.3-kde-32bit.iso
    aa33bf286e92556163c335b258fe5cbd9f65f4ab8490e277fed94cf20d3920e4 linuxmint-17.3-kde-64bit.iso
    cebff34e99b071d7237d2cfd2e24719f5a72e9e499a82d424007e850befc755b linuxmint-17.3-xfce-32bit.iso
    83c1796a37582bdea74117193cef369582d72093fd0b5278ae03016bd8685b04 linuxmint-17.3-xfce-64bit.iso

    Another way to get a good image is to use the torrents. Check or for the Mint torrent files. Oh, and make sure they are torrents from before the hack in mid January, just in case the asshats try to seed a fake torrent. You can then use the above sha256 hashes (or the ones from the mirror Clem posted a link to) to verify the ISO image before installing it.

    To use a signed sha hash download the ISO(s) you want along with the sha256sum.txt file as well as the sha256sum.txt.gpg file, then open a terminal in the folder with all those files and enter:

    gpg –verify sha256sum.txt.gpg sha256sum.txt

    You’ll get a response like this:

    gpg: Signature made Wed 06 Jan 2016 08:06:20 AM PST using DSA key ID 0FF405B2
    gpg: Can’t check signature: public key not found

    The key ID at the end of the first line is the key you’ll need to verify the integrity of the sha hash sums file. So now you need to get the key (we’ll use the Ubuntu key server to be safe).

    gpg –keyserver hkp:// –recv-keys 0x0FF405B2

    Note the hex number after the 0x is the ID of the key we got with the first gpg command (0FF405B2). You should see a response like this:

    gpg: requesting key 0FF405B2 from hkp server
    gpg: key 0FF405B2: public key “Clement Lefebvre (Linux Mint Package Repository v1) ” imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1

    Next, you’ll want to verify the signature of the hash file to see if its bee altered, so enter:

    gpg –verify sha256sum.txt.gpg sha256sum.txt

    And look for “Good signature” in the output.

    gpg: Signature made Wed 06 Jan 2016 08:06:20 AM PST using DSA key ID 0FF405B2
    gpg: Good signature from “Clement Lefebvre (Linux Mint Package Repository v1) ”
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2

    This tells us that the sha256sum.txt hash file was signed by Clem ( The warning below that can be ignored (it just indicates your current GnuPG trust database does not have trust information for that signing key).

    So now we can check the ISO image(s) you have downloaded.

    sha256sum -c sha256sum.txt 2>&1 | grep OK

    After a moment you should see the name of each ISO file with its status.

    linuxmint-17.3-cinnamon-32bit.iso: OK
    linuxmint-17.3-cinnamon-64bit.iso: OK

    Which, hopefully will look like above.

    Aloha, TRP

  348. If any one wants to download ISO’s:


    via p2p torrent file then that can be done from here.

    I permanently seed these two ISO’s myself and can confirm that those ISO’s from that site as source for the torrent check out fine against MD5 and SHA256 checksums given at this Mint webpage:

    (I can’t comment if the “OEM” and “No Codecs” torrents for that site check as okay as I don’t have those ISO’s on HDD. However, I would assume that they are unaffected by the problems being discussed here. Just if you do download them remember to check the downloads against the MD5 and SHA256 checksums given at the Mint website.)

  349. FYI: I did download and test the two files in my post above and they passed. So they are good images on the heanet mirror that you can use.

    But you should follow the procedure and verify them yourself.

    If you are really paranoid and want to verify the procedure itself, look here:

    And now the roosters are crowing outside because it’s morning and I have been up all night. So good luck everyone, I’m going to bed.

  350. Hi fellows! sorry about the hacking, i’m sure it’s producing some headaches. Is there any way to download the last version of linux mint while the server is down? i’ve just got a new computer and i was looking for it.

  351. As I have read on comments above, a fundraising would be good to help you cover any expenses you may have in making this more secure. At the end, we benefit from this great distro, and it’s only fair to donate something for it. You may publish something in your site asking for a donation to improve security, I guess everyone who uses this distro will be glad to help. I’d definitely do, even though it’s not too much, but it’s something.

