To try and clear things up I figured a Q&A guide as to the status of Mint Linux was needed and the posters asking "Is my version of Mint safe" can come here and air their fears. (They will come here. A lot of Mint users, even when they read the status, still need assurance and want to confirm that THEIR SPECIFIC install is safe - even if it is 32 bit XFCE 17.2! Let's be patient and deal with these folks gently. I will then keep linking to this post from the blog. Generally speaking, when people are nervous, there is no such thing as over explaining.)
So here is the status on Mint. Long post, but I am anticipating the FAQs that have appeared in the blog! IF YOU ARE WORRIED ABOUT YOUR MINT INSTALLATION - READ ON!
AM I SAFE?
*Almost* certainly.
99.8% of users of Mint were never in danger and are unaffected. The odds are that your installation is safe and you are fine as I will explain.
WHAT ACTUALLY HAPPENED? (AND DOES IT PUT ME AT RISK?)
On the 20th February 2016 a cracker/hacker managed to gain access to the Mint website. They then changed the link to the 64bit Cinnamon edition of Mint and made it point to an altered ('fake') version of Mint located in Bulgaria which had some nasty malware included.
If a user downloaded SPECIFICALLY the 64 bit edition of Cinnamon on EXACTLY the 20th February and installed Mint then they need to download the ISO image again - the link has been corrected - and re-install, formatting their hard drive.
Note the following:
If you are running any other version of Mint - MATE, KDE, XFCE, any 32 bit edition - you are completely safe and secure.
If you installed any version prior to the 20th February 2016 then you are perfectly safe.
If you are running any version of Mint 17.0 (Qiana) 17.1 or 17.2 you are fine.
If you are running any version of Mint 13 you are fine.
If you downloaded SPECIFICALLY the 64 bit edition of Cinnamon 17.3 on EXACTLY the 20th February then you need to run a check on the ISO image you installed from (details given further down).
This hack really only affects a very small number of people.
I DID NOT DOWNLOAD ANY VERSION OF MINT ON THE 20th. AM I SAFE?
Yes. The attack lasted no more than one day.
I DO NOT RUN MINT CINNAMON. AM I SAFE?
Yes. The hacker only targeted Mint Cinnamon edition.
I AM RUNNING MINT CINNAMON BUT VERSION 13, 17.0, 17.1, 17.2 AND NOT 17.3. AM I SAFE?
Yes. The hacker only targeted Mint 17.3.
I AM RUNNING MINT CINNAMON 17.3 32 BIT. AM I SAFE?
Yes. The hacker only targeted the 64 bit edition of Mint Cinnamon 17.3.
I DID DOWNLOAD THE 64 EDITION OF MINT CINNAMON ON THE 20th February 2016. AM I SAFE?
Er, possibly not. You need to carry out the following check - but only if you did a direct download from the Mint Link and not a mirror or a torrent.
The check (as described on the blog)
How to check if your ISO is compromised?
If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).
The valid signatures are below:
6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso
If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO. You need to reformat your hard drive and re-install Mint in this case.
[Note: A kind poster has given a detailed guide on how to check your ISO image further down this page.]
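The two checks quoted above, as an added shell example (not part of the original post or the Mint blog): it compares an ISO's MD5 against the five values listed above and looks for the /var/lib/man.cy marker. The function names iso_md5, check_iso and has_marker are hypothetical, and the optional second and first arguments exist only so the checks can be tried on a constructed file or directory.

```shell
#!/bin/sh
# MD5 values copied from the list earlier on this page.
KNOWN_GOOD='6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso'

# iso_md5 FILE: print only the hex digest of FILE.
iso_md5() {
    md5sum "$1" | awk '{print $1}'
}

# check_iso FILE [LIST]: return 0 if FILE's MD5 is in LIST (default: the
# values above), 1 if it is not, 2 if FILE cannot be read.
# Matching is on the digest, so a renamed ISO is still recognised.
check_iso() {
    list=${2:-$KNOWN_GOOD}
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    sum=$(iso_md5 "$1") || return 2
    match=$(printf '%s\n' "$list" | awk -v s="$sum" '$1 == s {print $2}')
    if [ -n "$match" ]; then
        echo "OK: $sum matches $match"
        return 0
    fi
    echo "MISMATCH: $sum is not one of the listed values"
    return 1
}

# has_marker [ROOT]: return 0 if ROOT/var/lib/man.cy exists, i.e. the live
# session was booted from the altered ISO. ROOT defaults to the running system.
has_marker() {
    [ -e "${1:-}/var/lib/man.cy" ]
}

# Stand-alone use: sh check.sh yourfile.iso
if [ "$#" -gt 0 ]; then
    check_iso "$1"
fi
```

Run has_marker with no argument from inside the offline live session, as the quoted instructions describe.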
I DOWNLOADED MINT VIA A TORRENT. IS IT SAFE?
Yes. The faked version of Mint was not available via torrent at any time.
I DOWNLOADED MINT VIA A MIRROR. IS IT SAFE?
Yes. The faked version was only available from the hacked Mint website via one hacked link.
The whole attack was actually very isolated - but very high profile!
I HAVE RUN UPGRADES SINCE THE 20th FEBRUARY. AM I SAFE?
Yes. The ONLY thing altered by the hacker was the link to the Cinnamon edition of Mint.
Updates have always been perfectly safe and remain so.
I HAVE INSTALLED SOFTWARE FROM THE REPOS ON/AFTER THE 20th FEBRUARY. AM I SAFE?
Yes. The repos were not affected. All updates and all software are safe.
I HAVE PPAS FOR SOME SOFTWARE. HAVE THEY BEEN 'INFECTED?'
There never was an infection! This was not a virus or malware attack. It was a website attack!
PPAS are fine. Nothing has changed.
IS MINT LINUX SAFE?
Yes. Mint Linux remains as safe as it ever was. No viruses were sent to Linux.
There is no need to buy virus checking software or jump to another distro or run to Windows.
It was not Mint that was attacked, it was the WEBSITE! Yes, a messed up version of Mint was created and some users, a very small number, downloaded and installed it. But the hacker had to create his own 'version' of Mint, change the website link and have people install the entire operating system to install the malware.
He/they did not 'seed' software, create a virus or penetrate the security of Mint.
Mint remains as stable and safe as it ever was. (And that's why I am still using it.)
SO I AM SAFE?
Yes, unless you are one of the very few who just happened to download the fake version of Mint on the 20th. In that case you need to check your ISO for the malware and re-install using the real Mint available from the usual place.
But if you did not download SPECIFICALLY the 64 bit Cinnamon edition of 17.3 on EXACTLY the 20th you have absolutely nothing to worry about.
If you are one of the unfortunate few to have installed using the fake Mint rendering then you need to format your hard drive (a pain, I know) and re-install using genuine Mint. But Mint remains as stable and secure as it always was and will be fine after a re-install using the real version of Mint.
NOTHING HAS CHANGED!
HAS THE MINT TEAM TAKEN ACTION SINCE THE HACK?
Absolutely. Exact details have yet to be forthcoming from Clem and co. as they have been busy trying to put things right. He has promised a full report in time but there are many factors in play - including legal and investigative, so Clem is not yet in a position to give all the technical details.
However, we do know that the hack was discovered on the same day it occurred. Clem immediately shut down the Mint website to prevent further download of the faked rendering of Mint.
The link to Mint was corrected and security checks run including obtaining 'traces' of the attack and information that may help lead to the prosecution of the attackers.
Clem has stated that the following have since taken place to make the Mint website more secure, and I quote:
– We’ve hardened things
– We’re now behind a global firewall
– We’re now using new servers
– We’re now using https (which is forced for community and forums)
Clem has promised more information later when everything is bedded down and, doubtless, when legal authorities have been consulted. This is a serious crime that requires investigation and, I would imagine, blurting out everything that has happened and is happening, could compromise an investigation. (That is surmise on my part but highly likely given the circumstances.)
Please understand that this was a website attack and NOT a malware attack on Linux. No trojans, viruses or whatnot were released 'into the ether' to infect Mint installations.
This attack is being confused with the more common virus and malware attacks one can pick up from general software installs or web browsing. This attack was nothing like that! The hacker attacked the website and replaced one download link, for a grand total of one day, for one very specific version of Mint, with a link to his own fake/doctored version of Mint that included malware.
That link has gone - done, vanished. Real Mint remains as secure as ever and nothing else is infected. You cannot pick up this malware any other way than by installing Mint from the doctored ISO image.
A LOT OF PEOPLE ONLINE ARE CLAIMING THAT MINT IS INSECURE AND NOT A FIT AND PROPER DISTRO FOR USE. IS THIS TRUE (BE HONEST!)
No - and that's being honest. Mint is one of the most popular Linux distros around and with good reason - and possibly the reason for the attack. If Mint was a 'broken' Linux distribution, insecure and prone to viruses and malware, not only would it be less popular, people on these forums would know about it. Mint has been extremely robust and remains so.
Again, the attack was on the website and not a general security breach for Mint itself.
There has been a huge amount of misunderstanding of the nature of the attack and a lot of fear, rumor and hearsay. The fact is that Mint remains as solid as ever.
Hopefully this makes things clear. Nothing has changed in regards to the general operation of Mint, and claims that this proves Mint Linux is insecure, prone to infections, etc, etc are completely false.