Beware of hacked ISOs if you downloaded Linux Mint on February 20th (opens in new tab)

(blog.linuxmint.com)

171 pointsty___ler10y ago61 comments

61 comments

I'll just leave this here

    forums.linuxmint.com pwd
  /root/hacked_distros/mint/var/www/forums.linuxmint.com
    forums.linuxmint.com cat config.php
  <?php
  // phpBB 3.0.x auto-generated configuration file
  // Do not change anything in this file!
  $dbms = 'mysql';
  $dbhost = 'localhost';
  $dbport = '';
  $dbname = 'lms14';
  $dbuser = 'lms14';
  $dbpasswd = 'upMint';

Perhaps the insanely secure db credentials had something to do with the breach?

But what would I know.

nickpsecurity10y ago

I was waiting for you to show up on this one esp how you called out Linode, etc. I figured you'd point out in detail just how behind the security curve they were. Haha.

nickpsecurity10y ago

Yo ryanlol, you made the press again except the pricks didn't mention your name:

http://news.softpedia.com/news/linux-mint-website-hack-a-tim...

ryanlol10y ago

I think calling softpedia "press" is an insult to every real journalist.

The fact that they're calling the bot "tsunami" just proves their incompetence. The bot isn't called tsunami, it's called kaiten and it's been open source for more than a decade.

https://packetstormsecurity.com/files/25575/kaiten.c.html

They also managed to confuse FTP and HTTP

>the hackers have only altered the man.cy [https://gist.github.com/Oweoqi/31239851e5b84dbba894] file, where they've added a new function called tsunami.

Doesn't look like they just added a new function called tsunami to me.

>Selling the forum's database for a meager $85 is a sign of their lack of vision. The group seems to have mishandled the entire hack, opting to distribute a silly IRC DDoS bot instead of more dangerous and lucrative malware like Bitcoin miners or banking trojans.

Stupid speculation by writer.

Linux Mint remains compromised despite the current events, it's rather unlikely that kaiten is used as a DDoS bot instead of just a stager to execute shell commands on the affected computers. The presence of DoS commands is meaningless, the only reason kaiten is still used today is because it runs everywhere so it seems fair to assume that that'd be why the attacker opted to just use it instead of writing their own. (No real benefit to that here)

Also, bitcoin mining stopped being lucrative ages ago.

edit: >One person seems to have bought the hackers' files and dumped the forum's config file on Hacker News discussions thread.

I neither bought nor sold the data.

2 more replies

cmurf10y ago

Might not hurt to post this in the comments section of the Mint blog.

orionblastar10y ago

If they used the same password on the forums and blog then they still have a problem. They need to be notified of this and change the password to a more secure one.

The config.php file should not be readable by an anonymous user, that is a security risk.

1 more reply

noisy_boy10y ago

I took the liberty of posting the link to that comment in Linux Mint blog comments. Hopefully they review that soon.

hackuser10y ago

You have an excellent point, but there's no reason to help attackers by giving them the credentials.

majewsky10y ago

Indeed. Instead of `cat`, OP could've used `sha256sum` on the config.php to prove the authenticity of your report without exposing the site to even more attacks.

1 more reply

btrask10y ago

I was trying to download Linux securely a month or so ago. It's actually embarrassingly difficult to do. The only two distros that did it right (that I could find) are Debian and Alpine Linux. The rest (including Mint and Ubuntu) had hashes (usually MD5) or GPG keys served over HTTP.

miscellaneous10y ago

I noticed last year that ubuntu.com - despite being the source from which most people download Ubuntu .isos - has no HTTPS capability and doesn't offer any checksums or gpg signatures on their download page. I believe you can find gpg signatures if you scratch around on their ftp server, but it is ridiculous to assume users will do this (especially when Ubuntu is trying to be a user-friendly distro).

Anyway, as a result I ended up emailing their webmaster asking why Ubuntu.com has no SSL cert. and I haven't heard anything back yet. I think it is pretty poor that a company like Canonical can have such a flagrant disregard for basic security practices, especially when it likes to market Ubuntu as a 'secure' OS.

