My fellow penguins,

I have been pwned. What started off as weeks of smiling every time I heard a 7-10s soundbite of Karma Factory’s “Where Is My Mind” has now devolved into hearing dashes and dots (Morse code) and my all-time favorite, a South Park S13: Dead Celebrities soundbite of Ike’s Dad saying, “Ike, we are sick of you talking about ghosts!”

It’s getting old now.

I feel like these sounds should be grepable in some log somewhere, but I’m a neophyte to this. I’ve done a clean (secure wipe >> reinstall) already, the sounds returned not even a day later.

Distro is Debian Bookworm. So how do I find these soundbytes? And how do I overcome this persistence? UFW is blocking inbound connection attempts everyday, but the attacker already established a foothold.

Thank you in advance. LOLseas

  • friend_of_satan@lemmy.world · 31 minutes ago (edited)

    Run strace (or falco) and log every file open. When you hear the sound, reference the log of what files were accessed at that time.

    Run tcpdump and capture all traffic. Analyze it in wireshark, searching for a time window around when the sounds happened.

    FWIW putting pranks like this in cron or systemd is a common way to haze people who have bad security practices. We also used to set the default runlevel to 3 or 6, but of course that doesn’t make sense in the era of systemd.

  • entwine@programming.dev · 2 hours ago

    lmao this is a targeted campaign to fuck with you. Look at people in your circle of family/friends/acquaintances/enemies and you’ll find your suspect. Real viruses don’t do anything as remotely entertaining as this, they just steal your passwords/crypto/etc, ransomware your files, or turn your PC into a botnet for internet spam or mining.

    Download a fresh install of debian, flash it onto a usb, and do a reinstall. Use different root/user passwords that you’re certain nobody knows, and ensure you lock the computer whenever you step away. Also, obviously, be careful with what software you’re installing.

  • bcovertigo@lemmy.world · 7 hours ago

    Can you record the noise and share it? Consider Outlook’s recent arbitrary WebDAV exploit that fetched a malicious payload from the internet to run if you said it was a custom notification sound. That directly attacked a sound-producing function and is silent.

    It’s not impossible this is an attack but it’s a very Rube Goldberg scenario that leads one to suppose there is a literal noisy attacker who can persist through reimaging but can’t stop fucking up an existing sound channel.

    • LOLseas@sh.itjust.works (OP) · 6 hours ago (edited)

      I would love to catch the event, but it’s sporadic. I stumbled across the gnome-logs package and see concerning events such as “Warning: writing to insecure memory!” from a running service: tracker-extract-3.service. But that service, though named intimidatingly, just watches the file directory for updates/new files.

      I’m dealing with Morse code atm and it’s a welcome relief from the South Park or Karma Factory bites.

      Also, I installed Ventoy on my USB drive and put a Gentoo Live iso as well as Debian, Slax, and QubesOS. I intend to reinstall (thinking of starting with Gentoo).

      Then I tried unmounting it. It hung with “device busy” for a solid 6 minutes, and finally ejected. New fear is the attacker is altering the iso files I’m putting on the drive. So I ran sha256sum -c [Gentoo.iso filename] against the SHA256 hash from gentoo.org and it completed as OK but bitched about 12 lines improperly formatted. I’m spitballing again on what to do.

      Also, how can I get Lemmy to show codecommands formatting? I use Jerboa but don’t see a code block option.
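The ISO check described in the post above is worth doing properly, so here is an added example (not code from the thread or from any project mentioned in it) of driving `sha256sum -c` the way it expects: its argument is the vendor’s published checksum list, not the image, and the “N lines are improperly formatted” warning refers to lines in that list (PGP signature headers, digests of other types) that `sha256sum` cannot parse, not to the image. The filenames and the list contents are constructed for the demonstration; `--ignore-missing` is a real GNU coreutils option.

```shell
#!/bin/sh
# Added example, not from the thread: driving sha256sum -c the way it expects.
#
# sha256sum -c takes the vendor's checksum LIST as its argument, not the
# image; "sha256sum -c image.iso" would read the ISO itself as a list.
# A published list often also carries PGP signature headers or digests of
# other types; sha256sum reports each such line as "improperly formatted"
# but, without --strict, still exits 0 when the SHA-256 entry for your
# file matches. Filenames used here are constructed for the demonstration.

# count_unparsable_lines LIST
# Counts the lines sha256sum cannot parse: anything that is neither a
# '#' comment nor a "<64 hex digits>  <filename>" entry. This is the number
# behind the "N lines are improperly formatted" warning and says nothing
# about the image itself.
count_unparsable_lines() {
    grep -Ev '^#' "$1" | grep -Evc '^[0-9a-fA-F]{64} [ *].+$' || true
}

# verify_image IMAGE LIST
# Runs sha256sum -c from the image's directory so the basename in the list
# resolves; --ignore-missing skips entries for files you did not download.
# Exit status 0 means the SHA-256 entry for IMAGE matched; anything else
# means a mismatch, an unreadable file, or no matching entry at all.
verify_image() {
    image="$1"; list="$2"
    list_abs="$(cd "$(dirname "$list")" && pwd)/$(basename "$list")"
    ( cd "$(dirname "$image")" && sha256sum -c --ignore-missing "$list_abs" )
}

# Stand-alone use: ./verify.sh /path/to/image.iso /path/to/image.iso.DIGESTS
if [ "$#" -eq 2 ]; then
    echo "unparsable lines in list: $(count_unparsable_lines "$2")"
    verify_image "$1" "$2"
fi
```

Two things this shows that the bare one-liner does not: the unparsable-line count is a property of the list file, so it is the same whether the image is intact or not, and a tampered image still fails cleanly (`FAILED`, non-zero exit) even when the list carries extra lines. Pass `--strict` if you want unparsable lines to fail the check as well.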

      • rudyharrelson@lemmy.radio · 5 hours ago

        Also, how can I get Lemmy to show codecommands formatting? I use Jerboa but don’t see a code block option.

        For inline code like this, wrap the text in backticks `like this`.

        For multi-line code, wrap the text in triple backticks ``` like this ```

  • data1701d (He/Him)@startrek.website · 17 hours ago

    Persistence should be near impossible; you most likely have a bad habit or other factor that makes you vulnerable. As others have said, check your router settings; make sure your router firmware is the latest to patch any vulnerabilities. Check devices on your network to make sure none are compromised.

    My first guess, like others, is you’re doing something horribly wrong with your port forwarding, followed by you’re installing suspect software. Don’t go installing from random GitHub/GitLab repositories without at least doing a bit of background research. Also, sometimes even legitimate open source projects get compromised. Ultimately, try to stick to the bare minimum, just stuff from the Debian repos, and see if it still happens.

    If you still have the problem, then my last resort is to ask this (and this is really paranoid, hopefully an unlikely scenario for you): do you use your computer in a safe environment where only people you trust can access it?

    I mostly ask because if not, maybe someone has physical access to your computer and is pulling an evil maid attack, installing the software when you’re not looking. Maybe it’s a jerk coworker. Maybe it’s a creepy landlord. A login password is not enough to defend against this; it may be possible for the attacker to boot off a USB stick and modify system files. The only way to prevent this is to reinstall and use full disk encryption, which I do on my laptop. You can try to use Secure Boot and TPM[1] to add further protection, but honestly, your attacker just sounds like some script kiddie and probably won’t perform a complex attack on your boot partition.

    [1]: Despite their obnoxious utilization by Microsoft, they can actually be quite useful to a Linux user, making it possible to set up auto-decryption on boot that doesn’t work if the boot partition has been tampered with (in which case you use a backup password).

  • hodgepodgin@lemmy.zip · 19 hours ago (edited)

    I don’t believe Debian is susceptible to worms — it wasn’t even susceptible to last year’s xz attack — and if you have a network firewall with port forwarding disabled, there is no way in unless your router’s firmware is compromised. If you’re running any community-driven software like, for example, game plugins for servers you’re hosting, those could be suspect. Anything not FOSS is also a suspect. Otherwise, if you’ve already done a secure wipe (using dd, hdparm/nvme, or your UEFI) and used another motherboard then it probably isn’t your firmware that is compromised. You mentioned SSH and credential reuse, so this leads me to think a device on your network, like an IoT device (thermometer, baby monitor, home assistant, Roku, etc.) could be infected with malware. You really can’t trust these things to have any security whatsoever and they need to be placed on a segmented or guest network. This attack honestly seems very immature, something a script kiddie would do, or perhaps it is automated. On that note, automation loves vulnerabilities, so if you forgot to change the default credential on your router for example, I would fix that. Make sure everything is on the latest version and patch everything. I would also start suspecting neighbors and juvenile kids around high school age. If nothing else works then I would do a full Mr. Robot wipe down ;)

    • LiveLM@lemmy.zip · 18 hours ago

      Getting reinfected after a clean install is so weird, my bet’s on this ⤴️
      Double check all your IoT, OP. Maybe your cheap crappy IP camera or Smart Lightbulb turned into a botnet

  • rudyharrelson@lemmy.radio · 20 hours ago

    Did you try running a scan for malware? I usually use ClamAV. It’s a simple, FOSS anti-virus scanner for Linux. Can run it from the terminal or install a version with a GUI if you’d prefer that.

  • Skyline969@lemmy.ca · 21 hours ago

    Where does the sound come from? Your headphones, speakers, etc. Does it ever happen when your machine is off? You mentioned you only have wired audio peripherals - perhaps someone is playing a prank on you and has connected some kind of device inline.

    • LOLseas@sh.itjust.works (OP) · 21 hours ago

      I have an A/V Receiver that goes out to a 6.3mm/half-inch jack headphones, and I mostly listen through the 2-channel phones out. But sometimes I run my 5.1 surround sound. Does not happen when the PC is off. I checked all cables, everything seems in order. No tap.

    • frongt@lemmy.zip · 21 hours ago

      Agreed. Persisting through a wipe and reinstall is extremely unlikely. That kind of persistence isn’t used by people doing it for the lulz.

      I’d definitely check for devices on the audio cable, suspicious USB devices, things like that. And we need more info about trying to isolate and identify the actual source of the sound itself (speakers, headphones, etc.)

      Like you mentioned, if it happens even when the PC is off, then I’d look for some kind of annoyatron, not the PC.

  • Sickday@kbin.earth · 22 hours ago

    If you’re confident that your system is compromised and it persists beyond re-installations, you can try to reduce the attack surface by switching up your setup a bit.

    1. Try installing something like OpenBSD or FreeBSD if your hardware is supported. Software made for Linux often doesn’t even work on BSD flavors unless it’s recompiled specifically for those operating systems. Another alternative would be Alpine Linux. Software that relies on glibc often doesn’t work on Alpine thanks to musl.

    2. If your network has been compromised, consider looking into your router’s settings. If you can, try to set up OPNsense so you have better control and visibility over network traffic. You can set up some pretty extensive firewall rules, and if you’re savvy with pf you can really go all out. Alternatively, you can set up an app like Wireshark to take a look at what ingress and egress traffic looks like for your device.

    None of this has to be permanent unless you’re comfortable with a different setup. Hackers will eventually get bored and move on. You just need to outlast them with a setup they can’t do much with.

    • LOLseas@sh.itjust.works (OP) · 21 hours ago

      I am a networking neophyte. Though I bought a Netgate 1100 appliance (pfSense supported). I want to get it up and running, just want to solve the PC problem first.

      I’ve done a few Nmap scans and saw lots of connections I didn’t recognize. I had a large Wireshark pcap I was ferreting around in, but like I said, I don’t know enough to do it justice. I went down the rabbit hole and before long I was considering Suricata as an IDS/IPS. I felt like I was reaching a bit far, when up till now it’s localized to the PC and maybe (idk) the ISP router.

  • CaptainBasculin@lemmy.bascul.in · 22 hours ago (edited)

    Run this command, it will record all audio activity until you stop it to the file sound-inputs.log.

    watch -n0.5 'pacmd list-sink-inputs | tee -a sound-inputs.log'

    When you hear the sound bites, take a look at it and see which process is triggering the sounds. Might help you discover its cause.

    • LOLseas@sh.itjust.works (OP) · 22 hours ago

      So the pulseaudio package wasn’t installed. Installed it, ran the command, and it reports, “No PulseAudio daemon running, or not running as session daemon.”

      I also lost sound. Checked into it, the Output switched from my HDMI to my USB Audio Interface. Switched it back to HDMI 5.1 and I’ve got audio back. If PulseAudio wasn’t in use, should we consider another one-liner?

      • CaptainBasculin@lemmy.bascul.in · 19 hours ago

        If the OS isn’t using PulseAudio by default, then it’s using PipeWire. I am not using it so cannot confirm how it’d work, but from what I understood from its documentation, replacing pacmd list-sink-inputs with pw-cli clients in the previously mentioned command should work.

        • LOLseas@sh.itjust.works (OP) · 6 hours ago

          ‘pw-cli clients’ didn’t work. Maybe it’s deprecated? I can’t find mention of ‘clients’ in the pw-cli manpage.

              • CaptainBasculin@lemmy.bascul.in · 2 hours ago (edited)

                From looking here, the thing that makes the most sense for me is pw-cli list-objects. Could you try running pw-cli, then type list-objects and then play random sounds on an application? Could be anything, like a media player or web browser.

                When no command is given, pw-cli starts an interactive session with the default PipeWire instance pipewire-0.

                This would mean this should list any changes directly to the terminal, saving us from needing to log it externally.

                It should report quite a lot of data considering it reports everything related to audio there, but it should let you know about any changes. If you can trace back from the sounds you made to the application you’ve run it from, it should work.
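The `watch … | tee -a` loop proposed earlier in this thread appends the entire listing every half second, and the thread then moved from `pacmd` to `pw-cli list-objects` because the box runs PipeWire rather than PulseAudio. The script below is an added example, not code from the thread or from the PipeWire project: it polls the same listing but writes only the lines that are new since the previous poll, each prefixed with a UTC timestamp, which gives a small log that can be grepped for the minute a sound was heard. It assumes either `pw-cli` (PipeWire) or `pactl` (works with PulseAudio and with the pipewire-pulse compatibility layer; `pacmd` does not talk to PipeWire) is installed; `LOGFILE`, `INTERVAL` and the `run` argument are this example’s own conventions.

```shell
#!/bin/sh
# Added example, not from the thread: a change-only, timestamped log of audio
# clients, replacing the 'watch ... | tee -a' loop that appends the entire
# listing every half second. Assumes pw-cli (PipeWire) or pactl (PulseAudio
# or pipewire-pulse). LOGFILE and INTERVAL are this example's own settings.

LOGFILE="${LOGFILE:-sound-inputs.log}"
INTERVAL="${INTERVAL:-0.5}"

# One snapshot of the audio graph (PipeWire) or of the active playback
# streams (PulseAudio / pipewire-pulse).
snapshot_audio() {
    if command -v pw-cli >/dev/null 2>&1; then
        pw-cli list-objects
    elif command -v pactl >/dev/null 2>&1; then
        pactl list sink-inputs
    else
        echo "neither pw-cli nor pactl found" >&2
        return 1
    fi
}

# diff_snapshots PREV_FILE CUR_FILE
# Prints the lines present in CUR_FILE but not in PREV_FILE, each prefixed
# with a UTC timestamp. With an empty PREV_FILE every line is "new", which
# records the baseline on the first poll.
diff_snapshots() {
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    grep -vxF -f "$1" "$2" | sed "s/^/$stamp /"
}

# Poll until interrupted; only additions reach the terminal and the log.
log_audio_changes() {
    prev=$(mktemp) cur=$(mktemp)
    trap 'rm -f "$prev" "$cur"' EXIT INT TERM
    while snapshot_audio > "$cur"; do
        diff_snapshots "$prev" "$cur" | tee -a "$LOGFILE"
        cp "$cur" "$prev"
        sleep "$INTERVAL"
    done
}

# Start the poller only when asked ("./audiolog.sh run"), so the functions
# above can also be sourced and used on their own.
if [ "${1-}" = "run" ]; then
    log_audio_changes
fi
```

When a clip plays, the new client or node lines land in `sound-inputs.log` with the time they appeared; the PipeWire listing includes the client’s process properties, so the offending program can be read straight from the log entry rather than reconstructed from a 0.5 s wall of repeated output.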

                • LOLseas@sh.itjust.works (OP) · 1 hour ago

                  Thanks, I ran the above watch command with ‘pw-cli list-objects’ and will report back upon the next occurrence. It’s been quiet these past few hours. Thanks for helping a fellow penguin! Much appreciated, all of you.

    • LOLseas@sh.itjust.works (OP) · 22 hours ago

      God-tier comment here. Will run this right away. Thanks so much, will post findings. What a nice one-liner!

  • n4ch1sm0@piefed.social · 22 hours ago

    I’m a sapling in the Linux world, so I’m useless to you, but I’m following this thread just in case I start hearing “Ike, we are sick of you talking about ghosts!” coming from my speakers.

    How do you think you were compromised? And what have you been doing to make sure you’re not leaking your information to a memelord shit poster of a hacker in the meantime while you’re working on getting this fixed?

    • LOLseas@sh.itjust.works (OP) · 21 hours ago

      No ideer. And no ideer. I’m finally trying to do some serious damage control, but it’s been a real headscratcher. I was amused at first, I have a good sense of humor. Until they started with “long dash- dot dot… dot dot… dot”. I’ll save you looking it up, they told me to off myself. That’s not funny anymore. Thus Lemmy post.

    • LOLseas@sh.itjust.works (OP) · 23 hours ago

      Or… ya know… not. Hence me wanting to track this down. Hence this post. Mental health is very important though. Everyone agree to take care of themselves, mkthanks.

      • zzx@lemmy.world · 22 hours ago

        Ik it’s a long shot and wasn’t really what you were asking for. I’ve just had family with schizophrenia and it’s important to like… Idk leave the door open to it sometimes

        • LOLseas@sh.itjust.works (OP) · 22 hours ago

          I have a friend that struggles with delusional disorder, so I’m no stranger to such disorders. But I assure you, having had to listen to these 7-10s soundbites, find out the sources (Karma Factory/South Park/Morse code) for weeks now… of sound mind (didja see what I did there lol), it’s real and it sucks.

          Still hoping someone can point me to a log file I can grep against for sounds.

          • zzx@lemmy.world · 22 hours ago

            Okay ah see to me it was almost a tell that you already knew the sources, didn’t know you had to figure out where they were from.

            Okay I’m trying to think:

            • Attach a debugger to your kernel, break right when you hear the noise, and then do a full memory dump. Then share it with us here. If you have to be crafty, write a script to send a break right when sound emits. You might need a second computer for this.

  • burntbacon@discuss.tchncs.de · 23 hours ago

    There are a lot of ways that the attacker could persist… maybe try a different distro, just to see if it stops? What did you redownload/install when you did your wipe? Do you have any computers on the network besides yours?

    Obviously worst case for ‘persisting’ would be your hardware. Do you have a friend who can plug in or connect to your internet and see if they get the same blocked requests? Maybe try a different router/modem.

    • LOLseas@sh.itjust.works (OP) · 23 hours ago

      QubesOS is looking mighty nice, if only I wasn’t a gamer and had another GPU to dedicate to the VMs/qubes (dom0 is the baseline qube/VM, and it hijacks the GPU for itself).

      I redownloaded Debian Bookworm and checked the hash, it validated. So I reinstalled with that iso from the official website.

      I swapped hardware, figuring it stemmed from a SecureBoot Key ransom against MSI not too long ago. So I swapped out an MSI X570s Edge Max mobo for an Asus ROG Crosshair VIII Dark Hero. Issues came back.