forums.linuxmint.com cat config.php
// phpBB 3.0.x auto-generated configuration file
// Do not change anything in this file!
$dbms = 'mysql';
$dbhost = 'localhost';
$dbport = '';
$dbname = 'lms14';
$dbuser = 'lms14';
$dbpasswd = 'upMint';
But what would I know.
The fact that they're calling the bot "tsunami" just proves their incompetence. The bot isn't called tsunami, it's called kaiten and it's been open source for more than a decade.
They also managed to confuse FTP and HTTP
>the hackers have only altered the man.cy [https://gist.github.com/Oweoqi/31239851e5b84dbba894] file, where they've added a new function called tsunami.
Doesn't look like they just added a new function called tsunami to me.
>Selling the forum's database for a meager $85 is a sign of their lack of vision. The group seems to have mishandled the entire hack, opting to distribute a silly IRC DDoS bot instead of more dangerous and lucrative malware like Bitcoin miners or banking trojans.
Stupid speculation by writer.
Linux Mint remains compromised despite the current events, it's rather unlikely that kaiten is used as a DDoS bot instead of just a stager to execute shell commands on the affected computers. The presence of DoS commands is meaningless, the only reason kaiten is still used today is because it runs everywhere so it seems fair to assume that that'd be why the attacker opted to just use it instead of writing their own. (No real benefit to that here)
Also, bitcoin mining stopped being lucrative ages ago.
>One person seems to have bought the hackers' files and dumped the forum's config file on Hacker News discussions thread.
I neither bought nor sold the data.
Considering you're still on probation or whatever (I think?), is that really wise to say?
The config.php file should not be readable by an anonymous user, that is a security risk.
Yes usually unauthorized people having access to your server results in various security risks.
I strongly believe the users deserve to know just how incompetent these guys are, because next time it won't be some idiot swapping the iso links. It'll be someone slightly more competent that pushes a backdoored commit or gets into the apt repos, and then _every_ _single_ user will be affected...
Also, at the time of the posting the site was down. And it remains so.
Anyway, as a result I ended up emailing their webmaster asking why Ubuntu.com has no SSL cert. and I haven't heard anything back yet. I think it is pretty poor that a company like Canonical can have such a flagrant disregard for basic security practices, especially when it likes to market Ubuntu as a 'secure' OS.
If you are running Ubuntu then you already have signing key (run apt-key list), otherwise you can compare the full fingerprint with the one printed in terminal output in the guide that's hosted on https.
One minor suggestion would be to provide ISO hashes over HTTPS. It's just as secure as using GPG with fingerprints sent over HTTPS, and it's a lot easier.
The fingerprints (https://www.debian.org/CD/verify) could also be made more prominent (perhaps put on the main download page).
This is kind of in 'No magnet: links for bittorrent downloads on SSL'
Maybe there's something I'm missing?
SHA1/2 at least, but preferably a gpg signature would be much better.
"You can find them at http://ftp.heanet.ie/pub/linuxmint.com/stable/17.3/ also along with signed sha256sums."
>SHA1/2 at least, but preferably a gpg signature would be much better.
SHA1/2 isn't any better, you're never going to get hit by file corruption that magically also is a md5 collision.
I think you're saying MD5 is still a decent checksum for non-cryptographic purposes. Without a cryptographic signature or other authenticated integrity-checked distribution channel, there's very little advantage of using a cryptographic checksum.
-- TCP/IP Illustrated
I've grown obsessive about it. When you're conscious about that it's amazing (to put mildly) how many prominent projects don't bother with any authentication.
>Finally, the situation both happened and was solved today, so it should only impact people who downloaded this edition on February 20th.