Linux Mint has surprisingly became the most interested distribution according to statistics. It’s a Linux distribution based on Ubuntu. Many of the users are satisfied for its design and functionality until 20 February 2016. But then some bad news…

Linux Mint Events

Today (21 February), a shocking news has been announced about Linux Mint from distribution’s blog post. The post states that some of Linux Mint 17.3 ISO files were compromised. If you downloaded one of them during February 20, you should check the MD5 signature again. After some controls, it will be more secure to reinstall it if you want.

There were two connected events at the beginning.

Event 1: The hackers prepared changed ISO files. They upload it to a different server other than Linux Mint’s original one. The compromised ISO files has some sort of back door. When you install it, the malware also able to come alive.

Event 2: They also hacked Linux Mint Web site and changed the download link addresses to their fake server.

Shortly after the blog post published about the compromised ISO files, the news began to spread from twitter account. The Hackers start to sell Linux Mint web site database for $85K.

Mint blog post says the compromised ISOs are hosted on a server in Sofia, Bulgaria. As a precaution, the official web site has been closed down during the investigation.

“What we don’t know is the motivation behind this attack,” Mint states. “If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this”.

Is $85K a good reason and motivation? We don’t know yet and following the advancements.

If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

The valid signatures are below:

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

Once in the live session, if there is a file in /var/lib/, then this is an infected ISO.

UPDATE: The second announcement has been made with another blog post. It advises to change forum pass and other necessary precautions.

“It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on, please change your password on all sensitive websites as soon as possible.

The database contains the following sensitive information:

  • Your forums username
  • An encrypted copy of your forums password
  • Your email address
  • Any personal information you might have put in your signature/profile/etc…
  • Any personal information you might written on the forums (including private topics and private messages)”

You can share your opinions and critics by using the comments section.