Linux Mint hacked, ISO images compromised

Martin Brinkmann
Feb 21, 2016
Updated • Jan 4, 2018
Linux, Linux Mint

The Linux Mint team revealed today that compromised ISO images of Linux Mint have been distributed from the official website on February 20th, 2016.

According to the blog post, the intrusion happened on February 20th and was detected shortly thereafter and fixed. The official homepage of the project is down at the time of writing.

This means that the attackers had only a limited time frame in which they were able to distribute the compromised ISO image.

The attackers managed to hack the website and manipulated download links on it that they pointed to one of their servers offering the compromised ISO image of Linux Mint.

Update: New information came to light. The site's forum was compromised, and users are urged to change passwords on all sites they have shared it with. In addition, the hacker managed to change the checksum on the Linux Mint website so that the hacked ISO images would verify when checked.

Update 2: The Linux Mint team released an update for the Linux distribution today that introduces a TSUNAMI detection program which checks for traces of the backdoor. If an infection is found, the team suggests to download Mint anew from the official website to install the new safe version on the computer.

Linux Mint hacked

The investigative team found out that the compromised version contains a backdoor that connects to a website hosted in Bulgaria.

Only downloads of Linux Mint 17.3 Cinnamon seems to have been affected by the hack.

What's interesting here is that torrent links were not affected, only direct links on the Linux Mint website.

The reason is simple; popular torrents are distributed from several seeders and peers, and once they are in circulation, it is not possible to manipulate the data, say replace it with a hacked image.

What you can do

If you have downloaded Linux Mint on February 20th from the official website using direct links, or downloaded the Linux distribution earlier and want to make sure that it is clean, then you have the following options.

If you have the ISO image available, you can check its signature to make sure it is valid. If you run Linux, use the command md5sum nameofiso.iso, e..g md5sum linuxmint-17.3-cinnamon-64bit.iso.

Windows users can use a program like RekSFV or File Verifier for that instead.

The ISO image is clean if the signature matches one of those listed below.

6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso

You may want to check network traffic if you don't have access to the ISO image anymore. The compromised version of Linux Mint 17.3 connects to (this may change, so check for any connections that don't seem right).

Obviously, if you have downloaded the ISO image just yesterday, you can go the safe route and download a legitimate ISO again from the official site (use torrents), and install it.

Doing so ensures that the system is clean and without backdoor access.

The official website is not accessible at the time of writing. The Linux Mint team seems to have taken it down in order to investigate the hack and clean up the site to ensure that other areas have not been compromised as well.

The two main torrent files you may be interested in are:

Linux Mint hacked, ISO images compromised
Article Name
Linux Mint hacked, ISO images compromised
The Linux Mint team revealed today that compromised ISO images of Linux Mint have been distributed from the official website on February 20th, 2016.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Techsolveprac said on July 2, 2019 at 2:20 pm

    You can verify Integrity and Authenticity of Linux Mint ISO in following 7 steps:
    Step 1: Download ISO Image File
    Step 2: Download SHA256 Sum and Signing files
    Step 3: Prepare your system to check Linux Mint ISO
    Step 4: Open Application to execute verification commands to check Linux Mint ISO
    Step 5: Run SHA256 sum generation command
    Step 6: Check Linux Mint ISO File’s Integrity
    Step 7: Check Linux Mint ISO File’s Authenticity

    I would like to suggest an article which mentions details of each of the above mentioned steps to check Linux Mint ISO file for Integrity and Authenticity for latest version Linux Mint 19.1 ‘Tessa’

  2. George P. Burdell said on February 22, 2016 at 2:02 pm

    In “Multi Commander”, “File Checksum” is found under “Tools”. Maybe that will help you a little.


  3. A different Martin said on February 22, 2016 at 7:07 am

    Speaking of checking signatures/checksums, does anyone have a recommendation for a decent Windows Explorer shell extension for checking checksums? I usually use the one that’s built in to the Download Status Bar extension, immediately after I finish the download. I like it because you can pick the hash type (MD5, SHA1, MD2, SHA256, SHA384, or SHA512), it calculates the hash for you, you copy and paste the correct hash in a little box, and you get a green checkmark icon if it’s a match and a red exclamation mark icon if it isn’t. Unfortunately, once the download has been cleared from the Download Status Bar, the checksum feature isn’t available any more. I’ve got NirSoft’s HashMyFiles utility for stuff that’s already been downloaded and cleared, but it requires manually pasting the result and doing a visual comparison. I’m looking for something that’s as easy as the Download Status Bar utility. So — any recommendations?