  352. @Clem

    Thank you Clem and team for the quick response, transparency, and making the community a part of the team.

    You have my continued support and donations…

  353. I downloaded linuxmint-17.3-cinnamon-64bit.iso January 19th 2016. The server I don’t remember. The md5sum of the iso is 0327715c713369bedf52cd9c7d933226 i.e. invalid.
    Since I already installed Mint 17.3 I looked for the infection. There isn’t any “/var/lib/”. Of course I will format the disk and reinstall older version.

    Are you interested in the iso file or can I shredder it?

  354. @359 chanchullero
    You can download and get checksums files from here:

    If you would rather download via p2p torrent then that can be done from here:

    In both instances you should, of course, check the downloaded ISO(s) against the checksums information (MD5 and SHA256) available at the first mentioned download link.

    To check them use the following in a terminal:
    md5sum linuxmint-17.3-cinnamon-64bit.iso
    sha256sum linuxmint-17.3-cinnamon-64bit.iso

    (Obviously you would need to provide the correct path and filename for the ISO you actually want to check.)

  355. @jake
    I believe that ZDNet article is considered “erroneous” as in the “cracker” that was interviewed was a wannabe, not the real culprit.

  356. There is also the possibility that the hacker in the article is providing a “red herring” to distract from any possible corporate involvement. He might or might not have anything directly to do with it.

  357. Given that there were two breaches, the second after you became aware of the first, and the second one also compromised the mirrors, what assurances can you give us that the repositories and non-cinnamon desktops were not effected?

  358. +
    To the cracker: nice shot, but you failed miserably, you POS.
    To all the rats abandoning the ship: Good riddance.
    The Linux Mint ship is far from sinking, it is alive and well, and flourishing.
    Kudos to Clem and his team for transparency and quick action. That only strengthens the already mighty confidence I have in Linux Mint. I switched to Mint years ago and will continue using it, will NOT leave it because of a slimy POS cracker.
    Hope the website is back up soon, much safer and improved, so I can also make a donation.
    Thanks again Clem for all the good work.

  359. I updated my other computer from 17.2 to 17.3 cinnamon over the weekend and now when it boots up cinnamon crashes then get an error cinnamon crashed do you want to restart cinnamon then its just a cycle of crashes.

    Tried to go to the forums to ask for help and discovered the hack thing is my problem related to the hacking?

    Thought Linux and phpBB could not he hacked, what did phpBB say about the forums being hacked and the user info being compromised ?


  360. If January forum hack will confirmed then those who interviewed is really hacker himself or at least well informed.

  361. I updated the linux mint cinnamon 17.2 to 17.3 via terminal, it will have some security risk at being hacked mint cinamon 17.3?

  362. Hello, I’m truly just some old geezer who has become and more worried about what Windows 10 was doing, and what Apple is actually sharing. So I thought, ok ,I’ll try it – so Linux Mint, here I am, and I like it! But there has to be an easier way for me (an old geezer who is totally new to mint) to check the veracity of the file I get from you folks. How can a recovering windows user learn about PGP sigs and MD5 stuff? Shouldn’t this operating system have an easier way to do this? I want to tell my friends about Mint but…well, this virus thing worries me a little.


  363. Now is not the time to panic, in fact its time to put your money where your mouth is and show your support for the best distro out there! Help Clem pay for the new servers! Donations sent!


  364. I updated from 17.2 to 17.3 over the weekend and the computer keeps crashing when it boots up.

    Tried to get help on the Linux Mint forums but they are down, stumbled onto this hacking thing by a Google search for Linux Mint

  365. Thanks Linux Mint team for dealing with this in your usual stable and efficient way. Which is no surprise, since that’s what people love about the software.

  366. @Long Time Listener First Time Caller….In truth there is nothing to worry about, at least in the way you would have worried when you were a Windows user. I am a good ten years into using Linux and I have never had a virus or any other type of malware attack my machines in all that time. This is really a very isolated incident.

