submitted 1 month ago* (last edited 1 month ago) by LOLseas@sh.itjust.works to c/linux@programming.dev

My fellow penguins,

I have been pwned. What started off as weeks of smiling every time I heard a 7-10s soundbyte of Karma Factory's "Where Is My Mind" has now devolved into hearing dashes and dots (Morse Code) and my all-time favorite, a South Park S13: Dead Celebrities soundbyte of Ike's Dad saying, "Ike, we are sick of you talking about ghosts!"

It's getting old now.

I feel like these sounds should be grepable in some log somewhere, but I'm a neophyte to this. I've done a clean (secure wipe >> reinstall) already, the sounds returned not even a day later.

Distro is Debian Bookworm. So how do I find these soundbytes? And how do I overcome this persistence? UFW is blocking inbound connection attempts every day, but the attacker already established a foothold.

Thank you in advance. LOLseas

Update: post-reinstallation and monitoring incoming connections, I'm happy to say the sounds have not returned. This has given me the motivation to install a Netgate 1100 with pfSense ahead of the PC. Thank you all!

[-] LOLseas@sh.itjust.works 3 points 1 month ago* (last edited 1 month ago)

I would love to catch the event, but it's sporadic. I stumbled across the gnome-logs package and see concerning events such as "Warning: writing to insecure memory!" from a running service: tracker-extract-3.service. But that service, though named intimidatingly, just watches the file directory for updates/new files.

I'm dealing with Morse Code atm and it's a welcomed relief from the South Park or Karma Factory bytes.

Also, I installed Ventoy on my USB drive and put a Gentoo Live iso as well as Debian, Slax, and QubesOS. I intend to reinstall (thinking of starting with Gentoo).

Then I tried unmounting it. It hung with "device busy" for a solid 6 minutes, and finally ejected. New fear is the attacker is altering the iso files I'm putting on the drive. So I ran `sha256sum -c [Gentoo.iso filename]` against the SHA256 hash from gentoo.org and it completed as OK but bitched about 12 lines improperly formatted. I'm spitballing again on what to do.

Also, how can I get Lemmy to show codecommands formatting? I use Jerboa but don't see a code block option.

[-] rudyharrelson@lemmy.radio 3 points 1 month ago

> Also, how can I get Lemmy to show codecommands formatting? I use Jerboa but don’t see a code block option.

For inline code like this, wrap the text in backticks `like this`.

For multi-line code, wrap the text in triple backticks ``` like this ```

[-] LOLseas@sh.itjust.works 2 points 1 month ago

Thanks so much!

[-] PoolloverNathan@programming.dev 3 points 1 month ago

Don't run `sha256sum -c` on your suspect file — it expects to be passed a file containing hashes and other filenames. `sha256sum` the iso itself instead and check by eye, or make such a hash file.

[-] LOLseas@sh.itjust.works 1 points 1 month ago

Downloaded the Gentoo LiveUSB image again from a running Gentoo LiveUSB session, from gentoo.org and also the .iso.sha256 file. Ran 'sha256sum' on both files. They mismatch. Photo included.

[-] SkavarSharraddas@gehirneimer.de 2 points 1 month ago

I think you need to run `sha256sum -c *.iso.sha256` (note the `-c`) to check the .iso file against the downloaded .sha256 file. Or just `cat` the .sha256 file and check that its content matches your output here.
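The check the replies above describe, as an added example that is not part of the thread: hash the image itself and compare it with the entry for that file name in the downloaded checksum file, skipping any lines that are not checksum entries (the kind of lines `sha256sum -c` reports as improperly formatted). The function names, the `sample.iso` file and the signature-style wrapper lines are constructed for illustration.

```shell
# Added example, not from the thread. File names and contents are constructed.

# Print the digest listed for NAME in a sha256sum-style checksum file.
# Lines that are not "<64 hex><two-char separator><name>" (blank lines,
# comments, PGP armor) are skipped.
expected_digest() {   # expected_digest CHECKSUM_FILE NAME
    awk -v name="$2" '
        length($0) > 66 {
            hash = substr($0, 1, 64); sep = substr($0, 65, 2)
            if (hash ~ /[^0-9a-fA-F]/) next
            if (sep != "  " && sep != " *") next
            if (substr($0, 67) == name) { print tolower(hash); exit }
        }' "$1"
}

# Return 0 if FILE hashes to the listed digest, 1 on mismatch,
# 2 if the checksum file has no entry for FILE's base name.
verify_download() {   # verify_download FILE CHECKSUM_FILE
    want=$(expected_digest "$2" "$(basename "$1")")
    if [ -z "$want" ]; then
        echo "no SHA-256 entry for $1 in $2" >&2; return 2
    fi
    got=$(sha256sum < "$1" | cut -d' ' -f1)   # hash the image itself
    if [ "$got" = "$want" ]; then
        echo "OK: $1"
    else
        echo "MISMATCH: $1 (listed $want, computed $got)" >&2
        return 1
    fi
}

# Build a constructed "image" and a checksum file with signature-style lines around the entry.
make_sample() {   # make_sample DIR
    printf 'constructed image contents\n' > "$1/sample.iso"
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo '# SHA256 HASH'
        ( cd "$1" && sha256sum sample.iso )
        echo '-----BEGIN PGP SIGNATURE-----'
        echo '(constructed placeholder, not a real signature)'
        echo '-----END PGP SIGNATURE-----'
    } > "$1/sample.iso.sha256"
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
verify_download "$demo_dir/sample.iso" "$demo_dir/sample.iso.sha256"          # match
printf 'x' >> "$demo_dir/sample.iso"                                           # simulate an altered image
verify_download "$demo_dir/sample.iso" "$demo_dir/sample.iso.sha256" || true  # mismatch
rm -rf "$demo_dir"
```

This compares the image with the listed digest only; it does not verify any signature on the checksum file itself.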

this post was submitted on 04 Sep 2025
64 points (100.0% liked)