RaleyField10y ago

It's a bit convoluted. Follow this guide - https://help.ubuntu.com/community/VerifyIsoHowto

If you are running Ubuntu then you already have signing key (run apt-key list), otherwise you can compare the full fingerprint with the one printed in terminal output in the guide that's hosted on https.

1 more reply

chei0aiV10y ago

If you can think of any improvements Debian could make, please do suggest them via bug reports or on the mailing list. If you would like to work on fixing some of our issues, here are the ones we know about:

https://wiki.debian.org/Hardening/RepoAndImages

btrask10y ago

Debian is already outstanding in this regard (and others)!

One minor suggestion would be to provide ISO hashes over HTTPS. It's just as secure as using GPG with fingerprints sent over HTTPS, and it's a lot easier.

The fingerprints (https://www.debian.org/CD/verify) could also be made more prominent (perhaps put on the main download page).

Thanks again!

kbaker10y ago

Maybe in a GPG-signed release email add magnet URLs for the official torrents.

This is kind of in 'No magnet: links for bittorrent downloads on SSL'

bcl10y ago

Fedora publishes GPG signed SHA256's of the iso's. eg. https://dl.fedoraproject.org/pub/fedora/linux/releases/23/Wo...

btrask10y ago

Thanks! Fedora was one I didn't try (to install; I use it all the time). However there's still no way to use RPMFusion: http://rpmfusion.org/keys

Maybe there's something I'm missing?

2 more replies

Marqin10y ago

Arch Linux has HTTPS mirrors and provide their GPG signature on HTTPS site.

emergentcypher10y ago

What I don't get about publishing the hashes, etc... if they are serving up tampered .iso files, why wouldn't they also change the website to serve the appropriate hashes for the hacked isos? For the verification to work I would think it needs to be PGP-signed and you should have the public key in advance.

cheez10y ago

Are torrents more secure? I usually use the torrents option.

kuschkufan10y ago

Yes they are. No risk of man-in-the-middle with torrents.

antnisp10y ago

Why is that a problem? If the hash is signed and the public key is trusted shouldn't that be secure?

cwyers10y ago

Because someone can do a man-in-the-middle attack and intercept the right hash and replace it with another one. And how do you verify that the public key is trusted for the first time?

1 more reply

mcpherrinm10y ago

I am pretty sad they're posting MD5 sums of the correct images: It's pretty trivial to collide MD5 -- and when you've got an active attacker, this is something you should worry about.

SHA1/2 at least, but preferably a gpg signature would be much better.

cmurf10y ago

In the comments section...

"You can find them at http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/ also along with signed sha256sums."

sfilipov10y ago

Yes, but why mention MD5 by default? Most machines that have md5sum installed also have sha1sum/sha256sum.

ryanlol10y ago

>It's pretty trivial to collide MD5

... collisions=/=second-preimage attacks

>SHA1/2 at least, but preferably a gpg signature would be much better.

SHA1/2 isn't any better, you're never going to get hit by file corruption that magically also is a md5 collision.

KMag10y ago

I think I understand you, but I think you could be a bit more explicit in your assertion.

I think you're saying MD5 is still a decent checksum for non-cryptographic purposes. Without a cryptographic signature or other authenticated integrity-checked distribution channel, there's very little advantage of using a cryptographic checksum.

1 more reply

_jomo10y ago

How do you get hit by file corruption when downloading via TCP in 2016? I don't recall this ever happening to me.

4 more replies

Dylan1680710y ago

When talking about specific files the attacker used in the past, MD5 is good enough to show it's not those.

anishathalye10y ago

It's somewhat disappointing that this blog article is served over HTTP, and it's impossible to access it via HTTPS. How do we know that these new MD5s are to be trusted?

bogus-10y ago

Linux Mint doesn't seem to prioritize security in general. No TLS for ISOs, no easily spottable signatures for ISOs, marking security updates untrusted by default...

RaleyField10y ago

They also ignore (at least they used to) DNS servers from DHCP and use Google's public DNS servers completely oblivious of why users might not want this.

jtchang10y ago

Well that is scary. I personally don't check ISO checksums and signatures very often. Probably the only time I do is when I sometimes get install errors and wonder if I got all the bits and if anything got corrupted.

