Language Selection

English French German Italian Portuguese Spanish

Linux Mint Website Hacked, Users Tricked Into Downloading ISOs with Backdoors

Filed under
GNU
Linux
Security
Web

Just a few moments ago, Clement Lefebvre, leader of the Linux Mint project, informes users of the popular, Ubuntu-based distribution that the servers where the Linux Mint website is hosted have been hacked to point the download links to specially crafted ISOs.

According to Mr. Lefebvre, it appears that a group of hackers created a modified Linux Mint ISO, which included a backdoor. Then, they hacked into the Linux Mint website and modified the download links to trick users into downloading the malicious ISO image.

Read more

More on the Story

  • Linux Mint hacked, ISO images compromised

    The Linux Mint team revealed today that compromised ISO images of Linux Mint have been distributed from the official website on February 20th, 2016.

  • Linux Mint website hacked, malicious ISO offered on Saturday

    In a surprising announcement, Clement Lefebvre -- head of the Linux Mint project -- said that the Linux Mint website had been compromised and that the hackers were able to edit the site to point to a malicious ISO of Linux Mint 17.3 Cinnamon edition on Saturday 20th, February.

    If you downloaded the Cinnamon edition prior to Saturday or downloaded a different version/flavour (including Mint 17.3 Cinnamon via torrent or direct HTTP link) you aren't affected. It's worth mentioning that since the issue was caught, everything has since returned back to normal now so it's safe to download the Linux Mint ISOs again.

  • Beware of hacked ISOs if you downloaded Linux Mint on February 20th!

    We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

  • Linux Mint downloads (briefly) compromised

Latest on Linux Mint

Response and Lessons

  • All forums users should change their passwords.
  • Backdoored Linux Mint, and the Perils of Checksums

    Someone hacked the website of Linux Mint — which, according to Wikipedia’s traffic analysis report is the 3rd most popular desktop Linux distribution after Ubuntu and Fedora — and replaced links to ISO downloads with a backdoored version of the operating system. This blog post explains the situation.

    [...]

    Besides the fact that the website isn’t available over HTTPS so network attackers could change those MD5 checksums to whatever they want as you load the blog post, MD5 is entirely broken and has been for many years. MD5 should never be relied on for verifying that you have the legitimate version of a file. It would not be difficult for someone to generate a backdoored Linux Mint ISO that has the same MD5 checksum as the legitimate ISO. Likewise, while SHA1 is considerable stronger, it also should not be used for security purposes anymore. Wikipedia’s SHA1 article says: “SHA-1 is no longer considered secure against well-funded opponent.”

  • Lessons from the Linux Mint Hack

    Unless you’re completely unplugged from the Linux news media, by now you’ve heard about the exploit that affected both the Linux Mint WordPress site and the Linux Mint 17.3 Cinnamon edition.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Red Hat Enterprise Linux 7.3 Beta Adds NVDIMM Support, Improves Security

Today, August 25, 2016, Red Hat announced that version 7.3 of its powerful Red Hat Enterprise Linux operating system is now in development, and a Beta build is available for download and testing. Red Hat Enterprise Linux 7.3 Beta brings lots of improvements and innovations, support for new hardware devices, and improves the overall security of the Linux kernel-based operating system used by some of the biggest enterprises and organizations around the globe. Among some of the major new features implemented in the Red Hat Enterprise Linux 7.3 release, we can mention important networking improvements, and support for Non-Volatile Dual In-line Memory Modules (NVDIMMs). Read more Also: CentOS 6 Linux OS Receives Important Kernel Security Update from Red Hat Release of Red Hat Virtualization 4 Offers New Functionality for Workloads

Ubuntu 16.10 Beta 1 Released, Available to Download Now

The Ubuntu 16.10 Beta 1 releases are now available to download. You know the drill by now: {num} Ubuntu flavors, some freshly pressed ISOs, plenty of new bugs to find and no guarantees that things won’t go boom. Read more Also: Ubuntu 16.10 Beta Launches for Opt-in Flavors, Adds GCC 6.2 and LibreOffice 5.2

Games for GNU/Linux

PC-BSD Becomes TrueOS, FreeBSD 11.0 Reaches RC2

  • More Details On PC-BSD's Rebranding As TrueOS
    Most Phoronix readers know PC-BSD as the BSD operating system derived from FreeBSD that aims to be user-friendly on the desktop side and they've done a fairly good job at that over the years. However, the OS has been in the process of re-branding itself as TrueOS. PC-BSD has been offering "TrueOS Server" for a while now as their FreeBSD-based server offering. But around the upcoming FreeBSD 11.0 release they are looking to re-brand their primary desktop download too now as TrueOS.
  • FreeBSD 11.0-RC2 Arrives With Fixes
    The second release candidate to the upcoming FreeBSD 11 is now available for testing. FreeBSD 11.0-RC2 ships with various bug fixes, several networking related changes, Clang compiler fixes, and other updates. FreeBSD 11.0 is bringing updated KMS drivers, Linux binary compatibility layer improvements, UEFI improvements, Bhyve virtualization improvements, and a plethora of other work. Those not yet familiar with FreeBSD 11 can see the what's new guide.