64
Hacked PC - random sounds playing (sh.itjust.works)
submitted 4 weeks ago* (last edited 2 weeks ago) by LOLseas@sh.itjust.works to c/linux@programming.dev
70 comments fedilink hide all child comments

My fellow penguins,

I have been pwned. What started off as weeks of smiling everytime I heard a 7-10s soundbyte of Karma Factory's "Where Is My Mind" has now devolved into hearing dashes and dots (Morse Code) and my all-time favorite, a South Park S13: Dead Celebrities soundbyte of Ike's Dad saying, "Ike, we are sick of you talking about ghosts!"

It's getting old now.

I feel like these sounds should be grepable in some log somewhere, but I'm a neophyte to this. I've done a clean (secure wipe >> reinstall) already, the sounds returned not even a day later.

Distro is Debian Bookworm. So how do I find these soundbytes? And how do I overcome this persistence? UFW is blocking inbound connection attempts everyday, but the attacker already established a foothold.

Thank you in advance. LOLseas

Update: post-reinstallation and monitoring incoming connections, I'm happy to say the sounds have not returned. This has given me the motivation to install a Netgate 1100 with pfSense ahead of the PC. Thank you all!

you are viewing a single comment's thread
view the rest of the comments
[-] CaptainBasculin@lemmy.bascul.in 19 points 4 weeks ago* (last edited 4 weeks ago)

Run this command, it will record all audio activity until you stop it to the file sound-inputs.log.

watch -n0.5 'pacmd list-sink-inputs | tee -a sound-inputs.log'

When you hear the sound bites, take a look at it and see which process is triggering the sounds. Might help you discover its cause.

Alternatively you can watch playback streams on pavucontrol. It lists all programs that run sounds, but is less detailed.

[-] LOLseas@sh.itjust.works 6 points 4 weeks ago

So the pulseaudio package wasn't installed. Installed it, ran the command, and it reports, "No PulseAudio daemon running, or not running as session daemon."

I also lost sound. Checked into it, the Output switched from my HDMI to my USB Audio Interface. Switched it back to HDMI 5.1 and I've got audio back. If PulseAudio wasn't in use, should we consider another one-liner?

[-] CaptainBasculin@lemmy.bascul.in 14 points 4 weeks ago

If the OS isn't using PulseAudio by default, then it's using PipeWire. I am not using it so cannot confirm how it'd work, but from what I understood from its documentation, replacing pacmd list-sink-inputs with pw-cli clients in the previously mentioned command should work.

[-] LOLseas@sh.itjust.works 1 points 4 weeks ago

'pw-cli clients' didn't work. Maybe it's deprecated? I can't find mention of 'clients' in the pw-cli manpage.

[-] CaptainBasculin@lemmy.bascul.in 1 points 4 weeks ago

https://linuxcommandlibrary.com/man/pw-cli I referred to here for clients. Does your manpage have anything similar to its definition there?

[-] LOLseas@sh.itjust.works 1 points 4 weeks ago
[-] CaptainBasculin@lemmy.bascul.in 1 points 4 weeks ago* (last edited 4 weeks ago)

from looking here, the thing that makes the most sense for me is pw-cli list-objects, could you try running pw-cli, then type list-objects and then play random sounds on an application? Could be anything, like a media player or web browser.

When no command is given, pw-cli starts an interactive session with the default PipeWire instance pipewire-0.

This would mean this should list any changes directly to the terminal, saving us from needing to log it externally

It should report quite a lot of data considering it reports everything related to audio there, but it should let you know about any changes. If you can trace back from the sounds you made to the application you've run it from, it should work.

[-] LOLseas@sh.itjust.works 1 points 4 weeks ago

Thanks, I ran the above watch command with 'pw-cli list-objects' and will report back upon the next occurence. It's been quiet these past few hours. Thanks for helping a fellow penguin! Much appreciated, all of you.

[-] LOLseas@sh.itjust.works 1 points 4 weeks ago* (last edited 4 weeks ago)

I couldn't wait for the next soundbyte, so I checked the running sound-inputs.log and noticed a few entries for Chromium. I don't use it, nor have I ever installed it on this system. Did a 'which chromium-browser' and got no hits. Yet it's mentioned a few times in the log. Thoughts?

Edit: typo

[-] CaptainBasculin@lemmy.bascul.in 2 points 4 weeks ago

Different applications can use Chromium as their base and might not be configured to return their application name to PipeWire, which in that case, Chromium returns its name.

If you're using a web app like Discord/Vesktop that's likely it.

[-] LOLseas@sh.itjust.works 1 points 3 weeks ago

Thanks for your input!

[-] LOLseas@sh.itjust.works 4 points 4 weeks ago

God-tier comment here. Will run this right away. Thanks so much, will post findings. What a nice one-liner!

this post was submitted on 04 Sep 2025
64 points (100.0% liked)

Linux

9621 readers
165 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev