
Linux Mint site got pwned

Posted: Mon Feb 22, 2016 6:59 am
by kode-niner
Personal forum details getting stolen by hackers is bad enough, but what's really sad is they managed to hack one of the releases' ISOs.
Beware of hacked ISOs if you downloaded Linux Mint on February 20th!
Written by Clem on February 21st, 2016

I’m sorry I have to come with bad news.
We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.
What happened?
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
Does this affect you?
As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.
Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
Note: although Clem says that it only affects February 20th downloads, someone commented that he was still getting a hacked ISO on the 21st and that attacks might still be ongoing.

More info: http://blog.linuxmint.com/

Re: Linux Mint site got pwned

Posted: Tue Feb 23, 2016 8:04 pm
by Azrial
And they could not release a checksum verification tool?

Re: Linux Mint site got pwned

Posted: Tue Feb 23, 2016 9:25 pm
by Bill_TN
My ISO copies are from the 31st of Jan. I usually grab a new copy for the archives here, as soon as they come out. I know for sure that I got 32bit cinn. Also, if you use an older version to do the initial install, then the consecutive upgrade is supposed to be not affected.

Re: Linux Mint site got pwned

Posted: Wed Feb 24, 2016 7:32 pm
by kode-niner
Azrial wrote: And they could not release a checksum verification tool?
md5sum is part of all distributions' core utils. People have to use it, though.

Besides that, the site got hacked through a WordPress vuln, so the hash could be faked unless they take steps to protect its distribution or have it replicated on multiple sources to double-check its authenticity. It's just a lot for the average Joe to wrap his mind around when he's only trying to download the latest popular distro.
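
The cross-source check described in the last post, as an added example that is not part of the original thread or any Linux Mint tooling: an ISO is accepted only when md5sum-format checksum lists from two or more sources all match the local digest. The function names, file names and file contents are constructed for illustration, and the lists are assumed to have been fetched separately from independent hosts.

```shell
#!/bin/sh
# Added example: accept an ISO only when checksum lists obtained from several
# independent sources all agree with the digest computed locally.
# All file names and contents here are constructed for the demonstration.

# lookup_sum LIST NAME: print the digest recorded for NAME in an
# md5sum-format list ("digest  name" or "digest *name"); nothing if absent.
lookup_sum() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f)
        if (f == name) { print tolower($1); exit } }' "$1"
}

# verify_iso ISO LIST LIST...: 0 if every list matches the file, 1 on a
# missing entry or mismatch, 2 if fewer than two lists were supplied.
verify_iso() {
    iso=$1; shift
    [ "$#" -ge 2 ] || { echo "need two or more independent lists" >&2; return 2; }
    name=$(basename "$iso")
    actual=$(md5sum "$iso" | awk '{ print $1 }')
    for list in "$@"; do
        expected=$(lookup_sum "$list" "$name")
        [ -n "$expected" ] || { echo "MISSING: no $name entry in $list" >&2; return 1; }
        [ "$expected" = "$actual" ] || {
            echo "MISMATCH: $list lists $expected, file is $actual" >&2; return 1; }
    done
    echo "OK: $name matches all $# lists"
}

# demo: a swapped ISO plus a swapped checksum on the same site still fails,
# because the second source kept the original digest.
demo() {
    d=$(mktemp -d)
    printf 'constructed original image\n' > "$d/mint.iso"
    md5sum "$d/mint.iso" | sed "s|$d/||" > "$d/mirror.txt"
    printf 'constructed tampered image\n' > "$d/mint.iso"
    md5sum "$d/mint.iso" | sed "s|$d/||" > "$d/site.txt"
    verify_iso "$d/mint.iso" "$d/site.txt" "$d/mirror.txt" || echo "rejected"
    rm -rf "$d"
}
demo
```

sha256sum writes the same list format, so swapping it in for md5sum requires no other change.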