Xubuntu.org Might Be Compromised
Source: old.reddit.com (tech story, high profile)
Key topics: Linux, Security, Malware
The Xubuntu website may have been compromised, potentially distributing malware-infected ISO files, prompting discussions on security measures and the importance of verifying checksums.
Snapshot generated from the HN discussion
Key moments
- Story posted: Oct 19, 2025 at 10:25 AM EDT
- First comment: Oct 19, 2025 at 10:42 AM EDT (17m after posting)
- Peak activity: 126 comments in the first 0-12h
- Latest activity: Oct 27, 2025 at 1:30 PM EDT
ID: 45634367 | Type: story | Last synced: 11/20/2025, 8:37:21 PM
Note, too, that NextDNS blocks archive.is et al. by default unless you manually add redirects.
Whatta world
I believe NextDNS is headquartered in the US, which may be related to the site nav issues we’re both experiencing.
Curiously, uBlock Origin and my blocklists seem to block content on archive.is from loading from mail.ru, which may be related to the blocks, but I have never heard anyone on HN or elsewhere mention this, so I am mentioning it, so that it can be known and explained if any explanation exists for why mail.ru scripts on archive.is are present. I don’t seem to see those scripts on the Tor version of archive.today, which archive.is is a mirror of today; apparently the original domain is the .is one, in any case.
Consider my curiosity piqued!
More info about the archive.is|.today mirrors including the Tor (.onion) version of the site are on the Wikipedia entry for the site:
https://en.wikipedia.org/wiki/Archive.today
> archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion
https://bgp.tools/as/34939
> Note too, that NextDNS blocks archive.is et al by default unless you manually add redirects.
Can you explain a bit about what you had to do to get archive.is to work with NextDNS? I have used their service/app before, but I’ve never dug into redirects via NextDNS, as I didn’t even know that was a thing you could do via the service.
You simply add new rewrites in your Settings:
archive.is > 165.140.202.54
Would definitely recommend.
Also, don’t install the app? Use Sink It instead: https://gosinkit.com/
[1] https://www.qubes-os.org/
EDIT: further comment below:
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [2].
[2] https://doc.qubes-os.org/en/latest/project-security/verifyin...
[1] https://doc.qubes-os.org/en/latest/project-security/verifyin...
Getting the correct PGP public key appears to be an exercise left to the reader, but if you are already running e.g. Fedora, you can view the packaged QubesOS distro keys distributed by your current OS, cross-reference that with a second source such as a PGP keyserver, and unless you're being Mossaded upon you're probably good if they match.
It's not perfect... but it's better than nothing.
Using Qubes would limit the blast radius for a scenario like this. In QubesOS, you would use disposable VMs (with no access to your crypto wallets or other user files) to download and flash an ISO. So even if this malware was targeting Linux, it wouldn't get zit and disappear when you finish flashing and shut down that VM (as long as there isn't an unpatched exploit breaking the VM isolation involved).
Of course, if the ISO is bad then this won't save you from compromise once you boot it. But that's not what happened here.
[1] https://doc.qubes-os.org/en/latest/project-security/verifyin...
Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too. One does not accidentally prepare a zip file with a malicious exe and xubuntu-specific language, upload it to a server, and point a torrent link at it.
Indeed that is a suspicious or at least untrustworthy way to deflect the seriousness of a malware infection that potentially affects all users of an OS distribution.
How do you prove that the person hacking the website is not an associate of (or the same as) the person running the website?
If this were proprietary software then the software would be expected to die. Since this is open source, there is the option for the original project to die and for a fork to rise from the ashes.
You're making an assumption that this moderator is anything more than a Xubuntu enthusiast who wants to downplay outrage on Reddit. Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".
Start by googling the username of the account. They are the Xubuntu Marketing and Website lead. This is the domain they are responsible for and, given their long history, they should know better.
This sort of thing must risk harming Canonical's reputation, so you'd think they'd want to use whatever leverage they have to enforce better practices.
1. https://ubuntu.com/desktop/flavors
2. https://packages.ubuntu.com/search?keywords=xubuntu-desktop
Which is to say, I'm fairly sure that they're still just a volunteer community member.
which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare. Running some barely maintained operating system that is an nth-degree spin-off is like buying a pacemaker from craigslist. The number of people who go "I don't trust Canonical/Google" and then go download some binary blob browser fork/OS uploaded by an anonymous guy from the internet is way too large.
The real obnoxiousness is that Ubuntu doesn't keep these desktop and otherwise specialized variants partially in-house like they once did. It isn't like they don't have the money or the staff. It's just not part of their world takeover plan anymore; no deviation allowed.
Just get away from Ubuntu, install Debian, and choose XFCE when installing. Please.
That's because they don't have a world takeover plan anymore. That plan failed, so they came up with other ones (mobile! Subscriptions!) and those failed too - so now they're just trying to survive.
I honestly prefer for Ubuntu to be just another Linux player doing what most Linux players do (i.e. looking after n.1 and focusing on internal consistency), rather than their original borg-like form that tried to co-opt the entire ecosystem. As much as I enjoy a reliable Debian-like infrastructure everywhere, there is value in the fundamental diversity of distros focused on different ways to "do Linux".
If my options are between a barely maintained linux operating system which might compromise my data and a barely maintained windows operating system that is designed to compromise my data I'll take my chances with linux. At this point no one can be assured of their safety and all anyone can do is choose the lesser evil and hope for the best.
You're saying this literally a few days after Microsoft pushed out a Win11 update that broke localhost.
Oh, and that update - fairly sure it was optional.
The usual lesson applies, never install version 1.0. Install 1.0.5 or even better, 1.1.1.
Looking at the intentional degradation since Win7, I'd call it a "barely and maliciously maintained operating system".
But I have to use another MS product daily: Teams. It's a product with very poor usability. Even simple things like tracking which message you have read and which one you haven't don't get better upgrade after upgrade. I am sure they have a huge development budget and tons of paid developers. The number of paid developers can be completely uncorrelated to quality.
(I am sure zulip has just a little fraction of paid developers, but it is a program in the same domain that works muuuch better.)
Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us. Because 1) it's unlikely, and 2) if it were true there's no change in defensive posture that would help. It's the same for most individuals when considering being targeted by state actors. Unlikely, and not defensible, so no point hand wringing.
Though, I also doubt they would just shelve these epic exploits, since a universal Linux backdoor likely puts themselves at risk too, unless you can pull off a grand conspiracy, or deliver patched packages to your own people without questions asked. Maybe a completely locked down country like North Korea could do it. I doubt many other countries got an incentive, unless in preparation of a specific attack.
I have not heard that specific scenario yet, but indeed quite similar ones from very depressed/mentally ill people. Basically that the whole universe was created to torture them specifically. (Probably there is even a medical term for that)
But yes, a sane person should rather be concerned to not fall victim to one of the various criminal groups. That is a real cyber threat for most people and companies.
So minding basic security helps, even if the NSA will likely get past that in no time.
The present case also just seems malware easily detected by VirusTotal: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...
But nobody wants to talk about true security. For example, why does a Python module that renders progress bars (for example) need my full trust about what it does to the rest of my system? Etc.
Sorry, patient, why are we talking about setting your broken arm when you are genetically predisposed to cancer that's going to kill you anyway?
tqdm is pure Python and available as a wheel. Or is this a general complaint about sandboxing others' code at runtime?
Of course, there are people who disable built-in security scanning and don't use another antivirus software, and that's on them.
https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...
[user@host]$ ls
SHA256SUMS SHA256SUMS.gpg xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ cat SHA256SUMS
b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf *xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ sha256sum xubuntu-24.04.3-desktop-amd64.iso
b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ echo $?
0
"Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside."
... This is a thing?
But both implementations can be vulnerable to malicious exe files, so it's not a great idea to do this with a file you already suspect to be malicious.
It hadn't occurred to me that the .exe in question would be a self-extracting archive (or malicious code that also involves self-extracting an archive as part of the malicious working).
This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso
The output of the other checksum commands is shown here:
[user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key
[user@host]$ sha256sum --check SHA256SUMS
xubuntu-24.04.3-desktop-amd64.iso: OK
(output omitted for results of Xubuntu minimal version, which was not downloaded)
The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
Is there no way a download over HTTPS can be corrupted non-maliciously, or can fail to complete?
For security you want signatures with a known, trusted key.
Maybe in theory you could checksum the post-installed filesystem, but I'm not sure if any distros actually do that or not, and it would require deterministic install layouts.
Lots of small, volunteer-run, low/zero-budget open-source projects cannot afford to pay for the server/CDN bandwidth they would need to host all their binary artifacts (ISOs, packages, etc.). They end up relying on mirrors provided for free by third parties instead. By publishing the checksums, they allow you to verify that the ISO image you downloaded from some mirror is the same one that they originally published.
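The verification session above (sha256sum --check, and gpg answering "No public key") and the checksum-versus-signature point, as an added example that is not from the thread or the Xubuntu project: it parses gpg's machine-readable status output, accepts nothing but a valid signature from a pinned fingerprint (the key gpg printed above), and only then checks SHA256SUMS the way sha256sum --check --ignore-missing does. The stand-in ISO bytes, the minimal-image filename and the gpg status lines are constructed.

```python
import hashlib, os, re, tempfile
# Fingerprint gpg reported for SHA256SUMS.gpg in the session above; pin it.
PINNED_SIGNING_KEY = "843938DF228D22F7B3742BC0D94AA3F0EFE21092"

def signature_ok(status_lines, pinned_fpr=PINNED_SIGNING_KEY):
    # Pass only on a VALIDSIG line (gpg --status-fd 1 --verify) carrying the pinned
    # fingerprint; NO_PUBKEY ("No public key") or anything else fails closed.
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper() == pinned_fpr.upper()
    return False

def check_sha256sums(text, directory):
    # Lines are '<hex>  <name>' (text) or '<hex> *<name>' (binary); verdicts
    # mirror `sha256sum --check --ignore-missing`: OK / FAILED / MISSING.
    results = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-fA-F]{64}) [ *](\S.*)$", line.strip())
        if not m:
            continue
        expected, name = m.group(1).lower(), m.group(2)
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):  # ISOs are GBs: stream
                h.update(chunk)
        results[name] = "OK" if h.hexdigest() == expected else "FAILED"
    return results

def verify_release(status_lines, sums_text, directory):
    # Signature first: a matching hash alone only proves the mirror served what
    # a (possibly attacker-edited) SHA256SUMS describes.
    if not signature_ok(status_lines):
        return {"signature": "FAILED"}
    return {"signature": "OK", **check_sha256sums(sums_text, directory)}

def demo(tamper=False):
    # Constructed: tiny stand-in ISO plus a SHA256SUMS in the real layout; its
    # second entry is the minimal image that was not downloaded (-> MISSING).
    with tempfile.TemporaryDirectory() as d:
        name, data = "xubuntu-24.04.3-desktop-amd64.iso", b"constructed ISO bytes"
        sums = (f"{hashlib.sha256(data).hexdigest()} *{name}\n"
                f"{'0' * 64} *xubuntu-24.04.3-minimal-amd64.iso\n")
        with open(os.path.join(d, name), "wb") as f:
            f.write(data + (b"\x00" if tamper else b""))  # one extra byte => FAILED
        valid = [f"[GNUPG:] VALIDSIG {PINNED_SIGNING_KEY} 2025-08-07 0 0 4 0 1 10 00"]
        return verify_release(valid, sums, d)
```

Getting the pinned fingerprint from a second source (a distro-packaged keyring or a keyserver, as suggested above) is what makes the VALIDSIG check meaningful; the hash check adds nothing without it.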
It's a big bad dark scary Internet out there. Be careful.
They are empty as of now.
Instead of the .torrent files, the compromised website served a .zip file, which contained a .exe. When opened, it shows a GUI to select a Xubuntu version and a button to generate the link. When that button was clicked, the malware showed a download link to the user and, in the background, deployed a second stage to %APPDATA%\osn10963\elzvcf.exe and executed it.
The second stage monitors the clipboard for cryptocurrency addresses which it will replace with attacker-controlled ones. The second stage is also added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ to ensure it is run whenever the user logs in.
Both stages have some limited anti-debugging and anti-VM functionality.
:P
https://www.theregister.com/2025/08/07/opensuse_leap_16_reac...
https://wiki.xfce.org/releng/wayland_roadmap
Have not installed Lubuntu in a few years, so never noticed any of the news of the domain change and take-over. Did not really find anything more about it when searching today?
I have not used uBlock in years, since NoScript as a side-effect of not running scripts tends to block almost everything anyway (in particular ads), but maybe I should install it again after all for things like this.
uBO has prevented the following page from loading:
"FAKElubuntu.net I won't give backlinks to"
The page was blocked because of a matching filter in uBlock filters – Badware risks.
also see Bloxstrap, a popular Roblox bootstrapper - its official URL is https://bloxstraplabs.com, but many fakes rank high in SEO (bloxstrap[.]net, blxstrap[.]com, bloxstrape[.]com, bloxstrapper[.]com, bloxstraps[.]net, bloxstrapp[.]com, thebloxstrap[.]net)
currently it isn't hosting malware, but this could obviously change
Since Xubuntu's inception a decade ago, facts certainly have changed!
Linux mantra: Nothing wrong here, and if there is, someone will fix it eventually, probably, maybe..
I recall purchasing a textbook in September of year X and being surprised that it was "from the future" with a "Copyright X+1".