Linux Mint is one of the most popular desktop distributions of Linux in the world, so when the organization suffered a serious security breach late last month, it made waves in the open-source community.
Q: What, exactly, happened?
On Saturday, Feb. 20, somebody noticed that the download link for certain versions of the operating system on Mint’s official website had been changed. The fiddled-with link now pointed to a malicious website, hosted in Bulgaria.
Q. So what did this malicious website try to do?
It served up what appeared to be the file that people were trying to download – a disk image for installing Mint. However, it was a hacked copy, which included a backdoor into the installation. Simply put, if you installed Linux Mint using one of these corrupted images, you gave the hackers a direct line into your computer.
Q. Is that a complicated operation?
It sure was. In addition to creating the hacked version of Mint, the attacker had to compromise the website to ensure that the compromised copies could be distributed. So that’s a couple different moving parts to worry about. And while the whole thing was going on, the attacker grabbed complete copies of Mint’s forum data, including personally identifiable information and crackable passwords, selling the information online.
Q. How many installs were affected?
Hard to say exactly, although Level 3 Communications estimates in an analysis of the attack that “hundreds of users” may have downloaded the corrupted disk image.
Q. Who did it?
Apparently, a hacker going by the handle “Peace.” Peace gave an interview to ZDNet reporter Zach Whittaker, in which he or she explained that the idea was mainly just to get access to as many computers as possible, possibly for a botnet. Peace first gained access to the site in January, via a security vulnerability in a WordPress plugin.
Q. What did Mint do about it?
To its credit, the Mint team was pretty open about the whole thing, warning users as soon as they were aware of the hack and eventually taking down the site in order to halt the spread of the corrupted disk images.
Q. If I downloaded and installed Mint during the time the site was affected, how do I know if I’m vulnerable?
If you’ve got the .iso file still handy, you can compare the MD5 checksum to the one for legitimate copies listed at the official Mint blog. If not, check to see whether there’s a file in the folder /var/lib/man.cy. If the folder is empty, you should be OK. However, if there is a file in there, you probably have the compromised version, and should back up your personal data before wiping the hard drive and reinstalling your operating system.
Sign up for CIO Asia eNewsletters.