My fellow penguins,

I have been pwned. What started off as weeks of smiling every time I heard a 7-10s sound bite of Karma Factory’s “Where Is My Mind” has now devolved into hearing dashes and dots (Morse Code) and my all-time favorite, a South Park S13: Dead Celebrities sound bite of Ike’s Dad saying, “Ike, we are sick of you talking about ghosts!”

It’s getting old now.

I feel like these sounds should be grepable in some log somewhere, but I’m a neophyte to this. I’ve done a clean (secure wipe >> reinstall) already, the sounds returned not even a day later.

Distro is Debian Bookworm. So how do I find these sound bites? And how do I overcome this persistence? UFW is blocking inbound connection attempts every day, but the attacker already established a foothold.

Thank you in advance. LOLseas

  • friend_of_satan@lemmy.world · +2 · 28 days ago

    Run strace (or falco) and log every file open. When you hear the sound, reference the log of what files were accessed at that time.

    Run tcpdump and capture all traffic. Analyze it in wireshark, searching for a time window around when the sounds happened.

    FWIW putting pranks like this in cron or systemd is a common way to haze people who have bad security practices. We also used to set the default run level to 3 or 6, but of course that doesn’t make sense in the era of systemd.
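    As an added example (not part of the thread), here is a small POSIX shell script that enumerates the cron, systemd and autostart locations a prank like the one above would usually live in, and lists the files under them changed in the last few days. The paths are the standard Debian ones; the ROOT parameter exists only so the functions can be pointed at a mounted copy of the disk, and any file names in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate the locations a cron/systemd/
# autostart job on Debian would have to live in, then list files under them
# modified recently. ROOT is optional (defaults to the live system) so the
# same functions can run against a mounted copy of the disk.

# Print the persistence locations that exist under ROOT, system ones first,
# then the per-user ones for every home directory and /root.
persistence_paths() {
    root="${1:-}"
    for p in \
        "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" \
        "$root/etc/cron.daily" "$root/var/spool/cron/crontabs" \
        "$root/etc/systemd/system" "$root/etc/systemd/user" \
        "$root/etc/xdg/autostart" "$root/etc/profile.d" "$root/etc/rc.local"; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
    for h in "$root"/home/* "$root/root"; do
        [ -d "$h" ] || continue
        for p in "$h/.config/systemd/user" "$h/.config/autostart" \
                 "$h/.bashrc" "$h/.profile" "$h/.bash_profile" "$h/.xsessionrc"; do
            if [ -e "$p" ]; then printf '%s\n' "$p"; fi
        done
    done
}

# Print regular files under those locations modified within DAYS days
# (default 7). After a reinstall, anything here newer than the install is
# worth reading; pipe to "xargs ls -l --time-style=full-iso" for timestamps.
recent_persistence_changes() {
    root="${1:-}"
    days="${2:-7}"
    persistence_paths "$root" | while IFS= read -r p; do
        find "$p" -type f -mtime -"$days"
    done
}

# Live-system checks that have no file to point at (run as root):
#   crontab -l -u <user>                 # per-user crontab
#   systemctl list-timers --all          # system timers
#   systemctl --user list-timers --all   # the logged-in user's timers
```

    Run it as root right after the reinstall (recent_persistence_changes "" 1) and again when the sounds come back; the difference between the two listings is the short list of files to read.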

  • entwine@programming.dev · +1 · 28 days ago

    lmao this is a targeted campaign to fuck with you. Look at people in your circle of family/friends/acquaintances/enemies and you’ll find your suspect. Real viruses don’t do anything as remotely entertaining as this, they just steal your passwords/crypto/etc, ransomware your files, or turn your PC into a botnet for internet spam or mining.

    Download a fresh install of debian, flash it onto a usb, and do a reinstall. Use different root/user passwords that you’re certain nobody knows, and ensure you lock the computer whenever you step away. Also, obviously, be careful with what software you’re installing.

  • just_another_person@lemmy.world · +1 · 29 days ago

    It’s very unlikely you’re getting hacked, but if you wiped and then reinstalled using the same credentials again…who knows.

    Can you tell a bit more about your setup? Do your speakers have Bluetooth? Do you have some other type of wireless devices hooked up to your machine?

    • Start by checking your auth logs for logins or executed commands
    • Check and see if another user has been created
    • Did you run scripts from anywhere during your setup? If so, link them here.
    • Use the ‘w’ command to see if anyone else is logged into the machine when the noises happen
    • Disable SSH on your machine temporarily and see if the sounds stop. If not, it’s unlikely your machine is compromised, but more likely the sound is coming from your speakers having wireless comms of some sort.
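    An added example, not from the thread: Debian 12 ships without rsyslog, so there is no /var/log/auth.log by default and the auth events live in the journal. The functions below do the account checks from the list above (extra accounts, duplicate entries, a second UID 0) against /etc/passwd; the file path parameter exists only so they can be run against a copied file, the journalctl line assumes Debian’s default ssh.service unit name, and the sample passwd used to check them is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the account database. PASSWD
# defaults to /etc/passwd and exists only so the functions can be run
# against a copied file.

# Accounts that can actually log in: a real shell, and UID 0 or >= 1000
# (Debian allocates ordinary users from 1000). Prints "uid name home shell".
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ && ($3 == 0 || $3 >= 1000) {
        print $3, $1, $6, $7
    }' "${1:-/etc/passwd}"
}

# User names or UIDs that occur more than once. Output should be empty:
# a repeated name is the "triplicate user account" symptom, a repeated
# UID 0 is a second root.
duplicate_accounts() {
    f="${1:-/etc/passwd}"
    cut -d: -f1 "$f" | sort | uniq -d | sed 's/^/name /'
    cut -d: -f3 "$f" | sort | uniq -d | sed 's/^/uid /'
}

# Any UID-0 account that is not root. Output should be empty.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Debian 12 has no /var/log/auth.log unless rsyslog is installed; the same
# events are in the journal. "+" joins alternative matches:
#   journalctl --since "-2 days" _SYSTEMD_UNIT=ssh.service + _COMM=sudo + _COMM=su
#   last -a        # logins from /var/log/wtmp, with the source host
#   lastlog        # most recent login per account
```

    duplicate_accounts and extra_root_accounts should print nothing on a healthy system; login_accounts should list exactly root plus the users you created.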
    • LOLseas@sh.itjust.works (OP) · +1 · 29 days ago

      Oh. I know I’ve been compromised. It’s beyond reasonable doubt.

      I run cabled headphones, no BT love. I get triplicate of my user account. Did not run any scripts post-install. Can’t find auth.log in /var/log. One time I went down for a reboot, there was an SSH process hanging up the reboot, so I CTRL-C’d and the system successfully rebooted. Since then I disabled SSHD.

      Thanks so far, you’re awesome.

      • just_another_person@lemmy.world · +1 · 29 days ago

        Are you reusing credentials or something? It would be VERY weird to just get remotely compromised like that.

        Some other questions:

        1. Does your network not have NAT or firewall of some sort?
        2. What packages are installed that would allow remote access? (SSH, RDP…etc?)
        • LOLseas@sh.itjust.works (OP) · +1 · 29 days ago

          Guilty of reusing credentials. Strong password, but reused.

          I use my ISP’s router and their built-in firewall is saying Enabled on the page.

          Then I run UFW on my PC denying all incoming. It’s one of two rules (the other is port forwarding for CS:CZ server).

          I thought running Mullvad VPN would be another good layer of obscurity, but whatever drive-by malware got through something somewhere. ClamAV reported no infections. No SSH and no RDP. I really am at a loss on how I got compromised.

          Thanks for spitballing with me! I look forward to further insight.

  • data1701d (He/Him)@startrek.website · +1 · 29 days ago

    Persistence should be near impossible; you most likely have a bad habit or other factor that makes you vulnerable. As others have said, check your router settings; make sure your router firmware is the latest to patch any vulnerabilities. Check devices on your network to make sure none are compromised.

    My first guess, like others, is you’re doing something horribly wrong with your port forwarding, followed by you’re installing suspect software. Don’t go installing from random Github/Gitlab repositories without at least doing a bit of background research. Also, sometimes even legitimate open source projects get compromised. Ultimately, try to stick to the bare minimum, just stuff from the Debian repos, and see if it still happens.

    If you still have the problem, then my last resort is to ask this (and this is really paranoid, hopefully an unlikely scenario for you): do you use your computer in a safe environment where only people you trust can access it?

    I mostly ask because if not, maybe someone has physical access to your computer and is pulling an evil maid attack, installing the software when you’re not looking. Maybe it’s a jerk coworker. Maybe it’s a creepy landlord. A login password is not enough to defend against this; it may be possible for the attacker to boot off a USB stick and modify system files. The only way to prevent this is to reinstall and use full disk encryption, which I do on my laptop. You can try to use Secure Boot and TPM1 to add further protection, but honestly, your attacker just sounds like some script kiddie and probably won’t perform a complex attack on your boot partition.

    1: Despite their obnoxious utilization by Microsoft, they can actually be quite useful to a Linux user, making it possible to set up auto-decryption on boot that doesn’t work if the boot partition has been tampered with (in which case you use a backup password).

  • CaptainBasculin@lemmy.bascul.in · +1 · 29 days ago

    Run this command; it will record all audio activity until you stop it to the file sound-inputs.log.

    watch -n0.5 'pacmd list-sink-inputs | tee -a sound-inputs.log'

    When you hear the sound bites, take a look at it and see which process is triggering the sounds. Might help you discover its cause.

    Alternatively you can watch playback streams on pavucontrol. It lists all programs that run sounds, but is less detailed.
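    An added example (not CaptainBasculin’s command, and not from the thread) that works the same whether PulseAudio, PipeWire or plain ALSA is in use: whatever plays the clip has to hold a device under /dev/snd open, and that file descriptor is visible in /proc. It needs root to read other users’ file descriptors; the PROCROOT parameter exists only so it can be pointed at a copied tree, and the log format is my own.

```shell
#!/bin/sh
# Added example, not from the thread: find the process holding the sound card
# open. Any player, whether through PulseAudio, PipeWire or ALSA directly, has
# to open a device under /dev/snd, and that file descriptor is visible in
# /proc. Run as root to see other users' processes. PROCROOT defaults to
# /proc and exists only so the functions can run against a copied tree.

# Print "epoch-seconds pid comm device" for every open /dev/snd device.
snd_holders() {
    procroot="${1:-/proc}"
    now="$(date +%s)"
    for fd in "$procroot"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target="$(readlink "$fd" 2>/dev/null)" || continue
        case "$target" in
            /dev/snd/*) ;;
            *) continue ;;
        esac
        piddir="${fd%/fd/*}"
        pid="${piddir##*/}"
        comm="$(cat "$piddir/comm" 2>/dev/null || echo '?')"
        printf '%s %s %s %s\n' "$now" "$pid" "$comm" "$target"
    done
}

# Poll every half second and append to LOGFILE until interrupted with Ctrl-C.
log_snd_holders() {
    logfile="${1:-snd-holders.log}"
    while :; do
        snd_holders | tee -a "$logfile"
        sleep 0.5
    done
}

# Lines of LOGFILE within WINDOW seconds (default 30) of epoch time AT, for
# "I heard it at 14:32" lookups:
#   snd_log_window snd-holders.log "$(date -d '14:32' +%s)"
snd_log_window() {
    logfile="$1"
    at="$2"
    window="${3:-30}"
    awk -v at="$at" -v win="$window" '$1 >= at - win && $1 <= at + win' "$logfile"
}
```

    Leave log_snd_holders running in a terminal; when a clip plays, note the clock time and run snd_log_window against the log. The pid column is what you then feed to ps -o pid,ppid,user,lstart,cmd -p, and the parent pid usually points straight at the cron, systemd or shell session that started it.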

    • LOLseas@sh.itjust.works (OP) · 0 · 29 days ago

      So the pulseaudio package wasn’t installed. Installed it, ran the command, and it reports, “No PulseAudio daemon running, or not running as session daemon.”

      I also lost sound. Checked into it, the Output switched from my HDMI to my USB Audio Interface. Switched it back to HDMI 5.1 and I’ve got audio back. If PulseAudio wasn’t in use, should we consider another one-liner?

      • CaptainBasculin@lemmy.bascul.in · 0 · 29 days ago

        If the OS isn’t using PulseAudio by default, then it’s using PipeWire. I am not using it so cannot confirm how it’d work, but from what I understood from its documentation, replacing pacmd list-sink-inputs with pw-cli clients in the previously mentioned command should work.

        • LOLseas@sh.itjust.works (OP) · 0 · 28 days ago

          ‘pw-cli clients’ didn’t work. Maybe it’s deprecated? I can’t find mention of ‘clients’ in the pw-cli manpage.

            • CaptainBasculin@lemmy.bascul.in · 0 · 28 days ago

                From looking here, the thing that makes the most sense to me is pw-cli list-objects. Could you try running pw-cli, then type list-objects and then play random sounds on an application? Could be anything, like a media player or web browser.

                When no command is given, pw-cli starts an interactive session with the default PipeWire instance pipewire-0.

                This would mean it should list any changes directly to the terminal, saving us from needing to log it externally.

                It should report quite a lot of data considering it reports everything related to audio there, but it should let you know about any changes. If you can trace back from the sounds you made to the application you’ve run it from, it should work.
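                An added example, not from the thread and not CaptainBasculin’s command: on a PipeWire system, pw-dump prints every object as JSON, and each playback stream carries the PipeWire properties media.class (Stream/Output/Audio), application.name and application.process.id, so the interactive session can be replaced by a one-line summary that is easy to log with a timestamp. The awk relies on pw-dump’s two-space indentation, which is an assumption about its layout; the JSON sample used to check it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: summarise PipeWire playback streams
# from pw-dump output and log them with timestamps.

# Read pw-dump JSON on stdin; print "pid application" for every object whose
# media.class is Stream/Output/Audio. Assumes pw-dump's layout: each
# top-level object starts with an "id" key at four-space indentation.
# Values may be quoted or bare numbers, so both forms are accepted.
pw_output_streams() {
    awk '
        function flush() { if (cls == "Stream/Output/Audio") print pid, app }
        /^    "id":/ { flush(); cls = ""; app = "?"; pid = "?" }
        /"media.class":/ {
            cls = $0; sub(/.*: *"/, "", cls); sub(/".*/, "", cls) }
        /"application.name":/ {
            app = $0; sub(/.*: *"/, "", app); sub(/".*/, "", app) }
        /"application.process.id":/ {
            pid = $0; sub(/.*: *"?/, "", pid); sub(/[",].*/, "", pid) }
        END { flush() }
    '
}

# Append a timestamped snapshot of the playback streams to LOGFILE every half
# second until interrupted with Ctrl-C.
log_pw_output_streams() {
    logfile="${1:-pw-streams.log}"
    while :; do
        pw-dump 2>/dev/null | pw_output_streams \
            | sed "s/^/$(date '+%F %T') /" | tee -a "$logfile"
        sleep 0.5
    done
}
```

                A stream that shows up with a pid you do not recognise is the lead: ps -o pid,ppid,user,lstart,cmd -p <pid> gives the command line and the parent that launched it. Short clips can finish before a half-second poll catches them, which is why logging continuously beats looking only after the sound.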

                • LOLseas@sh.itjust.works (OP) · 0 · 28 days ago

                  Thanks, I ran the above watch command with ‘pw-cli list-objects’ and will report back upon the next occurrence. It’s been quiet these past few hours. Thanks for helping a fellow penguin! Much appreciated, all of you.

    • LOLseas@sh.itjust.works (OP) · 0 · 29 days ago

      Or… ya know… not. Hence me wanting to track this down. Hence this post. Mental health is very important though. Everyone agree to take care of themselves, mkthanks.

      • zzx@lemmy.world · 0 · 29 days ago

        Ik it’s a long shot and wasn’t really what you were asking for. I’ve just had family with schizophrenia and it’s important to like… Idk leave the door open to it sometimes

        • LOLseas@sh.itjust.works (OP) · 0 · 29 days ago

          I have a friend that struggles with delusional disorder, so I’m no stranger to such disorders. But I assure you, having had to listen to these 7-10s sound bites, find out the sources (Karma Factory/South Park/Morse Code) for weeks now… of sound mind (didja see what I did there lol), it’s real and it sucks.

          Still hoping someone can point me to a log file I can grep against for sounds.

          • zzx@lemmy.world · 0 · 29 days ago

            Okay ah see to me it was almost a tell that you already knew the sources, didn’t know you had to figure out where they were from.

            Okay I’m trying to think:

            • Attach a debugger to your kernel, break right when you hear the noise, and then do a full memory dump. Then share it with us here. If you have to be crafty, write a script to send a break right when sound emits. You might need a second computer for this.
    • LOLseas@sh.itjust.works (OP) · 0 · 28 days ago

      I do. But I counter with this: I had never even heard of the band Karma Factory until that sound bite played. With the help of an F-droid app on my phone, “Audile”, I was able to quickly mic the sound bite and that helped me figure out the song clip. There is absolutely no chance Steam factored into this lolfest.

      • I mean, that’s what that guy who had the issue back then also thought. IIRC he had morse code and whispering at random times.

        Maybe just quickly check what Steam’s audio player has listed as soundtracks, just to rule it out (assuming you haven’t found the cause yet).