Timeline Of Events: Linux Mint Website Hack That Distributed Malicious ISOs

An anonymous reader writes: The Linux Mint website was hacked last night and was pointing to malicious ISOs that contained an IRC bot known as TSUNAMI, used as part of an IRC DDoSing botnet. While the Linux Mint team says they were hacked via their WordPress site, security experts have discovered that their phpBB forum database was put up for sale on the Dark Web at around the same time of the hack. Also, it seems that after the Linux Mint team cleaned their website, the hackers reinfected it, which caused the developers to take it down altogether.

Re:WordPress ???

Ah, Drupal. Drupal is amazing, in that it's clear the developers looked at PHP, said "this is a horrible insecure language" and then decided "let's create a giant platform on top of it to try and fix up the flaws" rather than "let's look for a language that isn't terrible."

So now Drupal is its own language and library onto itself, and PHP has evolved to fix many of the problems Drupal attempts to solve but Drupal is stuck with their own implementations.

The amount of code Drupal has to load to render a single webpage is hilarious and somewhat worrying. It's enough that Drupal has to have its own code caching system on top of Zend or whatever you use to try and get performance to reasonable levels.

Which is probably the only reason you hear about WordPress getting hacked more than Drupal. Drupal has an impressive list of CVEs, but most people who try and use Drupal end up saying "fuck this" and using WordPress instead, because it's possible to get WordPress running without driving yourself insane.

Re:forum

[KGIII]

They were selling the database. The PMs aren't encrypted in most forums, I'm not sure about phpBB. The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords. They'll have email addresses that tie in with usernames. They'll know a little about the person so spear phishing is a possibility as is just plain phishing.

I've got some data involved in this one. Nothing major, nothing important. I am not the least bit concerned. I did not download any of the torrents. I do have the legit versions of the .ISOs seeding - all current versions and some older versions - going back to at least v. 14. So, it sucks but it's not the end of the world - unless this damages their reputation so much that people bail on them.

I like Linux Mint. I call it Linux for Retards - which means that I can use it without even looking at the manual. They're well supported, give access to the Ubuntu ecosystem, a cautious and safe build, and not a horrible community. I have a laptop with me that has Cinnamon on it. They'll be okay.

But, there's a few things that make the database valuable. The emails and username combinations are a good start. They can then do some work and figure out more personal traits and then attempt some social engineering, phishing, and even targeted malware - if they want to invest enough energy.

Re:This is what happens when you use Linux

[houstonbofh]

No, WordPress is still insecure as shit on FreeBSD.

Re:forum

[KGIII]

Probably not. You know they like Linux, you've got a known working (verified) email address, you've got a username, you might be able to make some sort of personal profile based on forum comments. You can check locations with IP addresses but that's not always a certainty. You can probably narrow down which is their preferred Mint. Depending on what they've said in public (and maybe in private) then there's some potential to assign that profile to a person. If they've used the email and/or username elsewhere, they can put some more data together.

It really depends on what they're willing to put into it for effort. $85 is pretty cheap but they're probably not selling it as an exclusive so others will be targeting the users. They'll probably be coming through the data. It's a relational database so they may even automate some of this away (I would) and then simply start running reports. They might even have a way to weigh the data and find the more prominent posters and "mash up" what data they've shared. They'll potentially have some of the site's maintainers, admins, and even the dev team interacting with each other via PM. They might have even been dumb enough to PM passwords to each other.

But no, really that's not much. Not as far as data spillage goes, it's not much at all.

Re:old-school

If the website is compromised the md5 sums available for download on the same website are highly likely to be compromised, too...

Somebody wasn't doing their homework.

[Qbertino]

Now WP and PHP are going to get tons of flak, once again.

To put things into perspective: WordPress has north of 100 Million aktive installs. It powers more than a fourth of the entire web. That's orders of magnitude more than any other system on the planet ever has. For that, WP has an excellent security track record with the last new exploit infecting roughly 8000 websites. Once again of that type that weren''t following basic security procedures.

Using WP for a high-profile, high traffic website such as Linux Mint may be questionable due to load issues alone, but it is doable if you follow just the simplest security principles - such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.

All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress. That, and not showering your install with tons of plugin-bloat perhaps.

WordPress is a system for quickly cobling together a high functionality website and for that it is excellent. But you have to know your basics about PHP and the LAMP stack, otherwise you have no business setting up a WP intallation and are way better of getting one at wordpress.com or some other apphoster for WP. Which, btw., is a perfectly viable option if you've got your hands full maintaining a Linux distro and couldn't

The Linux Mint people screwed up and prerhaps even compromised some boxes that have yesterdays fake ISOs installed on them. They didn't to their homework in terms of basic web-security and this is not the fault of WP or PHP.

I hope they learn their lesson.