LMDE-2 cinnamon bad iso?

[PattiM]

Was there complete resolution on LMDE-2 as to whether or not it was involved with the "backdoor" installed in the Cinnamon Mint ISO file (sometime in the last year or so)? I've read a lot, but unfortunately am not really able to decipher for sure whether the LMDE-2 install I did earlier this year (as guest under VirtualBox) was involved. I don't use Cinnamon, but rather KDE. I've kept all my patches current, but never read anything that said patches would fix the backdoor which was installed...

Thank You Very Much,
Patricia

[Fred Barclay]

Hi Patricia,
The only version of Mint that was backdoored and distributed was Linux Mint 17.3 Cinnamon 64-bit. We LMDE users were quite safe.
However, it is always a good idea to check a Linux iso for integrity when you download it, because these types of events have happened before and will happen again. You don't want to get an evil iso and not realise it. Also, sometimes downloads just go badly and you get a broken iso, which can behave improperly. Integrity checking will catch this and let you know before you install the iso.
Here are some links which may be useful:
https://linuxmint.com/verify.php (official instructions)
viewtopic.php?f=42&t=226092&p=1192608#p1192608 (instructions by a highly knowledgeable member of our community)
https://fred-barclay.github.io/VerifyLinuxMint/

You're right, no patches can be guaranteed to fix a computer with a backdoor.

[jimallyn]

The only version of Mint that was backdoored and distributed was Linux Mint 17.3 Cinnamon 64-bit.

And that was only up for a few hours on one day.

[PattiM]

Thank you very much for the replies. What made me ask was that I did notice that on... https://haveibeenpwned.com/ ...it listed both the Facebook and the Linux Mint hacks as references for my pwned email. I don't know how much information that site obtains, or how, but it made me think. So I thought I would ask.

Best,
Patricia

PS: Where are "backdoors" installed usually (e.g., in the kernel code?)? Is a reinstall (with format of the system drive) a fix, or must the /home partition also be formatted? Now that I think about that, I'm sure the answer is, "it depends..."

[Fred Barclay]

Now that I think about that, I'm sure the answer is, "it depends..."

Precisely.
It all depends on the backdoor author, how long a malicious actor has been present on the system, and what steps (if any) have been taken by that actor after gaining backdoor access, plus a whole bunch of other factors. The safest step is to nuke the entire system.
Even determining how long the attacker has had access to your system can be challenging. A lot of events in Linux are "logged", i.e they're written into some text files in your /var/log directory, and you can go back and read these logs to see what's been going on. Many things that the attacker might do would be logged.
But our hypothetical attacker isn't stupid and he knows about these logs... so he edits them to remove evidence of his activity. Now you're left with gaps in your logs that you might not notice, or you might notice but think are due to lack of system activity. And these log files tend to pile up so unless you have previous experience reading log files you're highly unlikely to figure out what's going on.
Long story short... even determining how long a malicious actor has been present can be challenging. And if you can't figure out how long he/she has been there, imagine the difficulty of figuring out what he/she has done to your system!

So yeah... nuking the computer and starting over is usually the safest step.

Where are "backdoors" installed usually (e.g., in the kernel code?)?

This also depends.
The Mint backdoor was installed as /var/lib/man.cy, which is not part of the kernel. It was written in C and was 926 lines long. It was also an extremely sloppy backdoor (to the backdoor author: feel free to take offence. )
Other backdoors could be in other locations. For instance, there was an attempt in 2003 to sneak a backdoor into the Linux kernel itself. The only change was adding these two lines:

Code: Select all

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

into part of the kernel code. It's a rather clever backdoor because it looks as if it's just checking if the current process or user is root, but it's actually giving the current user root permissions:
current->uid == 0 check for root... what the backdoor author wanted the kernel devs to think was happening
current->uid = 0 set the user id ("uid") as root... what was really happening.
A single "=" mark can make a lot of difference!

But enough rambling on my part. Backdoors can be installed almost anywhere, but the good news is that writing a "good" backdoor is beyond the skill of many attackers. Even better news? You're running Linux... one of the strongest and best operating systems out there!

Cheers!