http://blog.linuxmint.com/?p=2994
http://arstechnica.com/security/2016/02 ... ck-attack/
Linux Mint servers hacked, malware'd ISOs being distributed
Last edited by barbaz on Tue Feb 23, 2016 11:47 pm, edited 1 time in total.
Reason: add Ars Technica link
*Always* check the changelogs BEFORE updating that important software!
-
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Linux Mint servers hacked, malware'd ISOs being distribu
barbaz wrote:
> http://blog.linuxmint.com/?p=2994

Says connection refused, seems like a bad link.
On Firefox
On Chrome
On Edge
IsUp.me
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Re: Linux Mint servers hacked, malware'd ISOs being distribu
Yeah, looks like they might have taken that entire server down - that server (Wordpress) is the route by which the haxxors gained entry.
I'll try to summarize what I remember:
- On 20 Feb., Linux Mint servers were hacked via Wordpress issue / permissions issue. Haxxor got a shell as user (or group?) www-data via a Wordpress PHP backdoor
- Linux Mint project used same server to host downloads as blog
- Download links to Linux Mint ISOs were swapped by links to compromised ISOs. The bad links use IP addresses (I think with first octet of 5? don't remember) as domain.
- Only Linux Mint Cinnamon 17.3 (both 32-bit and 64-bit) are known to have been compromised. Repository servers and other editions of Linux Mint are believed to be OK
- Linux Mint was hacked twice
- Linux Mint project is taking servers down while they investigate the issue.
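The link-swap described in the summary above (download links on the compromised page pointing at a bare IP address instead of the project's mirror) is something a site owner or mirror admin can check for automatically. The following Python script is an added example, not code from this thread or from the Linux Mint project: it parses a download page, picks out links to .iso files and flags any whose host is an IP literal (IPv4 or IPv6, which goes a little beyond the IPv4-only case mentioned in the thread) or whose host is not on an allowlist of expected mirror hosts. The sample HTML, the 192.0.2.10 address (from the documentation range) and the mirrors.example.org allowlist are all constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample download page (not the real Linux Mint page):
# one link points at the expected mirror, one has been swapped to a bare
# IP address (the pattern described in the thread), one points at a host
# that is not an approved mirror, and one is an ordinary relative page link.
SAMPLE_HTML = """
<html><body>
<a href="http://mirrors.example.org/linuxmint/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso">Cinnamon 64-bit</a>
<a href="http://192.0.2.10/linuxmint-17.3-cinnamon-32bit.iso">Cinnamon 32-bit</a>
<a href="https://www.example.net/iso/linuxmint-17.3-mate-64bit.iso">MATE 64-bit</a>
<a href="/about">About</a>
</body></html>
"""

# Hypothetical allowlist of hosts that are permitted to serve ISO images.
TRUSTED_HOSTS = {"mirrors.example.org"}


class LinkCollector(HTMLParser):
    """Collects every href value from <a> tags in the fed document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value.strip())


def is_ip_literal(host):
    """True if host is a bare IPv4 or IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_allowed(host, trusted_hosts):
    """Exact match or subdomain of an allowlisted host (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def classify(href, trusted_hosts):
    """Return a reason string if the link looks hijacked, else None."""
    host = urlparse(href).hostname or ""
    if not host:
        return None  # relative link: resolves to the page's own origin
    if is_ip_literal(host):
        return "ip-literal host"
    if not host_allowed(host, trusted_hosts):
        return "host not in allowlist"
    return None


def audit_download_links(html, trusted_hosts, suffixes=(".iso",)):
    """Return [(href, reason)] for every image link that fails the checks."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        path = urlparse(href).path.lower()
        if not path.endswith(suffixes):
            continue  # only audit links to installation images
        reason = classify(href, trusted_hosts)
        if reason:
            findings.append((href, reason))
    return findings


if __name__ == "__main__":
    for href, reason in audit_download_links(SAMPLE_HTML, TRUSTED_HOSTS):
        print(f"SUSPECT ({reason}): {href}")
```

Run against the sample page it reports the bare-IP link and the off-allowlist link and stays quiet about the legitimate mirror and the relative page link. Pointed at a fetched copy of a real download page on a schedule, the same check gives an early signal that the page (rather than the ISO files themselves) has been tampered with.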
-
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Linux Mint servers hacked, malware'd ISOs being distribu
Sounds about right, that might be why it's down.
Re: Linux Mint servers hacked, malware'd ISOs being distribu
Hmm...Wordpress has a long history of Swiss cheese security. Putting crucial files like operating system ISOs on the same server wasn't a good move.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: Linux Mint servers hacked, malware'd ISOs being distribu
I'm not clear on whether it was like that or was just the download links that were hosted on the same server.
-
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Linux Mint servers hacked, malware'd ISOs being distribu
@thrawn: Not at all wise. Although I personally use a highly customized version of Wordpress for myself and I do secure temporary files for mission critical distribution (of course there is extensive rewrite on the server side php code) but I still wouldn't put anything on there that I wasn't willing to lose and still be ok; and I certainly wouldn't open it up to the ENTIRE public, even if they find it on their own, little damage they could do - if any at all.
@barbaz: Given PHP's very powerful server side capabilities, anyone writing code that doesn't adhere to the strongest security parameters will leave the code wide open to being maliciously used and with absolute server side owner permissions. Very dangerous unless you know what you are doing. Just because people can't see the raw php source, an intelligent enough developer can exploit it relatively easily.
Re: Linux Mint servers hacked, malware'd ISOs being distribu
barbaz wrote:
> I'm not clear on whether it was like that or was just the download links that were hosted on the same server.

Good point, the attackers don't necessarily have to tamper with the real files.
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Linux Mint servers hacked, malware'd ISOs being distribu
Thrawn wrote:
> barbaz wrote:
> > I'm not clear on whether it was like that or was just the download links that were hosted on the same server.
>
> Good point, the attackers don't necessarily have to tamper with the real files.

Correct, a man-in-the-middle-esque hijacking of a CDN or secondary domain DNS and voila, you can intercept the requests and fulfill them any way you wish.