​Has your Linux Mint desktop been backdoored?

It was a lousy day for Linux Mint, a popular Linux desktop distribution. Clement Lefebvre, head of Linux Mint, revealed that the Mint web site had been hacked.


Lefebvre wrote on Sunday, “Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.”

Specifically, the hacker, whom we now know goes by Peace, cracked into the site via a security flaw in a WordPress plugin. Once there, according to Lefebvre, “they got a www-data shell.”

Inside the site, Peace edited the download page. The result was that when a user tried to download 64-bit version of the Linux Mint 17.3 with the Cinnamon desktop, the most popular edition, they were directed to a rogue download server.

Once there, a user would be sent a hacked copy of Mint containing the Tsunami malware program. This backdoor enables the controller to remotely access the system. When used in a botnet, Tsunami has often been used in distributed denial of service (DDoS) attacks.

Scary stuff, but the good news is that Linux Mint users spotted the problem early. Lefebvre took down the site to prevent the polluted Mint ISO images from being distributed any further.

Lefebvre reported that while the hackers were ready to deploy a corrupted 32-bit version of the Linux Mint 17.3 with the Cinnamon desktop, they did not redirect those links. None of the other versions of Linux Mint were affected.

If you tried to download Linux Mint directly from the Mint web site or from BitTorrent, you’re safe. You also can’t get infected by patching your already good Mint desktop.

In short, the only way you could have gotten a bad version was if you used a mirrored site to download the 64-bit version of the Linux Mint 17.3 with the Cinnamon desktop on Saturday.

To make sure your copy of the Linux Mint ISO is safe run the command “md5sum yourfile.iso” from a Linux shell (replacing “yourfile.iso” with the name of the downloaded file).

The following are the valid MD5 signatures:

  • 6e7f7e03500747c6c3bfece2c9c8394f — linuxmint-17.3-cinnamon-32bit.iso
  • e71a2aad8b58605e906dbea444dc4983 — linuxmint-17.3-cinnamon-64bit.iso
  • 30fef1aa1134c5f3778c77c4417f7238 — linuxmint-17.3-cinnamon-nocodecs-32bit.iso
  • 3406350a87c201cdca0927b1bc7c2ccd — linuxmint-17.3-cinnamon-nocodecs-64bit.iso
  • df38af96e99726bb0a1ef3e5cd47563d — linuxmint-17.3-cinnamon-oem-64bit.iso

If you see a different alphanumeric signature, delete the file. It’s either corrupt or infected. In either case you don’t want it.

Already have the ISO on a DVD or USB stick but you haven’t installed Mint yet? Then, disconnect your PC from the Internet and start up a Mint live session. Once in the live session, look for a file in the directory “/var/lib/man.cy.” If you see one, you have an infected ISO. Then, toss the DVD or reformat the USB stick as needed.

Let’s say you’re one of the few hundred who were infected. If that’s your sad case, take the following steps:

  • Disconnect your computer from the Internet.
  • Backup your personal data in the home directory
  • Format the partition.
  • Install a new, clean copy of Mint or some other operating system.
  • Change your passwords for sensitive websites (for your email in particular).
  • Restore your personal data.

It’s a nuisance, but it shouldn’t take long and very few of you will need to do this.

More troubling for most of us is the hacker also stole personal data from the web site’s forum. The hacker swiped the data twice: Once on January 28, and once on February 18, two days before the hack was confirmed.

This data includes:

  • Your forums username
  • An encrypted copy of your forums password
  • Your email address
  • Any personal information you might have put in your signature or profile
  • Any personal information you might written on the forums (including private topics and private messages)

The real problem here is that the passwords were encrypted with phpass, the popular WordPress encryption library that is no longer considered secure. If you used a weak password, it’s all too likely that a cracker can get your password with a program such as phpass-crack.

The real security problems aren’t the less than a thousand people who may have downloaded the corrupt ISO. The real issue is the more than 70,000 people who’ve had their information exposed.

You can check to see if your data has already been revealed to the world on the Have I Been Pwned web site. Even if this gives you a clean bill of health, you should still reset your Mint password. Once, that is, the site is back up.

As of Monday the website is still closed.

If you’ve used that same password on multiple sites, you’ll want to change those passwords as well. Based on my long, bitter experience with security, I’m sure many of you are using the same password on multiple sites.

Once that’s done, you’ll be fine and ready to face the next security threat. We can be dead certain there will be another one.