Last night, the Linux Mint team announced that someone had hacked their servers and started pointing user downloads to malicious ISO images for the Linux Mint 17.3 Cinnamon edition. Our Linux editor already covered the initial details of the attack, which we recommend reading before going forward with this article.

Since then, in the last ten hours, the Linux and infosec communities have been working hard to investigate what happened and how the hackers operated.

Linux Mint Team: They hacked us via our WordPress site

The first to provide an answer was Clement Lefebvre, leader of the Linux Mint project, who acknowledged in a comment on the official announcement that the initial point of entry was their WordPress blog.

The hackers managed to escalate their access to the underlying server and finally get shell access to www-data, Lefebvre explained. From here they modified the Linux Mint download page to point to a malicious FTP server hosted in Bulgaria (IP: 5.104.175.212).

The Linux Mint team discovered the issue, cleaned up the links from their site, announced the data breach on their blog, and then it appears that the hackers re-compromised the download page again.

During the second compromise, all Linux Mint download mirrors were pointing to the same Bulgarian FTP IP

Seeing that they've failed to eliminate the hackers' true point of entry, the Linux Mint team decided to take down the entire linuxmint.com domain to avoid the ISO images from spreading to users that had not seen its security alert.

phpBB forum database was put up for sale on the Dark Web

Yonathan Klijnsma, senior threat intelligence analyst for Fox-IT, a Dutch security firm, has noticed that a few hours after the Linux Mint announcement, someone had posted an ad on the TheRealDeal Dark Web marketplace.

A user with the peace_of_mind nickname was selling the "Linuxmint.com shell, php mailer, and full forum dump" for 0.1910 Bitcoin (~$85) (image at the end of the article).

One person seems to have bought the hackers' files and dumped the forum's config file on Hacker News discussions thread.

code // phpBB 3.0.x auto-generated configuration file

// Do not change anything in this file!

$dbms = 'mysql';

$dbhost = 'localhost';

$dbport = '';

$dbname = 'lms14';

$dbuser = 'lms14';

$dbpasswd = 'upMint';

Malicious Linux Mint ISOs contained a DDoSing bot

As for the compromised ISOs, the hackers have only altered the man.cy file, where they've added a new function called tsunami. This is a well-known Linux ELF trojan named TSUNAMI that's a simple IRC bot used for launching DDoS attacks. The trojan was first spotted and analyzed in 2013. A technical write-up of its capabilities is available here.

The fact that the hackers opted to infect a top-shelf Linux distro with a simplistic IRC bot (something considered to be outdated in the early 2010s) leads us to conclude that this is the work of an inexperienced group.

Selling the forum's database for a meager $85 is a sign of their lack of vision. The group seems to have mishandled the entire hack, opting to distribute a silly IRC DDoS bot instead of more dangerous and lucrative malware like Bitcoin miners or banking trojans.

The fact that they've re-compromised the site after they've been originally discovered also shows the group's lack of experience. With site access still working, and with the Linux Mint team failing to detect their true entry point, all the hackers had to do was to wait.

Instead, they escalated the entire incident, placed ads on an underground hacking forum, which eventually caught the eye of security experts and forced the Linux Mint team to bring down their entire website, cutting off their access.

UPDATE: Just after our article went live, Mr. Lefebvre confirmed that the malicious Linux Mint ISOs contained the TSUNAMI IRC bot.

Its 2016 and a popular Linux distribution ISO was modified and a backdoor was added, an IRC bot.. just a plain IRC bot... — Yonathan Klijnsma (@ydklijnsma) February 21, 2016