I’m sorry I have to come with bad news.
We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.
What happened?
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
Does this affect you?
As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
Code: Select all
# cd Isos
#ls
AntiX
ChromiumOS_i386
puppy_shibaInu_1.1.3-k_3.18_noPAE_08022016.iso
puppy_shibaInu_1.1.3-k_3.18_noPAE_08022016.iso.part
shibalnu_md5
#cat shibalnu_md5
525138e4cb58ca6896dfd1d93c5c9b26
So Wordpress isn't secure? Oh hell. I've no reason to doubt your word on this, but I've set up a website for somebody else using Wordpress and post on a couple of others.rokytnji wrote:Yep. What Ted said. Mints problem? Wordpress.
Code: Select all
# cd Isos #ls AntiX ChromiumOS_i386 puppy_shibaInu_1.1.3-k_3.18_noPAE_08022016.iso puppy_shibaInu_1.1.3-k_3.18_noPAE_08022016.iso.part shibalnu_md5 #cat shibalnu_md5 525138e4cb58ca6896dfd1d93c5c9b26
A lone hacker who duped hundreds of users into downloading a version of Linux with a backdoor installed has revealed how it was done...The hacker responsible, who goes by the name "Peace," told me in an encrypted chat on Sunday that a "few hundred" Linux Mint installs were under their control -- a significant portion of the thousand-plus downloads during the day....
Peace also claimed to have stolen an entire copy of the site's forum twice -- one from January 28, and most recently February 18, two days before the hack was confirmed...It later emerged that the hacker had placed the "full forum dump" on a dark web marketplace, a listing we were also able to verify that exists. The listing was going for about 0.197 bitcoin at the time of writing, or about $85 per download...About 71,000 accounts have been loaded into breach notification site HaveIBeenPwned, it announced on Sunday. Just less than half of all accounts were already in the database. (If you think you might be affected by the breach, you can search its database for your email address.)...On Saturday, the hacker replaced one of the 64-bit Linux distribution images (ISO) with one that was modified by adding a backdoor, and later decided to "replace all mirrors" for every downloadable version of Linux on the site with a modified version of their own....But the best way to get users to download the backdoored version was by changing the checksum -- used to verify the integrity of a file -- on the website with the checksum of the backdoored version...The hacker said there was no specific goal to their attack, but said that their prime motivation for the backdoor was to build a botnet. The hacker used malware dubbed Tsunami, an easy-to-implement backdoor, which when activated quietly connects to an IRC server where it waits for commands... "[Tsunami] is a simple manually configurable bot which talks to an IRC server and joins a predefined channel, with a password if set by the creator," said Klijnsma. But it isn't just used to launch web-based attacks, it can also allow its creator to "execute commands and download files to the infected system to later execute, for example," he added.
Not just that, the malware can uninstall itself on affected machines to limit traces of evidence it leaves behind, said Klijnsma, who helped me to review and verify some of the hacker's claims.
For now, the hacker's motive was "just having access in general," but they did not rule out using the botnet to carry out data mining or any other nefarious means. In the meanwhile, the hacker's botnet is still up and running, but the number of infected machines "dropped significantly since the news broke obviously," Peace confirmed..
Don't take my word but maybe this will help you shore up things better for your "setup for somebody else". Give you some peace of mind.So Wordpress isn't secure? Oh hell. I've no reason to doubt your word on this, but I've set up a website for somebody else using Wordpress and post on a couple of others.
Lefebvre confirmed the site was hacked through its outdated WordPress installation, but he denied that using HTTPS site encryption would have mitigated the attack.
I think it wise to make all and post all, including one or more not done on orginal build system to make sure build environments are not already bugged. When GIT changed over occurred there where some unexpected and unexplained sources of code within linux build and storage databased systems.bark_bark_bark wrote:Forget MD5s, you want SHA256 or ideally SHA512
I've spent a bit of time with gdmap in /usr. Yep, just like libsnd 1.0.24 --> 26, need to remove the old and create a symlink. This will take a while to sort out. 