    1. Martin Brinkmann said on February 22, 2016 at 7:24 am
      1. A different Martin said on February 22, 2016 at 8:59 pm

        @ Martin Brinkmann, anon, and George P. Burdell:

        Thanks! HashTab and Hash Check look good. I find HashTab’s “Hash Comparison” feature a little less visually taxing than Hash Check’s “Search” feature, even if HashTab is more resource heavy. As for Multi Commander, I work on other people’s computers moderately often, so on my own computer I avoid replacing standard Windows utilities like Windows Explorer with third-party ones (sometimes even when the third-party utilities are demonstrably superior). I have to be judicious about how many “non-standard” habits I develop and especially about losing touch with the default way of getting something done. I already get frustrated enough when the browser extensions I’ve come to depend on are missing…

      2. anon said on February 22, 2016 at 8:10 pm

        I’d recommend HashCheck instead.

  4. Pants said on February 22, 2016 at 3:55 am

    The md5 hashes on the site were altered to match the back-doored isos on the server in Bulgaria. Plus a whole heap of other info in that article. Micah Lee raises excellent points – they should be digitally signed (PGP) and MD5 and SHA-1 can be compromised (collisions).

  5. BillBlagger said on February 22, 2016 at 12:17 am

    Mint forums database compromised. “If you have an account on, please change your password on all sensitive websites as soon as possible.” On the Linux Mint blog.

    1. Martin Brinkmann said on February 22, 2016 at 7:31 am

      Thanks, I have updated the article.

  6. Robert said on February 21, 2016 at 10:30 pm

    Hahaha. At least Mint is being targeted instead of Ubuntu. This shows that Mint is more popular than Ubuntu.

  7. Costelloem said on February 21, 2016 at 8:00 pm

    How Horrible Do You Have To Be To Target Linux Mint! Whats Next, Kali Linux? I Would Have Been Fine Just Getting One Of The ISOs Through The Links Above However I Need The Virtualbox Images For A Little Project Im Working On. Thats Real Nice!

    I Think Those Hackers Should Go To Hell For This!

    1. Gonzo said on February 21, 2016 at 9:12 pm

      The Mint folks are completely at fault here. They didn’t follow best practices and have put their users at risk.

      Mint withholds, sometimes omitting security updates for stability reasons. They remove AppArmor (or used to, I haven’t kept up with what they’ve been doing) from the kernel. They altogether seem to have it backwards with regards to security.

      Mint users aren’t the most knowledgeable so they may not know or even care. This is what makes it worse IMO. Mint should take an approach of “my users are dumb, let’s protect them” not “my users are dumb, they’ll never know if we cut corners”.

      1. Jason said on February 23, 2016 at 12:03 am

        @Gonzo: I agree with your first two paragraphs, but your argument unravels into unfairness toward the LM devs and users in the last paragraph.

        I’ll be the first to point out that the devs are complacent in regards to security. (Sadly I suspect they *still* have not grasped this.) But I do not see evidence that they have ever tried to intentionally mislead their users as you suggest. Also, by what standard are you judging LM users’ level of knowledge? I would argue that they have shown a certain technical proficiency just by installing a Linux distro in the first place. Is the average LM user more tech-savvy than the average Gentoo user? I doubt it. But I don’t think we’re dealing with a community that needs to have everything done for them through automation and dumbing-down. (In fact such an approach would contradict one of the big attractions of Linux, which is the degree of user control it offers. No forced updates here!).

  8. CHEF-KOCH said on February 21, 2016 at 6:58 pm

    Can we skip the win vs linux BS ? Thanks.

    I think everything can be compromised. So over and over re-spell switch to xyz and be ‘secure’ is a lie/joke. According to latest market-share linux got 4%, I bet if everyone would use Linux it would be more attractive to hackers and then everyone would say exactly the opposite. It’s starts with the user, a simply look at signatures had could avoid this, Tails shows how to so that even the dumbest user understand to protect against faked stuff like this.

    I’m thankful for the news/notice so let’s keep an eye on the SHA1 and let’s compare and everything will be okay.

