this post was submitted on 04 Sep 2025
59 points (96.8% liked)

Linux


My fellow penguins,

I have been pwned. What started off as weeks of smiling every time I heard a 7-10s soundbyte of Karma Factory's "Where Is My Mind" has now devolved into hearing dashes and dots (Morse Code) and my all-time favorite, a South Park S13: Dead Celebrities soundbyte of Ike's Dad saying, "Ike, we are sick of you talking about ghosts!"

It's getting old now.

I feel like these sounds should be grepable in some log somewhere, but I'm a neophyte to this. I've done a clean (secure wipe >> reinstall) already, the sounds returned not even a day later.

Distro is Debian Bookworm. So how do I find these soundbytes? And how do I overcome this persistence? UFW is blocking inbound connection attempts every day, but the attacker already established a foothold.

Thank you in advance. LOLseas

[–] CaptainBasculin@lemmy.bascul.in 14 points 3 days ago (1 children)

If the OS isn't using PulseAudio by default, then it's using PipeWire. I am not using it so cannot confirm how it'd work, but from what I understood from its documentation, replacing pacmd list-sink-inputs with pw-cli clients in the previously mentioned command should work.

[–] LOLseas@sh.itjust.works 1 points 2 days ago (1 children)

'pw-cli clients' didn't work. Maybe it's deprecated? I can't find mention of 'clients' in the pw-cli manpage.

[–] CaptainBasculin@lemmy.bascul.in 1 points 2 days ago (1 children)

https://linuxcommandlibrary.com/man/pw-cli I referred to here for clients. Does your manpage have anything similar to its definition there?

[–] LOLseas@sh.itjust.works 1 points 2 days ago (1 children)
[–] CaptainBasculin@lemmy.bascul.in 1 points 2 days ago* (last edited 2 days ago) (1 children)

From looking here, the thing that makes the most sense to me is pw-cli list-objects. Could you try running pw-cli, then type list-objects and then play random sounds on an application? Could be anything, like a media player or web browser.

When no command is given, pw-cli starts an interactive session with the default PipeWire instance pipewire-0.

This would mean this should list any changes directly to the terminal, saving us from needing to log it externally.

It should report quite a lot of data considering it reports everything related to audio there, but it should let you know about any changes. If you can trace back from the sounds you made to the application you've run it from, it should work.

[–] LOLseas@sh.itjust.works 1 points 2 days ago (1 children)

Thanks, I ran the above watch command with 'pw-cli list-objects' and will report back upon the next occurrence. It's been quiet these past few hours. Thanks for helping a fellow penguin! Much appreciated, all of you.

[–] LOLseas@sh.itjust.works 1 points 2 days ago* (last edited 2 days ago) (1 children)

I couldn't wait for the next soundbyte, so I checked the running sound-inputs.log and noticed a few entries for Chromium. I don't use it, nor have I ever installed it on this system. Did a 'which chromium-browser' and got no hits. Yet it's mentioned a few times in the log. Thoughts?

Edit: typo

[–] CaptainBasculin@lemmy.bascul.in 2 points 2 days ago (1 children)

Different applications can use Chromium as their base and might not be configured to return their application name to PipeWire, in which case Chromium returns its name.

If you're using a web app like Discord/Vesktop that's likely it.

[–] LOLseas@sh.itjust.works 1 points 1 day ago

Thanks for your input!
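
An added example, not part of the thread: the "Chromium" entries discussed above are a name the client reports about itself, so one way to trace a stream to a process is to join each playback node to its owning client in the JSON printed by `pw-dump`. The sample data is constructed, and the property names are assumed to match what your PipeWire version emits.

```python
import json
import sys

# Constructed sample in the shape of `pw-dump` output; not captured from a real system.
SAMPLE_DUMP = json.dumps([
    {"id": 71, "type": "PipeWire:Interface:Client", "info": {"props": {
        "application.name": "Chromium", "application.process.binary": "electron",
        "application.process.id": 4242, "pipewire.sec.pid": 4242}}},
    {"id": 45, "type": "PipeWire:Interface:Node", "info": {"props": {
        "media.class": "Audio/Sink", "node.name": "alsa_output.constructed"}}},
    {"id": 88, "type": "PipeWire:Interface:Node", "info": {"props": {
        "media.class": "Stream/Output/Audio", "application.name": "Chromium",
        "media.name": "Playback", "client.id": 71}}},
    {"id": 93, "type": "PipeWire:Interface:Node", "info": {"props": {
        "media.class": "Stream/Output/Audio", "application.name": "unknown",
        "client.id": 99}}},
])


def _props(obj):
    return (obj.get("info") or {}).get("props") or {}


def _as_int(value):
    return int(value) if value is not None else None


def playback_streams(dump_text):
    """Return one row per playback stream, joined to the client that owns it."""
    objects = json.loads(dump_text)
    clients = {o["id"]: _props(o) for o in objects
               if o.get("type") == "PipeWire:Interface:Client"}
    rows = []
    for o in objects:
        p = _props(o)
        if o.get("type") != "PipeWire:Interface:Node":
            continue
        if p.get("media.class") != "Stream/Output/Audio":
            continue  # skip sinks, sources and capture streams
        c = clients.get(p.get("client.id"), {})
        # application.* values are supplied by the client itself;
        # pipewire.sec.pid is recorded by the server for the connecting process.
        rows.append({"node": o["id"], "reported_name": p.get("application.name"),
                     "binary": c.get("application.process.binary"),
                     "claimed_pid": _as_int(c.get("application.process.id")),
                     "peer_pid": _as_int(c.get("pipewire.sec.pid"))})
    return rows


if __name__ == "__main__":
    # Real data: `pw-dump | python3 this_script.py`; with no pipe, the sample is used.
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    print(*playback_streams(text), sep="\n")
```

A PID from the output can then be checked with `ps -fp <pid>` or `ls -l /proc/<pid>/exe` to see which installed program is behind the reported name.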