  367. So aside to cheking an ISO there isn’t a single way to know if my computer is infected, I cannot even be sure that the date of 20 is right for all we know Mint could have been messed up long before. How I’m suppose to trust Mint and Linux when this thing happen and you are basically left on guessing by using an Magical 8 ball?

  368. Donation sent!

    As I said on the other side, One Love. One Heart. Linux Mint can’t be beat! It’s called FRREEEDOMMM!!

  369. ElisaMasah: Check for the file, and see whether it’s present in /var/lib . If it cannot be found, your install is clean. It it’s there, you’ll need to reinstall.

  370. Clem has already said that the malare can easily remove the file once is istanlled so that is not a proof at all, you can still be infected even if you don’t have it.

  371. Is the Iso from Heise in its german version also corrupted or does this concern only the isos from the linuxmint website.

    Edit by Clem: The hacker didn’t hack the mirrors, he hacked our website and made it point to his ISO instead of the ones stored in the mirrors. In any case, no matter where you download it from, please check its hash before considering it safe.

  372. @ElisaMasah
    If you like you can reinstall from a fresh ISO.
    there is a virus checker called ClamTk in the software store

  373. I downloaded the Rosa update exactly on the 20-th from the Update Manager. Checked for, the file is not there, also don’t seem to be connected to the malicious ftp’s. Should I just re-install or am I safe as long as I updated from the Update Manager? Hope the repo was not compromised as well

  374. Just checking….

    I know the web site is up, and donations are able to be sent. But has it been confirmed the only the ISO links were hacked, and that the information to make the donations through the website are safe from this guy?


  375. Clem, I suggest you have a look at Sucuri, they have a very nice WAF (and many other features.)

    I hear the hackers compromised your WordPress installation?

    Sucuri specifically focuses on protecting WP websites, but they can cover pretty much any website design, they’re much like Cloudflare.

    Their WAF is a lot more accurate and has way more sophisticated “Virtual Patching.” The graphs and statistics are great too…

    I wouldn’t suggest this to you if it wasn’t worth checking out.

    Sucuri was founded by Daniel Cid, he made the OSSEC HIDS.


    Edit by Clem: We joined Sucuri during the week-end, and I had a chat with Daniel today. I’ll talk more about this soon, but we’re going towards a partnership and using many of the services they provide.

  376. Sjur: same here, just saw an update to mintupdate, claiming it will detect Tsunami & warn the user. Just now.

    So far, the only changes I can see, compared to the earlier build, is a quick-and-dirty check for the tsunami malware files, and a new warning. Everything else looks pretty much the same, so far.

    @Clem, is this update from you, or should we be worried?

    Edit by Clem: It is.

  377. I did a live upgrade from 17.2 – 17.3 during the time in question, would this have affected my system and if so how can I tell?
    Thank you for being so upfront, honest, and quick to respond.

  378. Welcome back,LM-team. Donation is made,hope there will be many,many more donations to come. The force is strong with this one……

  379. Sorry for the dumb question here…but I searched for it and didn’t get any relevant hits.

    Update Manager has one update: mintupdate

    with a Change log of: “* Detect TSUNAMI and warn the user!”

    Presuming this to be valid, but didn’t see anyone talking about it other than Sjur at comment 388.

    Edit by Clem: Yes, please take the update.

  380. I wasn’t affected ISOwise -email, perhaps but,

    updates cpio and Level 5 linux -Linux Kernel Header for development, old: 13.3.0-77.121 to new: 13.3.0-79.123 are good to go then?

    I’m quite grateful for Mint and the Mint Team. My donation is my small way of saying thanks and hang in there guys. This too shall pass.

  381. Clem, I just noticed I neglected to thank you for getting on top of this situation so quickly, and keeping all of us in the loop! Yet another reason I keep Linux Mint on my main boxen, and I hope it stays that way!

    Keep up the great work!

