The Linux Mint team revealed today that compromised ISO images of Linux Mint have been distributed from the official website on February 20th, 2016.
According to the blog post, the intrusion happened on February 20th and was detected shortly thereafter and fixed. The official homepage of the project is down at the time of writing.
This means that the attackers had only a limited time frame in which they were able to distribute the compromised ISO image.
The attackers managed to hack the website and manipulated download links on it that they pointed to one of their servers offering the compromised ISO image of Linux Mint.
Update: New information came to light. The site's forum was compromised, and users are urged to change passwords on all sites they have shared it with. In addition, the hacker managed to change the checksum on the Linux Mint website so that the hacked ISO images would verify when checked.
Update 2: The Linux Mint team released an update for the Linux distribution today that introduces a TSUNAMI detection program which checks for traces of the backdoor. If an infection is found, the team suggests to download Mint anew from the official website to install the new safe version on the computer.
The investigative team found out that the compromised version contains a backdoor that connects to a website hosted in Bulgaria.
Only downloads of Linux Mint 17.3 Cinnamon seems to have been affected by the hack.
What's interesting here is that torrent links were not affected, only direct links on the Linux Mint website.
The reason is simple; popular torrents are distributed from several seeders and peers, and once they are in circulation, it is not possible to manipulate the data, say replace it with a hacked image.
What you can do
If you have downloaded Linux Mint on February 20th from the official website using direct links, or downloaded the Linux distribution earlier and want to make sure that it is clean, then you have the following options.
If you have the ISO image available, you can check its signature to make sure it is valid. If you run Linux, use the command md5sum nameofiso.iso, e..g md5sum linuxmint-17.3-cinnamon-64bit.iso.
The ISO image is clean if the signature matches one of those listed below.
You may want to check network traffic if you don't have access to the ISO image anymore. The compromised version of Linux Mint 17.3 connects to absentvodka.com (this may change, so check for any connections that don't seem right).
Obviously, if you have downloaded the ISO image just yesterday, you can go the safe route and download a legitimate ISO again from the official site (use torrents), and install it.
Doing so ensures that the system is clean and without backdoor access.
The official website is not accessible at the time of writing. The Linux Mint team seems to have taken it down in order to investigate the hack and clean up the site to ensure that other areas have not been compromised as well.
The two main torrent files you may be interested in are:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.