The hacker who attacked the Linux Mint portal explains how he did it

Linux Mint 17.2

We already announced in this blog that there was attacked Linux Mint servers to replace ISO images of the famous Linux distribution by other modified ones that this pirate had created. Thus, all those who have downloaded the ISO of the Linux Mint distribution will have installed on their machine a version that is not the original and that has been tampered with. At the moment the attack was known but the person responsible was not known, now the attacker is known who has even explained how he did it.

Furthermore, the hacker alleges that he not only affected the ISO images in the download area of ​​the official Linux Mint portal, but also other parts like forums, being able to have access to the usernames and passwords of all registered. Something that is a pretty serious security flaw. Having users and passwords from a registry in a forum may not be the worst, but being able to modify the ISOs so that users download modified distros with one purpose (to install a backdoor or backdoor to access the victim computer at will. ).

The person responsible for this, let me not call him "hacker", since "hacker" is quite another thing, he is hacker or cybercriminal calling himself Peace. Three days after his attack he has shown himself, also telling how he could take control of the Linux Mint servers. Something that has affected many, since Linux Mint is one of the most widely used Debian-based distros, behind the almighty Ubuntu. That is, it is not a rare distro that few use ...

But Peace has not shown neither his face nor his identity, it is only known that he lives in Europe and his name in the cyber world. He has also said that he does not belong to any known pirate group, he acts alone. And it all started when he was "walking around Linux Mint servers" in January and came across a vulnerability that allowed him to access the website's admin panel. And a few days later, the vulnerability still hadn't been fixed, so he went in and decided to compile his Linux Mint ISO with a backdoor and have everyone download this image from the mirror links he uploaded.

The ISO was uploaded to a Bulgarian file server. In addition, Peace encourages you to review the back door, as it is not too complex and is open source. So those affected already have entertainment ... Of course the MD5 signature was also varied by Peace to coincide with that of the modified ISO and thus leave those who downloaded it alone. Something that leads us to think if what we download is safe even if it has a verification of the sum of the MD5 hash (in addition, many do not even check it after downloading).

The database of forum logs of the Linux Mint website was also stolen twice and therefore user data has been compromised. But Peace does not stop there, it has also downloaded a whole copy of the forum, the first on January 28 and the second on February 18, so all those registered before this last date have their password and username in the hands of the pirated, since although they were encrypted, Peace says he has been able to decrypt them with ease by taking advantage of a PHPass flaw that managed the site's passwords.

Y Peace has put all the content up for sale: users, passwords, emails, scripts, etc. On the black market of the Deep Web, for a total of 0.197 Bitcoin, that is, $ 85. Above cheap ... If you want to check if your account has been compromised, visit HaveIBeenPwned. And if you have lowered the ISO by this time, your team will be compromised with the backdoor. Format and install a new trusted ISO.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

14 comments, leave yours

Leave a Comment

Your email address will not be published.

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   Asier said

    Hello, and thanks for sharing this info.
    There is an error in the link to HaveIBeenPwned, as it appears as haveibeedpwned (.com)
    Regards!

  2.   Luis said

    And how does that affect Albert Einstein himself?

  3.   Gibran barrera said

    An isolated fact !, I do not think so, although the Linux Mint developers have done an excellent job with this distribution, I dare to say that in some aspects it is even superior to Ubuntu; I believe that on more than one occasion Mint has shown that they do not have enough business acumen, as they are overly dependent on their community. But it does not have the experience of a Debian, with more than 20 years in the business, who has known how to design an organic structure, extremely effective and efficient, for its community.

    It has also not been able to capitalize on its success (if Ubuntu sets a goal or project, it has enough infrastructure to develop it), in Mint it is noticeable that the design of its main portal is very basic (I would even say archaic), which implies that its maintenance and tuning may not be adequate. The products and services it has available are not up to a second place in the distribution ranking, nor are the business relationships to position the distribution, (Ubuntu has eaten that cake and there is no one to stop it, with agreements with Hp, At & t, Bq, etc ...), in short I think that in MInt there is not enough money. This will obviously affect the quality, reliability and prestige of this distribution.

  4.   evilhack said

    Immediately they must change passwords for all the accounts, maybe they will unsubscribe those accounts ... surely he left a trace what he wanted was money that he kept that would do much good to damage linux a symbol of freedom and comparison has no shame

  5.   Jimmy olano said

    How delusional I am, I was one of those who immediately thought that the MD5 hash should be compared with the ISO ... but of course he already changed the password.

    THE FOLLOWING would be for us to check that the MD5 hashes of the "mirrors" all match, they should be the same, otherwise they snatched us again.

    I am researching the PHPass to have at least a notion of how it works.

    EYE THEREFORE to keep our servers always updated to MINIMIZE vulnerabilities.

  6.   mircocaloghero said

    Situations like these always come in handy as a slap on the wrist ...

  7.   phirus2 said

    Gentlemen, what a shit from the mint admins. A serious security flaw in the servers where the images are being replicated: | (no comment).

    PS: Why not call him a hacker ???? and if pirate ??? what is the difference???

    1.    Minsaku said

      «PS: Why not call him a hacker ???? and if pirate ??? what is the difference???"

      https://es.wikipedia.org/wiki/Hacker

      1.    phirus2phirus said

        Have you read the whole definition of hacker ???? It makes me laugh that people want to give you a meaning of goodness to the word hacker…. He's a guy with a skill

  8.   sea ​​water said

    Juas, I could have done it against the Ubuntu server…. at least they could fuck some fanboys XD

  9.   Angelo said

    Heh, They Backdoor Through Mirrors With 200 Commands

  10.   gerar said

    Hello, it's July 29, 2016, a couple of days ago, I installed my brand new Linux Mint distro, the last one, I was trying to activate, install, update etc etc my video driver or driver and it happens that I can't get tired of entering NOMODESET mode, I'm sad because I liked the distro, since 2008 I've been using some distros, now on my PC AMD Apu-HD6000D from 2011 it no longer accepts me to install these distros as it did before (the screen turns off after grub), no I know what the problem will be; The current installation progress is as follows: I managed to fully install and update the operating system always by entering nomodeset, I can not find the solution, I only know that as Mint says it only accepts open source drivers compatible with xorg and you have to look for the blessed video driver , I think I restarted my pc more than 50 times and still, if someone has a contribution, it is appreciated, slds

  11.   carlos rivafhy monterroso said

    I believe that it is very important to be well informed about the security of operating systems.