  382. Well done for being open and transparent about this.

    Am I right in assuming that anyone who has been checking sha256sums that are signed by a consistent long-term GPG key (in this case E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2) should be safe?

    If so, maybe this is a good moment to educate people in the importance of doing those sort of checks, while LM has the spotlight in the wake of this hack. It could also be a chance to publicly shame those distros that STILL don’t provide GPG-signed checksums.

  383. Thanks for sharing. I just installed a Linux Mint Rosa XFCE distribution at those days and am happy to know that everything is okay. I did still the m5 check, because why not and all is good 🙂

    Adding to that I remember a case in Germany like 1-2 years ago, where the government had known that a lot of e-mail adresses have been stolen. They did inform everyone about it in November and made a site public to check your mail adress in December. Then people found out, that the adresses have been stolen already in April/May and it took them 6 months to make it public!! There was so much bullshit involved and I am really happy for the Linux Mint team for making this honest blog post. Adding to that I agree with the way everything is being handled right now, as well as hoping for the correct decisions being made for it not to happen again.

    Asking the community for some kind of advice might also not be a stupid idea. More heads can figure out more stuff.

  384. Is everything fixed yet? Best advise currently for those wanting to download Linux Mint?

    Edit by Clem: No, forums are still down and there’s much more we decided to do. Best advice: Check the MD5, no matter where you get the ISO from.

  385. Also, as LTL points out, maybe we could do a better job of documenting (in a user-friendly way) how to check GPG-signed checksums?

  386. You should send flowers to whoever did this.

    They created a big free marketing campaign for you with this event and lighted up the security issue with website.

    I wish you the very best!

  387. Today I received this security update mintUpdate
    A description of the update reads as follows:
    Help installing security updates and new versions of packages.
    TSUNAMI detect and warn the user!
    What does that mean?

    It’s all quiet now? Concerned about the last invasion.
    Someone who received already updated and the system is normal?
    The Iso I used is from 01/23/16, is not about the hacked.

    Clem force and staff.

  388. We can count ourselves lucky I guess. A few years back, the official Linux kernel got hacked with malware. The infected code wasn’t distributed, but it took them 17 DAYS before figuring out something was wrong.

  389. For all those yammering birds who scream about “big bad WordPress” – that certainly could have happened with any other kind of CMS or content organization software as well.

    As the Linux Mint folks point out, its a faulty theme and lax file permissions. Eg. older versions of TimThumb, which was always a very helpful tool in the past, are known to be too lax with their access restriction. Or an outdated version of the rev slideshow, or just a misunderstanding on how to implement AJAX requests in the frontend ..

    .. could have been anything.

    But let’s see it from a positive point of view: If you don’t make any mistakes, you can’t learn from them. And even worse, if your mistakes never come to light, you will continue making them, until something worse happens.

    So hopefully the Linux Mint website division is going to be much, much more careful in future, of what they do with the website and how they implement new features 😉

    BTW: Dear Clem – WP has been supporting threaded comments for ages, and watching this editing orgy of yours has always been giving me headaches – why not help yourself to that feature? But better let it implement by s/o who knows his/their way around WP; maybe just ask the folks at Automattic politely 😉

    cu, w0lf.

    Edit by Clem: It’s another thing on my long list of todo things. But yes, I agree. Don’t be too quick to blame the theme though. There’s no indication that it was at fault.

  390. @Clem
    What would be the down side of encrypting the Linux Mint ISOs with GPG against a public-user, whose public and private certificates would be made available on your server, so that anyone who wants to decrypt your distribution can first acquire the user certificates (once and for all), and is 100% sure that it’s coming from your team and nobody else? This way there will be no “option” to check signatures, or checksums, etc. This is something that I’ve been doing for quite some time for my documents, albeit they are far smaller than your ISOs. But computers are fast enough nowadays and it’s a one time thing for each user. Plus, the file needs to be “scanned” in its entirety for the checksum anyways, so it probably makes little difference in terms of creating additional burden on the user’s hardware.

