Q: What, exactly, happened
On Saturday, Feb. 20, somebody noticed that the download link for certain versions of the operating system on Mint’s official website had been changed. The fiddled-with link now pointed to a malicious website, hosted in Bulgaria.
+ALSO ON NETWORK WORLD: Google CSO peers out from the fishbowl to talk security + RSA president slams crypto backdoors as useful only against petty criminals
Q. So what did this malicious website try to do
It served up what appeared to be the file that people were trying to download – a disk image for installing Mint. However, it was a hacked copy, which included a backdoor into the installation. Simply put, if you installed Linux Mint using one of these corrupted images, you gave the hackers a direct line into your computer.
Q. Is that a complicated operation
It sure was. In addition to creating the hacked version of Mint, the attacker had to compromise the website to ensure that the compromised copies could be distributed. So that’s a couple different moving parts to worry about. And while the whole thing was going on, the attacker grabbed complete copies of Mint’s forum data, including personally identifiable information and crackable passwords, selling the information online.
Q. How many installs were affected
Hard to say exactly, although Level 3 Communications estimates in an analysis of the attack that “hundreds of users” may have downloaded the corrupted disk image.
Q. Who did it
Apparently, a hacker going by the handle “Peace.” Peace gave an interview to ZDNet reporter Zach Whittaker, in which he or she explained that the idea was mainly just to get access to as many computers as possible, possibly for a botnet. Peace first gained access to the site in January, via a security vulnerability in a WordPress plugin.
Q. What did Mint do about it
To its credit, the Mint team was pretty open about the whole thing, warning users as soon as they were aware of the hack and eventually taking down the site in order to halt the spread of the corrupted disk images.
Q. If I downloaded and installed Mint during the time the site was affected, how do I know if I’m vulnerable
If you’ve got the .iso file still handy, you can compare the MD5 checksum to the one for legitimate copies listed at the official Mint blog. If not, check to see whether there’s a file in the folder /var/lib/man.cy. If the folder is empty, you should be OK. However, if there is a file in there, you probably have the compromised version, and should back up your personal data before wiping the hard drive and reinstalling your operating system.