Linux Mint is one of the best distros around, but if you’ve installed it recently you might have done so using a compromised ISO image.
The Linux Mint team revealed today that hackers made a modified Linux Mint ISO with a backdoor in it, and managed to hack the Mint website so that it pointed to this bad version.
There is some good news, however: the Linux Mint team managed to discover the intrusion and take action quickly. The site is currently down.
It also only (as far as the team knows) affects the one edition -- Linux Mint 17.3 Cinnamon. If you downloaded a different release or version, or downloaded the OS via torrent or different direct HTTP link, you should be fine.
Also, the compromised version was only up on the site on 20 February -- so if you downloaded Mint before or after then, you don't need to worry.
Mint says the hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com. Both are in Sofia, Bulgaria. The team is investigating the hack, but the reason for it remains a mystery for now.
"What we don’t know is the motivation behind this attack," Mint admits. "If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this".
If you’re worried you might have downloaded and installed a compromised version, Mint advises you to check by following these instructions:
If you still have the ISO file, check its MD5 signature with the command "md5sum yourfile.iso" (where yourfile.iso is the name of the ISO).
The valid signatures are below:
6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso
If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
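The two checks above can be scripted. The following is an added example, not code from Mint or from the original article; the hash list is copied from the list above, while the function names, return codes and the optional ROOT argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: automates the two checks described in the article.
# Function names and return codes are assumptions of this sketch.
KNOWN_GOOD='6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso'

# check_iso FILE -> 0 hash is on the valid list, 1 not on the list, 2 unreadable
check_iso() {
    [ -f "$1" ] && [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    sum=$(md5sum < "$1" | cut -d' ' -f1)
    # Match on the hash alone: a downloaded ISO may have been renamed.
    match=$(printf '%s\n' "$KNOWN_GOOD" | awk -v h="$sum" '$1 == h { print $2 }')
    if [ -n "$match" ]; then
        echo "OK: $1 matches $match ($sum)"
        return 0
    fi
    echo "MISMATCH: $1 has MD5 $sum, which is not on the valid 17.3 Cinnamon list"
    return 1
}

# check_live_root [ROOT] -> 1 if ROOT/var/lib/man.cy exists (infected), else 0.
# ROOT defaults to / for use inside the offline live session; the argument
# exists so the check can be exercised against another directory tree.
check_live_root() {
    root=${1:-/}
    if [ -e "${root%/}/var/lib/man.cy" ]; then
        echo "INFECTED: ${root%/}/var/lib/man.cy is present"
        return 1
    fi
    echo "clean: no /var/lib/man.cy under $root"
    return 0
}

# Stand-alone use: sh thisscript.sh path/to/file.iso
if [ "$#" -gt 0 ]; then check_iso "$1"; fi
```

A match only shows that the file is byte-identical to one of the listed images. MD5 is not collision resistant, and the list is only as trustworthy as the channel it was obtained from.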
You can read more about the hack here.