  391. “Detect TSUNAMI and warn the user” – i downloaded this but got no warning at all…how am i supposed to see the results and see if i am safe??

  392. Hi gang. I posted at 374 already, but forgot to mention something. After I unknowingly downloaded the infected ISO, I received a perplexing phone call from a call centre identifying themselves as “Microsoft Tech Support” (an obvious bogus moniker), but he warned me that I had just downloaded a malicious virus. I laughed at him and hung up. Later that day, I started my Acer and the C: drive crashed. Could this call have been from the same hackers trying to cash in with some expensive bogus “Virus removal” sceme? Did anyone else get this call?

  393. Thank you for responding, Clem. Donation made.

    I’m not much of a technical person when it comes to computing, but have been hammering at keys and tinkering since DOS was on a 5 1/4″ floppy for a Z-100. I have to say without a doubt, my recent transition to Linux has been the most comfortable and enjoyable experience I’ve ever had computing. It’s a learning curve, no doubt, but it does what I want it to do, and essentially without flaw comparatively. Many thanks to you and all the others for all that you have done/are doing. Much appreciated!

  394. “Once in the live session, if there is a file in /var/lib/, then this is an infected ISO.”

    sorry for the silly question, but in /var/lib i only see a folder called man-db, in /var/lib/man-db there is a 0kb text file called auto-update, is this what the quote speaks of?

    Edit by Clem: No, /var/lib/man-db is OK.

  395. Thankyou for the quick response, one other question, probably unrelated, but how come when I go into my account settings my camera light flashes on my laptop? I just noticed :S curious if it is normal. still hands down, Mint is an awesome distro 🙂 sorry if I’m waisting your time.

  396. Thankyou for the notification. I did indeed download the hacked ISO. I recieved an email from google notifying me my email account had been accessed on a samsung galaxy s and also a windows PC. The same day I read your warning. I changed my passwords on another debian machine I have, then formatted and re-installed an older Mint 17.2 DVD I’d been using previously.

  397. Wow, one guy or gal from Bulgaria caused all this? Sure makes me feel unsafe using Mint, and I am an 8 year user and donator. For now though I’m going to stay on my Debian 8 partition until I hear the “all clear” bell. Sorry.

  398. Hello, I am a certifi9ed green noobie to Linux Mint Cinimon…. I have been disgusted with MS Win for some time and thought my wishes were answered when I read about Linux MINT.
    I downloaded both a 32 and 64 ISO as I have both types of machines. I don’t know how to check if mine is affected, sorry, I’m new. BUT….
    I ran the 32 on my older Dell from the DVD. When I was on the web I tried to open a sight and a blue screen come up, telling me to call a number that there was a bad file on my machine…. Am I affected here or what the heck is going on.
    I did run the 64 on my LENOVO from the DVD and did not have any abnormal operations.
    So today is the 23 and I would have downloaded a day or two ago.
    I am hoping to make Linux my new op sys and I have a friend that is waiting for a copy as well but I am waiting now until I know my ISOs are not affected.
    Thanks for your thoughts….

  399. Bob Says: “Correct me if I’m wrong, but doesn’t the user still have to check the signatures? That is, if they don’t bother to check MD5SUM or SHA256, will they bother checking a signature?”

    Yes, they still have to check the signatures.

    Smokey Says: “I’m just as lazy as the average computer user, and just paranoid enough to still check MD5 sums. It’s not like I can verify the PGP/GPG signature anyway, since I don’t have the necessary web of trust. So MD5 it is, or sha1 or even sha256 if that is available.”

    We can ask Clem for both hashes (sha256 hopefully) and signatures (detached .sig files). They are not mutually exclusive. Also, the user/verifier doesn’t need to be in the web of trust, it’s only important for the signer to be in the web of trust.

  400. As Clem mentioned earlier, switching MD5s to sha256 wouldn’t have prevented this attack. However, it needs to be done. Defaulting to HTTPS wouldn’t have prevented this attack. However, it needs to be done. Authenticating ISOs with PGP signatures wouldn’t have prevented this attack. However… you get the idea.

