this post was submitted on 04 Sep 2025
59 points (96.8% liked)

Linux


My fellow penguins,

I have been pwned. What started off as weeks of smiling every time I heard a 7-10s soundbite of Karma Factory's "Where Is My Mind" has now devolved into hearing dashes and dots (Morse Code) and my all-time favorite, a South Park S13: Dead Celebrities soundbite of Ike's Dad saying, "Ike, we are sick of you talking about ghosts!"

It's getting old now.

I feel like these sounds should be grepable in some log somewhere, but I'm a neophyte to this. I've done a clean (secure wipe >> reinstall) already, the sounds returned not even a day later.

Distro is Debian Bookworm. So how do I find these soundbites? And how do I overcome this persistence? UFW is blocking inbound connection attempts every day, but the attacker already established a foothold.

Thank you in advance. LOLseas

[–] LOLseas@sh.itjust.works 3 points 2 days ago* (last edited 2 days ago) (2 children)

I would love to catch the event, but it's sporadic. I stumbled across the gnome-logs package and see concerning events such as "Warning: writing to insecure memory!" from a running service: tracker-extract-3.service. But that service, though named intimidatingly, just watches the file directory for updates/new files.

I'm dealing with Morse Code atm and it's a welcome relief from the South Park or Karma Factory soundbites.

Also, I installed Ventoy on my USB drive and put a Gentoo Live iso as well as Debian, Slax, and QubesOS. I intend to reinstall (thinking of starting with Gentoo).

Then I tried unmounting it. It hung with "device busy" for a solid 6 minutes, and finally ejected. New fear is the attacker is altering the iso files I'm putting on the drive. So I ran `sha256sum -c [Gentoo.iso filename]` against the SHA256 hash from gentoo.org and it completed as OK but bitched about 12 lines improperly formatted. I'm spitballing again on what to do.

Also, how can I get Lemmy to show code/commands formatting? I use Jerboa but don't see a code block option.

[–] PoolloverNathan@programming.dev 3 points 2 days ago (1 children)

Don't run `sha256sum -c` on your suspect file: it expects to be passed a file containing hashes and other filenames. `sha256sum` the iso itself instead and check by eye, or make such a hash file.

[–] LOLseas@sh.itjust.works 1 points 1 day ago (1 children)

Downloaded the Gentoo LiveUSB image again from a running Gentoo LiveUSB session, from gentoo.org and also the .iso.sha256 file. Ran `sha256sum` on both files. They mismatch. Photo included.

I think you need to run `sha256sum -c *.iso.sha256` (note the `-c`) to check the .iso file against the downloaded .sha256 file. Or just `cat` the .sha256 file and check that its content matches your output here.
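The two replies above describe the same workflow: `sha256sum -c` reads a checksum file in the `HASH  FILENAME` layout and verifies the file it names, and running `-c` on the image itself only produces "improperly formatted" complaints. The script below is an added example, not code from the thread or from Gentoo, that walks through both cases on a constructed stand-in file (a few bytes instead of a real ISO). The filename `gentoo-livegui.iso` and the assumption that the published `.sha256` file uses the standard `sha256sum` layout are illustrative; check the actual `.sha256` you downloaded with `cat` first.

```shell
#!/bin/sh
# Added example (not from the thread): verify an image against its .sha256
# file the way sha256sum -c expects, and show the two failure modes a
# practitioner should recognise (tampered file, and -c pointed at the ISO).
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed stand-in for the ISO; a real image is hundreds of MB and the
# content does not matter for the mechanics being shown.
make_fake_iso() {
    printf 'not really an iso, just sample bytes\n' > "$workdir/gentoo-livegui.iso"
}

# Produce a checksum file in the "HASH  FILENAME" layout (two spaces) that
# sha256sum -c parses. This stands in for the .iso.sha256 served by a mirror.
make_checksum_file() {
    (cd "$workdir" && sha256sum gentoo-livegui.iso > gentoo-livegui.iso.sha256)
}

# Correct usage: -c reads the checksum file, hashes the file it names and
# compares. Exit status 0 means "OK", non-zero means a mismatch or parse error,
# so the status, not just the printed line, is what a script should check.
verify_iso() {
    (cd "$workdir" && sha256sum -c gentoo-livegui.iso.sha256 >/dev/null 2>&1)
}

# The mistake from the thread: -c pointed at the ISO itself. sha256sum tries
# to read the binary as lines of "HASH  FILENAME", finds none, and exits
# non-zero with "no properly formatted ... checksum lines found".
wrong_usage_fails() {
    if (cd "$workdir" && sha256sum -c gentoo-livegui.iso >/dev/null 2>&1); then
        return 1   # it should never have passed
    fi
    return 0
}

# Simulate the feared scenario: the image on the drive was altered after the
# checksum file was fetched. Appending a single byte must flip the result.
verify_tampered_iso_fails() {
    printf 'x' >> "$workdir/gentoo-livegui.iso"
    if (cd "$workdir" && sha256sum -c gentoo-livegui.iso.sha256 >/dev/null 2>&1); then
        return 1   # a tampered image must not verify
    fi
    return 0
}

# Stand-alone run: every step should report ok.
make_fake_iso
make_checksum_file
verify_iso                 && echo "ok: intact image verifies"
wrong_usage_fails          && echo "ok: -c on the iso itself is rejected"
verify_tampered_iso_fails  && echo "ok: tampered image fails verification"
```

Two caveats worth keeping in mind. A matching checksum only shows that the download equals what the mirror published alongside it; it says nothing about whether that published value came from the project, which is what a detached signature check adds. And on a host you already believe is compromised, neither `sha256sum` nor the shell running it can be trusted, which is why the second download was done from a separate live session.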

[–] rudyharrelson@lemmy.radio 3 points 2 days ago (1 children)

> Also, how can I get Lemmy to show code/commands formatting? I use Jerboa but don't see a code block option.

For inline code like this, wrap the text in backticks `like this`.

For multi-line code, wrap the text in triple backticks ``` like this ```

[–] LOLseas@sh.itjust.works 1 points 2 days ago

Thanks so much!