Linux Mint hacked, ISO images compromised

The Linux Mint team revealed today that compromised ISO images of Linux Mint have been distributed from the official website on February 20th, 2016.

According to the blog post, the intrusion happened on February 20th and was detected shortly thereafter and fixed. The official homepage of the project is down at the time of writing.

This means that the attackers had only a limited time frame in which they were able to distribute the compromised ISO image.

The attackers managed to hack the website and manipulated download links on it that they pointed to one of their servers offering the compromised ISO image of Linux Mint.

Update: New information came to light. The site's forum was compromised, and users are urged to change passwords on all sites they have shared it with. In addition, the hacker managed to change the checksum on the Linux Mint website so that the hacked ISO images would verify when checked.

Linux Mint hacked

The investigative team found out that the compromised version contains a backdoor that connects to a website hosted in Bulgaria.

Only downloads of Linux Mint 17.3 Cinnamon seems to have been affected by the hack.

What's interesting here is that torrent links were not affected, only direct links on the Linux Mint website.

The reason is simple; popular torrents are distributed from several seeders and peers, and once they are in circulation, it is not possible to manipulate the data, say replace it with a hacked image.

What you can do

If you have downloaded Linux Mint on February 20th from the official website using direct links, or downloaded the Linux distribution earlier and want to make sure that it is clean, then you have the following options.

If you have the ISO image available, you can check its signature to make sure it is valid. If you run Linux, use the command md5sum nameofiso.iso, e..g md5sum linuxmint-17.3-cinnamon-64bit.iso.

Windows users can use a program like RekSFV or File Verifier for that instead.

The ISO image is clean if the signature matches one of those listed below.

6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso

You may want to check network traffic if you don't have access to the ISO image anymore. The compromised version of Linux Mint 17.3 connects to absentvodka.com (this may change, so check for any connections that don't seem right).

Obviously, if you have downloaded the ISO image just yesterday, you can go the safe route and download a legitimate ISO again from the official site (use torrents), and install it.

Doing so ensures that the system is clean and without backdoor access.

The official website is not accessible at the time of writing. The Linux Mint team seems to have taken it down in order to investigate the hack and clean up the site to ensure that other areas have not been compromised as well.

The two main torrent files you may be interested in are:

• Linux Mint 17.3 32-bit
• Linux Mint 17.3 64-bit