    Linux Mint could simply follow the majority of security practices of TAILS Linux as a start. It shouldn’t take more than a week or so to implement, and it would solve a lot of anxiety and heartache.

    To the Linux Mint dev team, if you are reading this, we still have faith in you. Keep up the good work.

  401. Just made a donation to help. Happy to see things are returning to normal. Forums will need some work but it’ll be worth it once it goes back up again and be better than ever.

    To the entire Linux Mint dev team keep up the great work!! Looking forward to the next version of Linux Mint!

  402. I noticed that the linuxmint site is back up, I assume by this that everything is back to normal and it is safe to download the latest version?

  403. i just finished my first full install of Linux, other than Canonical Ubuntu, namely Mint.

    This may not be the correct thread, but does anyone know how to reliably disable the admin password, so I can install packages without being driven crazy?

    That was the breaking point for me & MS, in Vista.

    I really & truly would like to use Linux, but this is a deal breaker.



  404. I read the part that said it was just 17.3 Cinnamon. Decided to check my 17.2 Mate installation disk anyway.
    I’ve upgraded from 17.2 to 17.3 Mate

    In terminal, inside the main directory of the installation disk, I entered
    md5sum c- MD5SUM

    Got a lot of Directory and file listings each followed by OK. Then I got

    md5sum: WARNING: 6 lines are improperly formatted

    ISO is long gone so can’t check that, is this related?

  405. Squinty, welcome to Mint. You’re right, this is not the correct thread, and to be honest it’s not the right question either. If you disable Mint asking your password before letting you make changes to the system, you’re disabling basic security. You won’t find many users willing to help you break your nice new Mint install that way. So I hope you’ll reconsider.

  406. Am looking to dual boot my windows 10 with Linux, looking at this thread am worried.

    @ Clem : Can i go ahead and download and install it now ? or you suggest me to wait ? please and thanks.

  407. I don’t understand the people who want to abandon the ship in the light of this: also the Adobe website was hacked, and it’s not that Adobe run out of business. Actually, in it’s at the top of the list, with 153 million Adobe accounts breached.

    Said this, as Linux Mint is a distribution that ends up in the hands of grass roots Linux users, why not implementing as standard clamTK for example?

    But one thing worries me: yes, there has been transparency, but to a certain extent. Given the fact that you should have the email accounts of all the people registered in the forum, couldn’t a mass email be sent to warn users? The website down or even this blog post don’t necessarily reach all the users… many (like me) use Mint because it works (brilliantly) straight out of the box, and for this reason they don’t need to go and check their distribution’s website every day, or to end up in this blog. Pretty much like any Windows user never went to the Microsoft website. Only difference is that if something similar happens to, it would be covered broadly by the mainstream news.

  408. Hi Clem and others,

    I haven’t read all 536 comments, so apologies if someone already mentioned this – I’m ( hosted by A2Hosting ( They offer optimized WordPress and extra security features for WordPress. Could you take a look at what they offer? If you were hosted by them with all their extra security layer for WordPress (or an equivalent host with the same security) could the hacker have got in?

    I’m not super tech and only average with Linux etc. but I thought this 2 cents worth might be a valuable alternative strategy. Good luck. J

  409. Hi, I follow this distro from the start even if I use OSX/W7 combo last 5 years. Used to install it on old PCs for friends to avoid viruses and extensive use of CPU by AVs. MATE version served the best. Its a shame to see my beloved user-first oriented distro being the target of some bad guys. I appreciate your honest work and handling of this incident. My servers are targedet every day, some attacks were even succesful /aka Drupalgedon story…/. I am admin too, even a lame one, so hacker penetration is mostly my fail /permissions etc/. I donated small euros and I hope it serves well for you to recover. Keep up your good work Clem and all Linuxmint developers !

