
Hacked Linux Mint website distributed images with a "backdoor"


On February 21, the Linux Mint project leader, Clement Lefebvre, notified users of the popular distribution that the project's official website had been hacked by unidentified individuals. The download links for the distribution led to modified images of the system into which a Trojan had been embedded.

The project leader reported that only the Linux Mint 17.3 Cinnamon edition, links to which were on the site on February 20, was compromised. The few users who downloaded it are advised to delete the file and, of course, not to install it anywhere. To check downloaded files, you can use the MD5 hashes that Lefebvre listed in the blog entry.
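Checking a downloaded image against a published hash list, as an added example that is not part of the original article: it parses the coreutils `md5sum`/`sha256sum` list format, hashes the file in chunks so a multi-gigabyte ISO does not have to fit in memory, and treats a filename missing from the list as a failure. The filenames and hash values in the demo are constructed stand-ins, not values from the Linux Mint announcement. One caveat a practitioner would add: an unsigned MD5 list served from the same site the attackers controlled proves little, so a hash list signed with the project's key is what to check in practice.

```python
"""Verify a downloaded image against a published md5sum/sha256sum-style list."""
import hashlib
import hmac
import os
import tempfile


def parse_hash_list(text):
    """Return {filename: hexdigest} from md5sum/sha256sum output.

    Accepted line shapes (coreutils format):
        <hexdigest>  <filename>     text mode, two spaces
        <hexdigest> *<filename>     binary mode, space plus asterisk
    Lines whose digest is not MD5 (32 hex chars) or SHA-256 (64) are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the second space or the binary marker
        if not name or len(digest) not in (32, 64):
            continue
        entries[name] = digest.lower()
    return entries


def stream_digest(stream, algo="md5", chunk_size=1 << 20):
    """Hash a binary file-like object in 1 MiB chunks."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def verify_download(path, hash_list_text, algo="md5"):
    """Compare the file at `path` with its entry in the list.

    Returns (ok, expected, actual). `expected` is None when the filename is
    absent from the list; that case is reported as a failure, never a pass.
    """
    expected = parse_hash_list(hash_list_text).get(os.path.basename(path))
    with open(path, "rb") as fh:
        actual = stream_digest(fh, algo)
    if expected is None:
        return False, None, actual
    # compare_digest is the habitual constant-time comparison for digests
    return hmac.compare_digest(expected, actual), expected, actual


def demo():
    """Constructed, offline check: verify a clean file, then a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for an image; the name is not a real Mint file
        iso = os.path.join(tmp, "example-17.3-cinnamon.iso")
        with open(iso, "wb") as fh:
            fh.write(b"hello")
        # Constructed hash list: the MD5 of the stand-in contents above
        hash_list = "5d41402abc4b2a76b9719d911017c592  example-17.3-cinnamon.iso\n"
        ok_clean, _, _ = verify_download(iso, hash_list)

        # One appended byte models a modified image; the digest must change
        with open(iso, "ab") as fh:
            fh.write(b"\x00")
        ok_tampered, _, _ = verify_download(iso, hash_list)
        return ok_clean, ok_tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean image verified:", clean)       # True
    print("tampered image verified:", tampered)  # False
```

For a real download, pass the path of the ISO and the text of the published list to `verify_download`, using `algo="sha256"` when the list is a `sha256sum` list.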
So far, it is known that the modified ISO files are hosted in Bulgaria, and the names of the three people involved in placing them have already surfaced.

According to the preliminary results of the investigation, the Linux Mint team concluded that the hackers had penetrated the server through a hole in WordPress and thereby gained control of the www-data account. They were then able to change the download page so that its links pointed to a Bulgarian server with the IP address 5.104.175.212.

However, after the Linux Mint team corrected the links and reported this on their blog, the hackers changed the download page again. As a result, it was decided to take linuxmint.com completely offline for the time being, since it had become obvious that the threat had not been eliminated.

Security specialist Yonathan Klijnsma from Fox-IT offered his version of what happened. He noticed that a few hours before the Linux Mint blog announced the hack, someone had put access to the linuxmint website up for sale on the TheRealDeal marketplace (located in the "dark" part of the Internet, on Tor hidden services).

The hacker using the nickname peace_of_mind offered shell access, a PHP mailer and a full forum dump for 0.1910. Someone had already managed to buy it and posted the configuration file of the phpBB forum on Hacker News:

// phpBB 3.0.x auto-generated configuration file
// Do not change anything in this file!
$dbms = 'mysql';
$dbhost = 'localhost';
$dbport = '';
$dbname = 'lms14';
$dbuser = 'lms14';
$dbpasswd = 'upMint';

In the "fake" ISO files, only one change was found: the Tsunami Trojan was added in the file man.cy. It works as an IRC bot and is used for DDoS attacks, and it has been known since 2013.

Judging by the fact that the hackers built such a frivolous "back door" into the distribution, put access to the site up for sale, and then gave themselves away by changing the page again after the site owners thought they had eliminated the problem, this was a very inexperienced group or a lone amateur. And, given the popularity of this distribution, the outcome can be called fortunate.

Source: https://habr.com/ru/post/357014/