Hackers Breach Linux Mint Distribution, Forums

Attackers manage to breach Linux Mint's security, adding a backdoor to the distribution and even stealing information from user forums.

Linux Mint

The Linux Mint operating system community is reeling today after the public disclosure on Feb. 21 that hackers managed to infiltrate the popular Linux distribution and plant a backdoor in the system. Adding further insult to injury, hackers were also able to compromise the Linux Mint user forum, stealing username and password information. As a result of the attack, the LinuxMint.com Website is now offline as the distribution scrambles to restore confidence and security.

Linux Mint has emerged in recent years to become one of the most popular desktop Linux distributions in the world. A key part of Linux Mint's popularity is its Cinnamon desktop, which provides users with a different user interface from the more standard GNOME desktop. Linux Mint does, however, offer other desktop choices to users as well.

It appears that on Feb. 20 the attackers were only able to impact the most recent Linux Mint 17.3 Cinnamon edition (which eWEEK reviewed here), according to Clement Lefebvre, founder of Linux Mint.

Lefebvre noted the intrusion was brief and quickly discovered. "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," he wrote.

In addition to the hacked Linux Mint 17.3 Cinnamon Edition download, the attackers also compromised the user forums site (forums.linuxmint.com), stealing a copy of the entire database. Hackers now have usernames and passwords used on the Linux Mint forum Websites, and so it is imperative that users make sure they aren't using the same username/password combination on other sites.

In terms of root cause for the breach of Linux Mint's security, the finger is being pointed at a security issue with a poorly configured WordPress content management system (CMS) component.

"We found an uploaded php backdoor in the theme directory of a wordpress installation, which was one day old and had no plugins running," Lefebvre commented.

Lefebvre explained that the WordPress theme was new and was set up with incomplete file permissions. the vulnerability was not an exploit of the WordPress core application and that Linux Mint is running the latest version of WordPress, he said. The WordPress 4.4.2 update debuted at the beginning of February, patching a pair of security flaws.

After gaining access to the Linux Mint Website by way of the vulnerable WordPress theme component, the attackers were able to point the Linux Mint 17.3 Cinnamon edition download link to a malicious version of the operating system that embeds the Tsunami Trojan. Tsunami is not a new form of malware, and it's not unique to Linux either. Back in 2011, Tsunami was able to hijack Apple Mac OS X systems in order to launch distributed denial-of-service (DDoS) attacks.

In regard to who is responsible for the attack, Linux Mint has identified that the hacked versions of its operating system were pointed to servers located in Sofia, Bulgaria.

"What we don't know is the motivation behind this attack," Lefebvre wrote. "If more efforts are made to attack our project and if the goal is to hurt us, we'll get in touch with authorities and security firms to confront the people behind this."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.