Juha Saarinen
Feb 22 2016

A popular Linux distribution has fallen prey to unknown attackers over the weekend, who redirected users to their own site hosting hacked ISO disk images of the operating system.

The compromised edition was Linux Mint 17.3 "Cinnamon", with both 32 and 64-bit variants of the operating system affected.

According to a Linux Mint project leader Clement Lefebvre, the attackers took advantage of liberal file permissions in a theme for the Wordpress content management system on the distribution's website, and redirected users to their own servers which contained the hacked ISO images.

However the attack appears to have expanded beyond the distribution of hacked ISO images, with the distribution’s user forum database being compromised as well.

Lefebvre later warned that attackers had acquired a copy of the database, containing forum usernames, encrypted passwords, email addresses, and potentially personal information that users might have entered into profiles and private messages.

While the passwords are encrypted, they can be be cracked with brute-force guessing, and Lefebvre advised users to change their passwords as a precaution.

Lefebvre has shut down the Linux Mint server after a second attack, to prevent further downloads of the compromised files. Torrents of the distribution, and direct downloads via HTTP were not affected .

A remote access backdoor was added to the Linux Mint images, that connects to the absentvodka.com domain in Bulgaria's capital Sofia.

Lefebvre suggested that users check for the presence of the malicious code with their computer or virtual machine offline. If a file called /var/lib/man.cy is found, the ISO was infected, he said.

If an infected system is found, Lefebvre advised users to take it offline, backup personal data, change passwords for sensitive websites and email accounts - and to reinstall the operating system.

He also advised users to delete the infected ISO files and if they'd been burnt to DVDs, bin the optical discs.

The absentvodka.com domain has anonymised registration details but appears not to be active currently, and doesn't resolve to an internet-reachable host.

Later investigation by Linux Mint users pointed to a commercial motive for the attack, with one person advertising shells or remote access to installations, and a PHP email sending applications for spamming on internet forums for 0.191 Bitcoin.

As of publishing, the Linux Mint website remains down.