    1. user said on February 22, 2016 at 1:50 pm

      Linux, as FLOSS, pushes users to understand their system and learn best practices. Patches for security holes in FLOSS projects are usually released ASAP, not queued until the next “Patch Tuesday” or equivalent rolls around… or worse, kept open at the behest of more powerful entities until the public gets wind of it. FLOSS isn’t and cannot be lorded over by a single government pressing its will upon a company or development team or threatening them with financial retribution. Development is easily allowed to be distributed and endowed with legal assurances to do so. Another major difference is that hackers, performing in the moment with malicious intent or not, have the choice to release their energy and consistently gain recognition by improving the software, not simply by being locked out where the quickest emotional release is to tear it down or toy with unpatched users until the corporation decides it’s worth their while.

      Yes, it would be more attractive than it is now, and hackers could even become more abundant thanks to its license, but many of those same hackers are and would be developers among a community more supportive and accessible to those with hacking interest and veering them to use it in a way that is not only benevolent but helps the hacker himself and returns the favor millions-fold.

  9. anon said on February 21, 2016 at 3:33 pm

    You mean “cracked”. Hacking is a legitimate hobby.

    1. Pants said on February 21, 2016 at 4:44 pm

      Hacking is a perfectly acceptable terminology .

      A “malicious hacker” can also be called a cracker

      It’s an interesting argument, and I partially blame the media for screwing things up so much, that the definitions become blurred. This is normal, it’s the evolution of language. If “hackers” are white hats, then why is cyber-terrorism the domain of hacktivists?

  10. lolz said on February 21, 2016 at 3:24 pm

    hi Martin, colud you make review how turn off windows logs/events/performance counters/boot prefetch stuff/explorer thumbinals/sheduler tasks/etc stuff to lower disk access?
    from my point of view it will not only reduce fragmentation, it will increase some sort of privacy, increase propability on recovery in case of accidental file deletion, lower noise and prolond ssd’s life if one have any.

    1. Pants said on February 21, 2016 at 4:53 pm

      Off the top of my head – prolonging SSDs (and I am not an expert) – my understanding is that with the latest/more recent generations of SSDs (I read some ArsTechinca article I think on some extreme SSD testing) basically mean that you will basically not wear them out before they are obsolete/replaced. The article tested a number of makes/models and wrote them to death .. to the DEATH!

      Here’s the article .. I went and found it for you

      One thing you can do, is if you use Firefox, set it to not use disk cache (it will just use RAM). If you’re like most people, this will be the bulk of your activity. There’s probably a setting for this in Chrome as well. Think of the hundreds of thousands of little read/writes of little files every week. Portable FF uses this setting specifically to save those on a USB stick wear and to speed up the process (rather than bottle-necking the web data thru a USB connection).

      1. lolz said on February 21, 2016 at 7:56 pm


  11. juju said on February 21, 2016 at 11:56 am

    What is the url of that website in bulgaria? probably just CIA homos doing diversion from rainbows.

    1. Steve said on February 21, 2016 at 12:22 pm

      Seems like they used fake data for the origin of the hack. I live in Bulgaria and the address provided for the mentioned IP is fake (obviously fake).

  12. Pants said on February 21, 2016 at 10:32 am

    I actually downloaded and installed linuxmint-17.3-cinnamon-64bit.iso two days ago. I grabbed it via bittorent (I used the torrent file from the website). The iso is clean (MD5 hash matches). Always check iso signatures.

    But, who’s to say in future that if a source is compromised, that the website also doesn’t have its public info on hashes and/or links to torrent files compromised as well. The torrent file doesn’t really matter (as a security hole) if you check hashes, and the hash info is in numerous locations. Always check signatures.

    tl;dr: Always check signatures. Oh yeah, did I mention, always check signatures.

    PS: Always check signatures

    PPS: ..aaaaaand queue S2015 with his spammy incomprehensible comments and link to his BS site

  13. Adithya FRK said on February 21, 2016 at 9:12 am

    Another reason to see Bittorrent as a more efficient way to share files than seeing it as a crime in itself.

    1. Jason said on February 22, 2016 at 3:37 am

      That’s an important point. This kind of attack would be very difficult with a torrent download, which is why the torrent option remained unaffected.

      Anyway, torrents are definitely NOT seen as shady behaviour in the Linux community. Most Linux distributions are available via torrents these days, and lots of people download them that way (myself included). It’s usually faster, it saves the distro developer some bandwidth costs, and it has some inherent security advantages over the straight download.

  14. yoav said on February 21, 2016 at 8:52 am

    So Microsoft has started hacking Linux sites? (just kidding…probably)

    1. Sais said on February 22, 2016 at 7:42 am

      I doubt if Microsoft has to.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.