Beware of hacked ISOs if you downloaded Linux Mint on February 20th! Or at least what they (from Mint) say.
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
Does this affect you?
As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.
Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
How to check if your ISO is compromised?
If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).
The valid signatures are below:
If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
What to do if you are affected?
Delete the ISO. If you burnt it to DVD, trash the disc. If you burnt it to USB, format the stick.
If you installed this ISO on a computer:
Put the computer offline.
Backup your personal data, if any.
Reinstall the OS or format the partition.
Change your passwords for sensitive websites (for your email in particular).
Is everything back to normal now?
Not yet. They took the server down while fixing the issue.
Who did that?
The hacked ISOs are hosted on 126.96.36.199 and the backdoor connects to absentvodka.com.
Both lead to Sofia, Bulgaria, and the name of 3 people over there.
So as you can see, Bulgarian hackers did this. Not so proud right now 🙂 If my people are gonna hack something, there are tons of websites that need to be removed. But Linux Mint .. come on 🙂
EDIT: infected backdoor file exposed on GitHub. Malicious Linux Mint iso file can be searched: find / -iname man.cy