Linux Mint site hacked, users unwittingly download backdoored operating system

I hope you weren’t one of the hundreds of people who downloaded a compromised version of the Linux Mint operating system on Saturday.

Because if you were, it’s possible that you’re not just running one of the more user-friendly flavours of Linux on your computer but also playing host to a Linux ELF trojan called Tsunami, which can be used to steal files from your system and launch distributed denial-of-service (DDoS) attacks.

In a blog post, Clement Lefebvre, leader of the Linux Mint project, warned that hackers had managed to break into the Linux Mint servers, and replace ISO download links to point to a compromised version of Linux Mint 17.3 Cinnamon edition, hosted on a Bulgarian FTP server.

Upon discovering the security problem, the Linux Mint team is thought to have cleaned up its own site, only to be compromised again via an insecure installation of WordPress. In response, and while it was trying to get a proper handle on its vulnerabilities, the Linux Mint team wisely took linuxmint.com offline.

At the time of writing the main Linux Mint website remains unavailable.

Linux Mint website down

Lefebvre offered the following advice to users who may have downloaded the compromised version of Linux Mint:

What to do if you are affected?

Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.

If you installed this ISO on a computer:

  • Put the computer offline.
  • Backup your personal data, if any.
  • Reinstall the OS or format the partition.
  • Change your passwords for sensitive websites (for your email in particular).

Sadly, the problems do not appear to end there.

Fox-IT threat researcher Yonathan Klijnsma tweeted that he had found a hacker going by the moniker of “peace_of_mind” attempting to sell a phpBB forum database stolen from the Linux Mint server on an underground website.

In an interview with ZDNet reporter Zack Whittaker, the hacker claims to have compromised Linux Mint’s systems twice (on January 28 and February 18), stealing a complete copy of the site’s forum database, including the email addresses, birthdates, profile pictures, and hashed passwords of some 71,000 users.

There is no timeline yet for the return of Linux Mint’s website, but if I were a user who might have had their personal information exposed, or their computer compromised, I wouldn’t be wasting any time taking action to ensure that any damage was limited.

If your data may have ended up in the hands of the hacking underground, ensure that you are not using the same passwords anywhere else on the net.

And, of course, if your own computer might have downloaded a compromised version of Linux Mint, follow the recovery instructions and consider scanning everything you download with an up-to-date anti-virus in future.

Linux users should not fool themselves into believing that they are somehow magically immune from malware attacks.

Author Graham Cluley, We Live Security


Copyright © 2016 ESET, All Rights Reserved.