RaleyField10y ago

> don't check ISO checksums

I've grown obsessive about it. When you're conscious about that it's amazing (to put mildly) how many prominent projects don't bother with any authentication.

detaro10y ago

If they managed to hack the site to point to the new iso, they probably also changed any checksums. Signatures help, if you have a way to verify that you are using the right key.

StavrosK10y ago

What other ways are there to download, apart from http and torrents?

praeivis10y ago

torrents cant get compromised so you are safe if downloaded via torrents.

khedoros10y ago

FTP?

StavrosK10y ago

I mean "what other ways do they have to download this?" All I saw is HTTP and Torrent, so I'm curious as to what exactly got compromised.

stock_toaster10y ago

maybe IRC and NNTP too.

i_have_to_speak10y ago

Looks like something is going on again. Their website is down currently. [21-Feb 02:55 UTC]

corvus_sapiens10y ago

"Edit by Clem: We shut down the server until we find the source of the second intrusion (probably something left by the first)."

http://blog.linuxmint.com/?p=2994

cdevs10y ago

Does anyone know the start date ? I had a friend install it for their laptop two weeks ago

detaro10y ago

>We were exposed to an intrusion today.

> [...]

>Finally, the situation both happened and was solved today, so it should only impact people who downloaded this edition on February 20th.

dghughes10y ago

Now you tell me.

j / k navigate · click thread line to collapse

61 comments

ryanlol10y ago

I'll just leave this here

    forums.linuxmint.com pwd
  /root/hacked_distros/mint/var/www/forums.linuxmint.com
    forums.linuxmint.com cat config.php
  <?php
  // phpBB 3.0.x auto-generated configuration file
  // Do not change anything in this file!
  $dbms = 'mysql';
  $dbhost = 'localhost';
  $dbport = '';
  $dbname = 'lms14';
  $dbuser = 'lms14';
  $dbpasswd = 'upMint';

Perhaps the insanely secure db credentials had something to do with the breach?

But what would I know.

nickpsecurity10y ago

I was waiting for you to show up on this one esp how you called out Linode, etc. I figured you'd point out in detail just how behind the security curve they were. Haha.

nickpsecurity10y ago

Yo ryanlol, you made the press again except the pricks didn't mention your name:

http://news.softpedia.com/news/linux-mint-website-hack-a-tim...

ryanlol10y ago

I think calling softpedia "press" is an insult to every real journalist.

The fact that they're calling the bot "tsunami" just proves their incompetence. The bot isn't called tsunami, it's called kaiten and it's been open source for more than a decade.

https://packetstormsecurity.com/files/25575/kaiten.c.html

They also managed to confuse FTP and HTTP

>the hackers have only altered the man.cy [https://gist.github.com/Oweoqi/31239851e5b84dbba894] file, where they've added a new function called tsunami.

Doesn't look like they just added a new function called tsunami to me.

Stupid speculation by writer.

Also, bitcoin mining stopped being lucrative ages ago.

edit: >One person seems to have bought the hackers' files and dumped the forum's config file on Hacker News discussions thread.

I neither bought nor sold the data.

2 more replies

cmurf10y ago

Might not hurt to post this in the comments section of the Mint blog.

orionblastar10y ago

If they used the same password on the forums and blog then they still have a problem. They need to be notified of this and change the password to a more secure one.

The config.php file should not be readable by an anonymous user, that is a security risk.

1 more reply

noisy_boy10y ago

I took the liberty of posting the link to that comment in Linux Mint blog comments. Hopefully they review that soon.

hackuser10y ago

You have an excellent point, but there's no reason to help attackers by giving them the credentials.

majewsky10y ago

Indeed. Instead of `cat`, OP could've used `sha256sum` on the config.php to prove the authenticity of your report without exposing the site to even more attacks.

1 more reply

btrask10y ago

miscellaneous10y ago

RaleyField10y ago

It's a bit convoluted. Follow this guide - https://help.ubuntu.com/community/VerifyIsoHowto

1 more reply

chei0aiV10y ago

https://wiki.debian.org/Hardening/RepoAndImages

btrask10y ago

Debian is already outstanding in this regard (and others)!

One minor suggestion would be to provide ISO hashes over HTTPS. It's just as secure as using GPG with fingerprints sent over HTTPS, and it's a lot easier.

The fingerprints (https://www.debian.org/CD/verify) could also be made more prominent (perhaps put on the main download page).

Thanks again!

kbaker10y ago

Maybe in a GPG-signed release email add magnet URLs for the official torrents.

This is kind of in 'No magnet: links for bittorrent downloads on SSL'

bcl10y ago

Fedora publishes GPG signed SHA256's of the iso's. eg. https://dl.fedoraproject.org/pub/fedora/linux/releases/23/Wo...

btrask10y ago

Thanks! Fedora was one I didn't try (to install; I use it all the time). However there's still no way to use RPMFusion: http://rpmfusion.org/keys

Maybe there's something I'm missing?

2 more replies

Marqin10y ago

Arch Linux has HTTPS mirrors and provide their GPG signature on HTTPS site.

emergentcypher10y ago

cheez10y ago

Are torrents more secure? I usually use the torrents option.

kuschkufan10y ago

Yes they are. No risk of man-in-the-middle with torrents.

antnisp10y ago

Why is that a problem? If the hash is signed and the public key is trusted shouldn't that be secure?

cwyers10y ago

Because someone can do a man-in-the-middle attack and intercept the right hash and replace it with another one. And how do you verify that the public key is trusted for the first time?

1 more reply

mcpherrinm10y ago

I am pretty sad they're posting MD5 sums of the correct images: It's pretty trivial to collide MD5 -- and when you've got an active attacker, this is something you should worry about.

SHA1/2 at least, but preferably a gpg signature would be much better.

cmurf10y ago

In the comments section...

"You can find them at http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/ also along with signed sha256sums."

sfilipov10y ago

Yes, but why mention MD5 by default? Most machines that have md5sum installed also have sha1sum/sha256sum.

ryanlol10y ago

>It's pretty trivial to collide MD5

... collisions=/=second-preimage attacks

>SHA1/2 at least, but preferably a gpg signature would be much better.

SHA1/2 isn't any better, you're never going to get hit by file corruption that magically also is a md5 collision.

KMag10y ago

I think I understand you, but I think you could be a bit more explicit in your assertion.

1 more reply

_jomo10y ago

How do you get hit by file corruption when downloading via TCP in 2016? I don't recall this ever happening to me.

4 more replies

Dylan1680710y ago

When talking about specific files the attacker used in the past, MD5 is good enough to show it's not those.

anishathalye10y ago

It's somewhat disappointing that this blog article is served over HTTP, and it's impossible to access it via HTTPS. How do we know that these new MD5s are to be trusted?

bogus-10y ago

Linux Mint doesn't seem to prioritize security in general. No TLS for ISOs, no easily spottable signatures for ISOs, marking security updates untrusted by default...

RaleyField10y ago

They also ignore (at least they used to) DNS servers from DHCP and use Google's public DNS servers completely oblivious of why users might not want this.

jtchang10y ago

RaleyField10y ago

> don't check ISO checksums

I've grown obsessive about it. When you're conscious about that it's amazing (to put mildly) how many prominent projects don't bother with any authentication.

detaro10y ago

If they managed to hack the site to point to the new iso, they probably also changed any checksums. Signatures help, if you have a way to verify that you are using the right key.

StavrosK10y ago

What other ways are there to download, apart from http and torrents?

praeivis10y ago

torrents cant get compromised so you are safe if downloaded via torrents.

khedoros10y ago

FTP?

StavrosK10y ago

I mean "what other ways do they have to download this?" All I saw is HTTP and Torrent, so I'm curious as to what exactly got compromised.

stock_toaster10y ago

maybe IRC and NNTP too.

i_have_to_speak10y ago

Looks like something is going on again. Their website is down currently. [21-Feb 02:55 UTC]

corvus_sapiens10y ago

"Edit by Clem: We shut down the server until we find the source of the second intrusion (probably something left by the first)."

http://blog.linuxmint.com/?p=2994

cdevs10y ago

Does anyone know the start date ? I had a friend install it for their laptop two weeks ago

detaro10y ago

>We were exposed to an intrusion today.

> [...]

>Finally, the situation both happened and was solved today, so it should only impact people who downloaded this edition on February 20th.

dghughes10y ago

Now you tell me.

j / k navigate · click thread line to collapse