Linux Mint servers hacked, malware'd ISOs being distributed

barbaz
Senior Member
Posts: 9140
Joined: Sat Aug 03, 2013 5:45 pm

Linux Mint servers hacked, malware'd ISOs being distributed

Post by barbaz » Tue Feb 23, 2016 5:07 pm

Last edited by barbaz on Tue Feb 23, 2016 11:47 pm, edited 1 time in total.
Reason: add Ars Technica link
*Always* check the changelogs BEFORE updating that important software!
-

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Post by GµårÐïåñ » Tue Feb 23, 2016 10:39 pm


Says connection refused, seems like a bad link.

[Screenshots of the refused connection: Firefox, Chrome, Edge, IsUp.me]
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________

barbaz
Senior Member
Posts: 9140
Joined: Sat Aug 03, 2013 5:45 pm

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Post by barbaz » Tue Feb 23, 2016 10:58 pm

Yeah, looks like they might have taken that entire server down - that server (Wordpress) is the route by which the haxxors gained entry.
I'll try to summarize what I remember:
- On 20 Feb., Linux Mint servers were hacked via Wordpress issue / permissions issue. Haxxor got a shell as user (or group?) www-data via a Wordpress PHP backdoor
- Linux Mint project used same server to host downloads as blog
- Download links to Linux Mint ISOs were swapped for links to compromised ISOs. The bad links use IP addresses (I think with first octet of 5? don't remember) as domain.
- Only Linux Mint Cinnamon 17.3 (both 32-bit and 64-bit) is known to have been compromised. Repository servers and other editions of Linux Mint are believed to be OK
- Linux Mint was hacked twice
- Linux Mint project is taking servers down while they investigate the issue.
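The summary above describes two things a downloader can actually check for: ISO links whose host is a bare IP address instead of the project's download host, and an ISO whose contents differ from the published digest. The following is an added example (not code from this thread or from the Linux Mint project) that audits the links on a download page and compares a downloaded file's SHA-256 against a digest obtained separately. The allowlisted hosts, the sample HTML, and the 203.0.113.7 address are constructed placeholders for this example.

```python
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allowlist: the hosts a download page is expected to link to.
# Placeholders for this example, not Linux Mint's real download hosts.
ALLOWED_HOSTS = {"downloads.example.org", "mirror.example.net"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample page: one good link, one bare-IP link (the pattern
# described in the thread), one link to a host outside the allowlist.
SAMPLE_PAGE = """
<a href="https://downloads.example.org/linuxmint-17.3-cinnamon-64bit.iso">64-bit</a>
<a href="http://203.0.113.7/linuxmint-17.3-cinnamon-32bit.iso">32-bit</a>
<a href="https://evil-mirror.example.com/linuxmint-17.3-cinnamon-64bit.iso">alt</a>
"""


def host_is_bare_ip(host):
    """True if the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def audit_download_links(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (url, reason) for every .iso link on the page that should not be trusted.

    Checks, in order: bare-IP host, host outside the allowlist, non-HTTPS scheme.
    A link that passes all three produces no finding.
    """
    findings = []
    for url in HREF_RE.findall(html):
        if not url.lower().endswith(".iso"):
            continue
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host_is_bare_ip(host):
            findings.append((url, "host is a bare IP address"))
        elif host not in allowed_hosts:
            findings.append((url, "host not on allowlist"))
        elif parsed.scheme != "https":
            findings.append((url, "not served over https"))
    return findings


def verify_iso(data, expected_sha256):
    """Compare the SHA-256 of the downloaded bytes with a separately obtained digest.

    The digest must come from a trusted channel (e.g. a signed checksum file),
    not from the same page that served the link, since that page is exactly
    what was altered in the incident.
    """
    actual = hashlib.sha256(data).hexdigest()
    return actual == expected_sha256.lower()


if __name__ == "__main__":
    for url, reason in audit_download_links(SAMPLE_PAGE):
        print(f"SUSPECT {url}: {reason}")
    # Constructed check: SHA-256 of b"abc" is a well-known test vector.
    print(verify_iso(b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"))
```

Run against the constructed page, the audit flags the bare-IP link and the off-allowlist link and passes the first one; the hash check is the step that still catches a swapped file even when the link itself looks fine.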

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Post by GµårÐïåñ » Wed Feb 24, 2016 12:56 am

Sounds about right, that might be why it's down.

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Post by Thrawn » Wed Feb 24, 2016 4:03 am

Hmm...Wordpress has a long history of Swiss cheese security. Putting crucial files like operating system ISOs on the same server wasn't a good move.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.

barbaz
Senior Member
Posts: 9140
Joined: Sat Aug 03, 2013 5:45 pm

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Post by barbaz » Wed Feb 24, 2016 4:10 am

I'm not clear on whether it was like that, or whether it was just the download links that were hosted on the same server.

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Post by GµårÐïåñ » Wed Feb 24, 2016 6:29 pm

@thrawn: Not at all wise. I personally use a highly customized version of Wordpress for myself, and I do secure temporary files for mission-critical distribution (of course there is extensive rewrite on the server-side PHP code), but I still wouldn't put anything on there that I wasn't willing to lose and still be OK; and I certainly wouldn't open it up to the ENTIRE public. Even if they find it on their own, there is little damage they could do, if any at all.

@barbaz: Given PHP's very powerful server-side capabilities, anyone writing code that doesn't adhere to the strongest security parameters will leave the code wide open to being maliciously used, and with absolute server-side owner permissions. Very dangerous unless you know what you are doing. Even though people can't see the raw PHP source, an intelligent enough developer can exploit it relatively easily.

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Post by Thrawn » Wed Feb 24, 2016 11:57 pm

barbaz wrote:I'm not clear on whether it was like that or was just the download links that were hosted on the same server.

Good point, the attackers don't necessarily have to tamper with the real files.

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Post by GµårÐïåñ » Thu Feb 25, 2016 3:12 am

Thrawn wrote:
barbaz wrote:I'm not clear on whether it was like that or was just the download links that were hosted on the same server.

Good point, the attackers don't necessarily have to tamper with the real files.

Correct, a man-in-the-middle-esque hijacking of a CDN or secondary domain DNS and voilà, you can intercept the requests and fulfill them any way you wish.
