Compromised: the Linux Mint with a hole in it
Users of Linux Mint and of its official support forums are being warned that both the site and the software were hacked over the weekend.
Linux Mint claims to be “the 3rd most popular desktop operating system in the World behind Microsoft Windows and Apple Mac OS” according to its Facebook support page.
That same page states that “our mission is to design the most elegant, powerful yet easy to use desktop operating system for office and home users.”
Now some observers are wondering if security should also have been on that list.
On 21st February, a statement appeared on the official Linux Mint blog with the news that “hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.”
Yes, you read that right: the Linux Mint website was compromised and the perpetrators changed links pointing to the official download to their hacked, and back-doored, version somewhere in Bulgaria instead.
At least the source code itself wasn’t compromised, as the Mint repositories themselves were not hacked, and the same goes for the official Mint download ISOs and checksums.
Anyone who installed Linux Mint over the weekend from an ISO image downloaded via the links on the official website, and didn’t validate the checksum against the official list, will probably be running that compromised version.
The compromised edition in question was Linux Mint 17.3 ‘Cinnamon’ and the compromise window was restricted to 20th February.
Anyone downloading via a torrent, or directly using an HTTP link, will not be impacted by this attack.
Anyone other than a newcomer to Mint is unlikely to have been hit as the distro in question is a few months old now, so it’s hardly still rush hour for downloading ISO images.
That said, if you did download a Mint ISO image over the weekend then you would be well advised to check the MD5 checksum. This can be done with the md5sum command (‘md5sum xxx.iso’, replacing xxx with the ISO filename of course).
Valid checksums are as follows:
Wim Remes from Rapid7 points out that the back-doored version can also easily be identified by “looking for the file /var/lib/man.cy, which is a backdoor that allows the attackers to interact with the system using IRC.”
The IRC-based DDoS client called Kaiten is apparently the bot in question. As well as being capable of acting as a DDoS flooder, it’s also a stager for executing shell commands on infected systems.
If all of this were not bad enough, it has also emerged that during the site breach the user forums database at forums.linuxmint.com was compromised.
Someone posting to Hacker News with the username ryanlol mentions, tongue firmly in cheek, the “insanely secure db credentials” after quoting a username of lms14 (the same as the database name) and a password of upMint.
Linux Mint forum users are being advised to change their account passwords, and any sites where they have been reused, as a matter of urgency.
Linux Mint says that the compromised database included details such as email addresses, signature and profile information and copies of private messages and postings to private topics.
Forum passwords were encrypted, but obviously they remain at risk from brute-forcing. The risk is greatest where relatively short and simple passwords were used, and where they are the same as those used for email or other accounts.
At this moment in time it is unknown if data relating to Mint user donations has been compromised, the only statement relating to this being “they might have taken more, but we can’t confirm it.”
What is known is that the attacker exploited flaws in WordPress to get a www-data shell on the Linux Mint site, which was using a custom theme that, according to Mint creator Clement Lefebvre, had “lax file permissions for a few hours.”
The combination of a less than fully hardened WordPress installation with phpBB-powered user forums, also known for being vulnerable to security exploits over the years, has proven to be a costly one, it seems.
Lefebvre says that his team have the names of three perpetrators, and that while “we don’t know their roles in this… if we ask for an investigation, this is where it will start.”
At the time of writing both the main Linux Mint site and the user forum remain down.