Hacked PC - random sounds playing (sh.itjust.works)

submitted 1 month ago* (last edited 1 month ago) by LOLseas@sh.itjust.works to c/linux@programming.dev

70 comments fedilink hide all child comments

My fellow penguins,

I have been pwned. What started off as weeks of smiling everytime I heard a 7-10s soundbyte of Karma Factory's "Where Is My Mind" has now devolved into hearing dashes and dots (Morse Code) and my all-time favorite, a South Park S13: Dead Celebrities soundbyte of Ike's Dad saying, "Ike, we are sick of you talking about ghosts!"

It's getting old now.

I feel like these sounds should be grepable in some log somewhere, but I'm a neophyte to this. I've done a clean (secure wipe >> reinstall) already, the sounds returned not even a day later.

Distro is Debian Bookworm. So how do I find these soundbytes? And how do I overcome this persistence? UFW is blocking inbound connection attempts everyday, but the attacker already established a foothold.

Thank you in advance. LOLseas

Update: post-reinstallation and monitoring incoming connections, I'm happy to say the sounds have not returned. This has given me the motivation to install a Netgate 1100 with pfSense ahead of the PC. Thank you all!

you are viewing a single comment's thread
view the rest of the comments

[+] BCOVertigo@lemmy.world 1 points 1 month ago

[deleted]

[-] LOLseas@sh.itjust.works 3 points 1 month ago* (last edited 1 month ago)

I would love to catch the event, but it's sporadic. I stumbled across the gnome-logs package and see concerning events such as "Warning: writing to insecure memory!" from a running service: tracker-extract-3.service. But that service, though named intimidatingly, just watches the file directory for updates/new files.

I'm dealing with Morse Code atm and it's a welcomed relief from the South Park or Karma Factory bytes.

Also, I installed Ventoy on my USB drive and put a Gentoo Live iso as well as Debian, Slax, and QubesOS. I intend to reinstall (thinking of starting with Gentoo).

Then I tried unmounting it. It hung with "device busy" for a solid 6 minutes, and finally ejected. New fear is the attacker is altering the iso files I'm putting on the drive. So I ran sha256sum -c [Gentoo.iso filename] against the SHA256 hash from gentoo.org and it completed as OK but bitched about 12 lines improperly formatted. I'm spitballing again on what to do.

Also, how can I get Lemmy to show codecommands formatting? I use Jerboa but don't see a code block option.

[-] PoolloverNathan@programming.dev 3 points 1 month ago

Don't run sha256sum -c on your suspect file — it expects to be passed a file containing hashes and other filenames. sha256sum the iso itself instead and check by eye, or make such a hash file.

[-] LOLseas@sh.itjust.works 1 points 1 month ago

Downloaded the Gentoo LiveUSB image again from a running Gentoo LiveUSB session, from gentoo.org and also the .iso.sha256 file. Ran 'sha256sum' on both files. They mismatch. Photo included.

[-] SkavarSharraddas@gehirneimer.de 2 points 1 month ago

I think you need to run sha256sum -c *.iso.sha256 (note the -c) to check the .iso file against the downloaded .sha256 file. Or just cat the .sha256 file and check that its content matches your output here.