
Timeline Of Events: Linux Mint Website Hack That Distributed Malicious ISOs (softpedia.com) 188

An anonymous reader writes: The Linux Mint website was hacked last night and was pointing to malicious ISOs that contained an IRC bot known as TSUNAMI, used as part of an IRC DDoSing botnet. While the Linux Mint team says they were hacked via their WordPress site, security experts have discovered that their phpBB forum database was put up for sale on the Dark Web at around the same time of the hack. Also, it seems that after the Linux Mint team cleaned their website, the hackers reinfected it, which caused the developers to take it down altogether.
  • The worst of the worst unless anyone can figure out that spaghetti called Drupal.

    It is the IE 6 of CMS and people keep using it.

    I swear we all should just give up and write our own cms.

    • by MightyMartian ( 840721 ) on Sunday February 21, 2016 @11:16AM (#51552425) Journal

      Which is how we got Joomla, which is the IE 7 of CMSs.

    • Re:WordPress ??? (Score:5, Interesting)

      by Anonymous Coward on Sunday February 21, 2016 @11:25AM (#51552463)

      Ah, Drupal. Drupal is amazing, in that it's clear the developers looked at PHP, said "this is a horrible insecure language" and then decided "let's create a giant platform on top of it to try and fix up the flaws" rather than "let's look for a language that isn't terrible."

      So now Drupal is its own language and library unto itself, and PHP has evolved to fix many of the problems Drupal attempts to solve but Drupal is stuck with their own implementations.

      The amount of code Drupal has to load to render a single webpage is hilarious and somewhat worrying. It's enough that Drupal has to have its own code caching system on top of Zend or whatever you use to try and get performance to reasonable levels.

      Which is probably the only reason you hear about WordPress getting hacked more than Drupal. Drupal has an impressive list of CVEs, but most people who try and use Drupal end up saying "fuck this" and using WordPress instead, because it's possible to get WordPress running without driving yourself insane.

      • Accidental downmod, sorry.
      • Says the anonymous coward who is probably still struggling with their first "Hello World" program in quick basic.

    • Please don't. There's about a million of them already. A CMS is the text editor of web development where someone thinks they can do better than the existing ones and is usually wrong.

    • Ever try to archive a WordPress site? Nothing but reams of PHP, and good luck finding the site's content.

  • by Anonymous Coward on Sunday February 21, 2016 @11:11AM (#51552409)

    They've got a serious breach with no idea how the attackers got in and continue to get in. They need to take EVERYTHING down including their name servers and verify that their registration with the root servers hasn't changed, until they have done a thorough post breach analysis. Only then can they bring up newly installed servers with whatever vulnerability fixed.

    This should take several days. Possibly even weeks, depending on the extent of their infrastructure.

  • by elrous0 ( 869638 ) on Sunday February 21, 2016 @11:14AM (#51552413)

    I mean, at least make the code available.

    • by Anonymous Coward

      OK, what should I use instead? Serious question.

      I need to set up a dynamic site with an e-store, blog, forum, and mailing list, ready to go out-of-the-box, without having to hack piles of code to set it up and modify it. I don't have an endless budget or endless development time to do this. What should I use?

      • by Anonymous Coward

        The question is why do you need all of those things if you're Linux Mint?

        An e-store is nice, because it brings in revenue. There's e-store code out there that's not as vulnerable as WP.

        A forum is not a bad idea - it allows your users to receive some kind of support and provides a place for announcements and FAQs. There's forum code out there that's not as vulnerable as WP.

        While these are not as easy to use as some kind of 'universal' solution like WP, they are also much more secure. Getting hacked in thi

      • I need to set up a dynamic site...

        Why? Seriously, why does the site need to be dynamic? Could you do what you need with a static site with a few dynamic pages? Thinking this way is how security works. Just going with some package downloaded off the Internet is how major compromises work.

        • by Anonymous Coward

          Any idiot can make a site secure by serving up static content and web forms, but managing that content can be a big job. Making changes across a large site is a big job.

          It doesn't address the point anyway: people keep saying there are better languages than PHP that can do what PHP can do, only more securely. I seriously want to know what they are.

          • Any idiot can make a site secure by serving up static content and web forms, but managing that content can be a big job. Making changes across a large site is a big job.

            I guess we have different versions of "big job." Install WordPress internally. Let the internal devops idiots go wild. Run a script nightly that generates static content, pushes it in to a repository (like svn) for history, and then pushes it live. They break something and run a script to roll back SVN and push the last version live again while they fix it. Rocket science...

            (Oh shut up about git being better. No need for anyone to fork it... It is a backup!)

    • Does not have to be. Several very secure and respected firewalls (m0n0wall, SmallWall, t1n1wall, pfSense, OPNsense) use PHP and do not have these problems. Of course, programming securely is hard...
      • Respected how? Usability? Ok, fine. But did you know pfSense runs PHP as root? Not something I would expect from a security appliance. Fortunately the head of the project publicly acknowledged this and is planning a new architecture, i.e., one without PHP.
        • Yeah, Chris is talented as hell. (And actually a super nice guy.) But that is not a small amount of work. Also, there is a slight difference in that pfSense by default does not actually have a shell. That makes it a bit easier since you do not have the typical method of launching commands. (You can, but it is non-trivial)
  • by Anonymous Coward

    1. Not isolating download servers from forum/blog servers.

    2. Not auditing changes of all critical files with immediate reporting.

    3. Not instructing all users to check signature from various well-reputed third party locations.

    4. Using Wordpress when most people need sufficiently few features that they'd be better off rolling their own.

    • FTA:
      "During the second compromise, all Linux Mint ISO download mirrors were pointing to the same Bulgarian FTP site (IP: 5.104.175.212)"

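A check a download-site operator could run on a schedule against the published page, tied to the "auditing changes ... with immediate reporting" point and the mirror redirection quoted above. This is an added example, not part of the thread or of Linux Mint's tooling; the mirror host names, the sample pages and the 203.0.113.10 address are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed allow-list: hosts the project has actually approved as mirrors.
APPROVED_HOSTS = {"mirror-a.example.org", "mirror-b.example.net", "mirror-c.example.com"}

# Constructed sample pages: three mirror links, before and after tampering.
CLEAN_PAGE = """<ul>
<li><a href="https://mirror-a.example.org/mint/linuxmint.iso">Mirror A</a></li>
<li><a href="https://mirror-b.example.net/pub/linuxmint.iso">Mirror B</a></li>
<li><a href="https://mirror-c.example.com/iso/linuxmint.iso">Mirror C</a></li>
</ul>"""
TAMPERED_PAGE = """<ul>
<li><a href="ftp://203.0.113.10/pub/linuxmint.iso">Mirror A</a></li>
<li><a href="ftp://203.0.113.10/pub/linuxmint.iso">Mirror B</a></li>
<li><a href="ftp://203.0.113.10/pub/linuxmint.iso">Mirror C</a></li>
</ul>"""


class IsoLinkCollector(HTMLParser):
    """Collect every <a href> whose path ends in .iso."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            url = urljoin(self.base_url, href)  # resolve relative links
            if urlparse(url).path.lower().endswith(".iso"):
                self.links.append(url)


def audit_download_page(html, base_url, approved=APPROVED_HOSTS):
    """Return (finding, detail) tuples; an empty list means nothing to report."""
    collector = IsoLinkCollector(base_url)
    collector.feed(html)
    hosts = [urlparse(u).hostname or "" for u in collector.links]
    findings = [("unapproved-host", u)
                for u, h in zip(collector.links, hosts) if h not in approved]
    # Many "mirrors" that all resolve to one host is the pattern quoted above.
    if len(hosts) > 1 and len(set(hosts)) == 1:
        findings.append(("all-mirrors-same-host", hosts[0]))
    if not hosts:
        findings.append(("no-iso-links", base_url))
    return findings
```

Run it from a machine outside the web server, so a compromise of the site cannot also silence the check.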
  • by Anonymous Coward

    Anyone checked repositories ?

    • by Anonymous Coward

      If it were the repos, we'd be hearing about Ubuntu, not Mint.

  • The stubbornness of some people is just unbelievable. How many examples of Wordpress's bad security do you need?!?!?
  • by Anonymous Coward

    I read the article and man are these guys full of themselves.

    They were disappointed at being a "top shelf Linux distro" and getting hacked by amateurs, for a lowly IRC bot.
    "They hacked php-this and we thought they hacked php-that, they should have waited longer and really had us."
    The whole article could have been reposted from 1998 with a hashtag thrown in.

    You were burgled by amateurs, and your sysadmins should be embarrassed.

  • old-school (Score:2, Interesting)

    by lkcl ( 517947 )

    y'know... there's a reason why debian sticks with old-school mailing lists and why the mirrors keep it as utterly simple as possible. but the other question is, were users verifying the md5/sha1 checksums on the ISO images? how would they do that (when usually they will be downloading a check-program from the same website)? would they *know* to verify the checksums?

    • Re:old-school (Score:5, Informative)

      by Anonymous Coward on Sunday February 21, 2016 @12:36PM (#51552787)

      If the website is compromised the md5 sums available for download on the same website are highly likely to be compromised, too...

    • by Burz ( 138833 )

      but the other question is, were users verifying the md5/sha1 checksums on the ISO images? how would they do that (when usually they will be downloading a check-program from the same website)? would they *know* to verify the checksums?

      Seriously?? This is why public keys exist...
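The point made in this sub-thread, as an added example that is not part of any comment: a checksum only proves integrity if the checksum list itself is authenticated with a key obtained somewhere other than the compromised site. The file names and keyring path are assumptions; `gpgv` must be installed for the real signature check.

```python
import hashlib
import subprocess


def parse_sums(text):
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if len(digest) == 64 and name:
            sums[name.lstrip(" *")] = digest.lower()
    return sums


def sha256_file(path, chunk=1 << 20):
    """Hash a large image in chunks instead of reading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def gpgv_ok(sums_path, sig_path, keyring):
    """True only if sig_path is a valid detached signature over sums_path
    made by a key in `keyring` (a file fetched out of band, not from the
    download site; pass an absolute path)."""
    result = subprocess.run(["gpgv", "--keyring", keyring, sig_path, sums_path],
                            capture_output=True)
    return result.returncode == 0


def verify_iso(iso_path, iso_name, sums_path, sig_check):
    """Return (ok, reason). sig_check(sums_path) -> bool authenticates the list,
    e.g. lambda p: gpgv_ok(p, p + ".gpg", "/path/to/pinned-keyring.gpg")
    (hypothetical paths). The signature is checked before any digest is trusted."""
    if not sig_check(sums_path):
        return False, "checksum list not signed by pinned key"
    with open(sums_path) as f:
        expected = parse_sums(f.read()).get(iso_name)
    if expected is None:
        return False, "image not listed"
    if sha256_file(iso_path) != expected:
        return False, "digest mismatch"
    return True, "ok"
```

An attacker who replaces both the image and the checksum file passes the digest comparison but fails the signature step, which is why the order of the checks matters.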

  • When I pressed the update icon in my toolbar (linux mint 17) I got a strange alert saying "cannot verify that the software is what it is supposed to be" (can't recall the exact wording, but everything I have read here and elsewhere said to me "don't install stuff you don't trust and can't verify"

    So, I clicked cancel. The updates were fishy, even though they were through a legitimate source, but who knows when that source could get hacked?

    Thanks slashdot for all the paranoia over security for the past 15 yea

    • by Burz ( 138833 )

      When I pressed the update icon in my toolbar (linux mint 17) I got a strange alert saying "cannot verify that the software is what it is supposed to be" (can't recall the exact wording, but everything I have read here and elsewhere said to me "don't install stuff you don't trust and can't verify"

      So, I clicked cancel. The updates were fishy, even though they were through a legitimate source, but who knows when that source could get hacked?

      Thanks slashdot for all the paranoia over security for the past 15 years, it's paid off, just last night. :) Cheers!

      To all the jerks that say I have a tinfoil hat, have fun with your viruses!

      That's exactly what you were supposed to do! And it's properly called precaution, not paranoia.

  • Disclaimer, I like WordPress.

    While the culprit turned out to be something else, I think it speaks volumes that the folks at Mint jumped straight to the conclusion that it was a WordPress hack. WordPress must be among the most frequently targeted and compromised systems on the web. To a large degree, you can pin this on market share. But over the years, the many cries pointing out the insecurities in WordPress have not been entirely without merit. Hence the first conclusion. The great thing of course about
    • I see your points, but the first thing a WP redo should do is redesign the architecture. It's the classic mess done by people who started developing in the first web-boom and never learned to normalise a DB correctly.

      The security problems with WP are somewhat inherent to the LAMP stack and not so much WP. A proper Webapp Server built in some serious PL such as C++ or Go would do the trick, but that would kill the huge advantages of these awesome products cobbled together in PHP.

      It's a tradeoff, and for that

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Sunday February 21, 2016 @01:17PM (#51552985)

    Now WP and PHP are going to get tons of flak, once again.

    To put things into perspective: WordPress has north of 100 Million active installs. It powers more than a fourth of the entire web. That's orders of magnitude more than any other system on the planet ever has. For that, WP has an excellent security track record with the last new exploit infecting roughly 8000 websites. Once again of that type that weren't following basic security procedures.

    Using WP for a high-profile, high traffic website such as Linux Mint may be questionable due to load issues alone, but it is doable if you follow just the simplest security principles - such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.

    All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress. That, and not showering your install with tons of plugin-bloat perhaps.

    WordPress is a system for quickly cobbling together a high functionality website and for that it is excellent. But you have to know your basics about PHP and the LAMP stack, otherwise you have no business setting up a WP installation and are way better off getting one at wordpress.com or some other apphoster for WP. Which, btw., is a perfectly viable option if you've got your hands full maintaining a Linux distro and couldn't

    The Linux Mint people screwed up and perhaps even compromised some boxes that have yesterday's fake ISOs installed on them. They didn't do their homework in terms of basic web-security and this is not the fault of WP or PHP.

    I hope they learn their lesson.

    • by Anonymous Coward

      Switch up the login page and mildly obfuscate the SQL table names? THAT'S supposed to protect a WP site from 99.999% of attacks? I'll grant you these are some of the first baby steps to securing a WP site, but this is a far cry from the 99.999% you're throwing around.

    • by CRC'99 ( 96526 )

      such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.

      All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress

      <Location /wp-login.php>
      Order Allow,Deny
      Allow From 1.2.3.0/24
      </Location>
      <Location /wp-admin>
      Order Allow,Deny
      Allow From 1.2.3.0/24
      </Location>

      This is enough to secure most installs for brute force / stolen credentials.

  • by Anonymous Coward

    And not be challenged?
