Linux Mint servers hacked, malware'd ISOs being distributed

Posted: Tue Feb 23, 2016 5:07 pm
by barbaz

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Posted: Tue Feb 23, 2016 10:39 pm
by GµårÐïåñ
Says connection refused, seems like a bad link.

On Firefox: [screenshot]

On Chrome: [screenshot]

On Edge: [screenshot]

IsUp.me: [screenshot]

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Posted: Tue Feb 23, 2016 10:58 pm
by barbaz
Yeah, looks like they might have taken that entire server down - that server (Wordpress) is the route by which the haxxors gained entry.
I'll try to summarize what I remember:
- On 20 Feb., Linux Mint servers were hacked via Wordpress issue / permissions issue. Haxxor got a shell as user (or group?) www-data via a Wordpress PHP backdoor
- Linux Mint project used same server to host downloads as blog
- Download links to Linux Mint ISOs were swapped by links to compromised ISOs. The bad links use IP addresses (I think with first octet of 5? don't remember) as domain.
- Only Linux Mint Cinnamon 17.3 (both 32-bit and 64-bit) are known to have been compromised. Repository servers and other editions of Linux Mint are believed to be OK
- Linux Mint was hacked twice
- Linux Mint project is taking servers down while they investigate the issue.

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Posted: Wed Feb 24, 2016 12:56 am
by GµårÐïåñ
Sounds about right, that might be why it's down.

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Posted: Wed Feb 24, 2016 4:03 am
by Thrawn
Hmm...Wordpress has a long history of Swiss cheese security. Putting crucial files like operating system ISOs on the same server wasn't a good move.

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Posted: Wed Feb 24, 2016 4:10 am
by barbaz
I'm not clear on whether it was like that or was just the download links that were hosted on the same server.

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Posted: Wed Feb 24, 2016 6:29 pm
by GµårÐïåñ
@thrawn: Not at all wise. Although I personally use a highly customized version of Wordpress for myself and I do secure temporary files for mission critical distribution (of course there is extensive rewrite on the server side php code), I still wouldn't put anything on there that I wasn't willing to lose and still be ok; and I certainly wouldn't open it up to the ENTIRE public. Even if they find it on their own, there's little damage they could do - if any at all.

@barbaz: Given PHP's very powerful server side capabilities, anyone writing code that doesn't adhere to the strongest security parameters will leave the code wide open to being maliciously used and with absolute server side owner permissions. Very dangerous unless you know what you are doing. Just because people can't see the raw php source, an intelligent enough developer can exploit it relatively easily.

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Posted: Wed Feb 24, 2016 11:57 pm
by Thrawn
barbaz wrote: I'm not clear on whether it was like that or was just the download links that were hosted on the same server.
Good point, the attackers don't necessarily have to tamper with the real files.

Re: Linux Mint servers hacked, malware'd ISOs being distributed

Posted: Thu Feb 25, 2016 3:12 am
by GµårÐïåñ
Thrawn wrote:
barbaz wrote: I'm not clear on whether it was like that or was just the download links that were hosted on the same server.
Good point, the attackers don't necessarily have to tamper with the real files.
Correct, a man-in-the-middle-esque hijacking of a CDN or secondary domain DNS and voila, you can intercept the requests and fulfill them any way you wish.
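Both the swapped download links in barbaz's summary and the redirected-download scenario in the reply above come down to the same thing for the person fetching an image: the bytes that arrive may not be the bytes the project published, regardless of which server or link served them. The defender's check is to compare the downloaded image against a published digest that was obtained from a trusted source. The script below is an added example written for this thread, not code from the Linux Mint project or from any poster; the filename, the file contents and the checksum text are constructed inline so it runs offline. It parses the `sha256sum`-style "digest  filename" format, hashes the file in chunks, compares with a constant-time comparison, and treats a missing entry as a failure rather than a pass.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One line of sha256sum output: 64 hex chars, whitespace, optional '*' (binary mode), filename.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text):
    """Return {filename: lowercase digest} from sha256sum-style text.

    Blank lines and '#' comments are skipped; any other line that does not
    fit the format raises, so a corrupted or truncated sums file is noticed
    instead of silently yielding an empty table.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so multi-gigabyte ISOs do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(iso_path, sha256sums_text):
    """True only if the file's digest matches the entry listed for its basename.

    A file with no entry in the sums text is reported as failing: "nothing to
    compare against" must not be mistaken for "verified".
    """
    expected = parse_sha256sums(sha256sums_text).get(os.path.basename(iso_path))
    if expected is None:
        return False
    actual = sha256_of_file(iso_path)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed end-to-end run: the genuine file passes, a one-byte change fails."""
    with tempfile.TemporaryDirectory() as d:
        name = "example-distro-64bit.iso"  # constructed name, not a real image
        iso = os.path.join(d, name)
        with open(iso, "wb") as f:
            # Constructed stand-in contents; a real ISO is just a larger byte stream.
            f.write(b"\x00" * 4096 + b"ISO9660 stand-in payload" + b"\xff" * 4096)
        # Sums text as the project would publish it (constructed here from the genuine file).
        sums_text = f"{sha256_of_file(iso)}  {name}\n"
        ok_before = verify_iso(iso, sums_text)
        with open(iso, "r+b") as f:
            f.seek(4096)
            f.write(b"X")  # simulate an image that was altered in transit or on the server
        ok_after = verify_iso(iso, sums_text)
        return ok_before, ok_after


if __name__ == "__main__":
    print("genuine ok, tampered ok =", demo())
```

The comparison is only as good as the source of the digest: a sums file served from the same compromised page as the swapped link can be swapped along with it, so in practice the sums file itself should be checked against a detached signature made with a project key obtained out-of-band before any digest in it is trusted.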