  410. Is now sure download a Cinnamon release ISO? I downloaded a Cinnamon ISO on febreary 20th and I delete the ISO after installing, so I can’t verify if I have an infected installation.

    So I want to known if is sure to download a new ISO. Thank you four your information.

  411. @squinty

    I’m afraid Mint (or any Linux distro) isn’t an environment for you if something as simple as entering a password for system maintenance drives you crazy. After logging in, I need to enter my password maybe once a day, if even that. I wish you good luck with Microsoft or whatever system you end up with.

  412. Squinty,

    The previous 533 replies were dealing with how to tighten the security of the system, not remove it!

    “Same answer I’ve heard repeatedly. Sounds like microsoft”

    Ouch! That hurts.

    In windows8 at least, you can do it:

    In a linux system it is also possible, but usually a VERY BAD IDEA. Why is it such a deal breaker?

    Hint: if you google [linux running sudo command without password]
    you will find the answer on how to do it.

    Remember that Free Will is like giving razer blades to toddlers.

  413. >This may not be the correct thread, but does anyone know how to reliably disable the admin password, so I can install packages without being driven crazy?

    It’s done to you what you do but this is THE MOST BASIC security and what keeps Linux from being the sieve that Windows has been/is.

    *However,* the request for admin password in Mint is FAR less intrusive than in Vista. It may also be that you are using the software manager to install software one app at a time and being asked for the password each time. I can see how that would get annoying But if you use synaptic – which I do, you can queue installs and only have to input the admin password once or twice. I also store the .deb files so I can install offline if needed. That will reduce the pain and maintain security.

  414. Hello Clem

    is it safe now to download the ISO’s or should we wait for your confirmation? i just want to upgrade to Qiana 17 now i have been using Petra 16 for quite a long time.


  415. @sqinty, welcome to Mint. You can do it, right. You can log in as “root” instead of “squinty” or what user name you use. But then you are the Overlord. Root can do all. Even destroy the system and the data.
    Microsoft has learned from Linux, not the other way.
    Do you really wish to have a system where one wrong click let you destroy your system?
    Wish you luck. But never blare in our ears, after you have destroyed your system.
    No one will pity you.

    HughW Mint user since Mint 4 Daryna

    they said: “use windows xp or better”. So I installed Linux Mint

  416. Is there any possibility that system updating through the update manager can affect the os? I have done a complete update on these days. I found a folder man-db in /var/lib.

  417. @539 Curiousworry: You’re correct that this incident did not affect the MATE versions.

    The MD5 (and SHA256) hashes are to verify the integrity of the ISO that you download prior to installation. If the ISO that you downloaded is already deleted, then nothing on your system will return the hash you’re looking to validate.

    The -c switch (not c-) is for verifying a subsequent .md5 file of hash/file pairs, not for generating the initial hash you’re looking to validate.

    MD5SUM will return a hash for any file. For an ISO, in the directory where the file exists, type: MD5SUM TheFileNameOfTheISOYouWantToValidate.iso

    Doing so will return the hash/file pair for you to compare the hash that’s provided. SHA256SUM works similarly.

  418. For the security of the general public, would it not be a better idea to publish SHA integrity checksums instead of MD5.
    SHA-1 or SHA256 is far more secure than MD5

  419. I am a new Linux user, and I do not exactly know how to check if I am in danger. I have the pendrive I used for install. So I connected it to my computer which is may be infected.
    Reboot, press F12, select USB, then I got this.
    I have selected the option below the Default. I only found man-db folder with auto-update file.
    Am I do everything well in checking the infection?
    Is it mean I am in secure?

  420. Hello, are updates as mintupdate sure? I do not know what to do … am a little confused. Maybe you should have some information about the now following updates give until the situation returns to normal (relaxed) has. Thanks Clem and team for your fantastic performance! Greetings from Germany.

  421. Downloaded yesterday,installed, and checked the ISO’s Md5sum: e71a2aad8b58605e906dbea444dc4983
    Apparently my LM17.3 Cinnamon 64bit is fine.