A hacker posted a tampered Linux Mint 17.3 Cinnamon edition on the official website on February 21, bundling a backdoor into the ISO that would have allowed attackers to gain remote access to infected systems via IRC servers.
The attacker goes under the alias of “Peace,” and it is believed that the Tsunami backdoor had been used in an attempt to build a botnet.
“Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it,” said Clem Lefebvre, creator of the Linux Mint distribution. “Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.”
The attacker also claimed that the official website’s forum had been copied twice, gaining access to some personally identifiable information, such as passwords, email addresses, and birthdates. The dump was allegedly posted in the Dark Web for 0.197 bitcoin, which is about $85 per download.
He claimed it all started with him “just poking around,” and said he found a vulnerability that gave him unauthorized access to the website and let him replace the download with his own tampered ISO. Using a server in Bulgaria, Peace hosted his ISO and added it as a mirror on the hacked website.
While the hacker’s motivation seems to have been “just having access in general,” it is still unclear how many users downloaded the tampered Linux distribution. One way to find out whether you downloaded a legitimate Linux Mint image is to compute your ISO’s MD5 checksum (a hash, not a cryptographic signature) and compare it with the one displayed on the official website, bearing in mind that a checksum published on a site that was itself compromised is only as trustworthy as that site.
“If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO),” said Lefebvre.
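The check Lefebvre describes, wrapped in a small POSIX shell function so the comparison is done by the script rather than by eye. This is an added example, not code from the article or from the Linux Mint project; the file name in the usage line is a placeholder, and the expected hash must be copied from the official download page. It goes slightly beyond the quoted command by accepting a different checksum tool (such as sha256sum) as an optional third argument.

```shell
#!/bin/sh
# Added example (not from the article): verify a downloaded ISO against a
# published checksum. Mirrors the quoted "md5sum yourfile.iso" check, but
# compares the result for you and exits non-zero on a mismatch.

# verify_iso FILE EXPECTED_HASH [TOOL]
#   TOOL defaults to md5sum, as in the article; sha256sum also works.
#   Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
verify_iso() {
    file=$1
    # Normalise the published hash to lower case so copy-pasted
    # upper-case hex still compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    tool=${3:-md5sum}

    if [ ! -f "$file" ]; then
        echo "MISSING: $file" >&2
        return 2
    fi

    # md5sum/sha256sum print "<hash>  <filename>"; keep only the hash field.
    actual=$("$tool" "$file" | cut -d' ' -f1)

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $tool $expected"
        return 0
    fi

    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (placeholder file name; paste the hash from the official page):
#   verify_iso linuxmint-17.3-cinnamon-64bit.iso <published-md5-hash>
```

A non-zero exit status makes the function usable in scripts and CI steps that fetch install media; a MISMATCH result means the image should not be written to disk or booted.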
Those of you who have already installed the tampered ISO on your machine are encouraged to take your computers offline, back up any stored data, reinstall the OS using the official ISO, and change all passwords as an extra precaution.