A community for everything relating to the GNU/Linux operating system (except the memes!)
Also, check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
Run strace (or falco) and log every file open. When you hear the sound, reference the log of what files were accessed at that time.
Run tcpdump and capture all traffic. Analyze it in wireshark, searching for a time window around when the sounds happened.
FWIW putting pranks like this in cron or systemd is a common way to haze people who have bad security practices. We also used to set the default run level to 3 or 6, but of course that doesn't make sense in the era of systemd.
lmao this is a targeted campaign to fuck with you. Look at people in your circle of family/friends/acquaintances/enemies and you'll find your suspect. Real viruses don't do anything as remotely entertaining as this, they just steal your passwords/crypto/etc, ransomware your files, or turn your PC into a botnet for internet spam or mining.
Download a fresh install of debian, flash it onto a usb, and do a reinstall. Use different root/user passwords that you're certain nobody knows, and ensure you lock the computer whenever you step away. Also, obviously, be careful with what software you're installing.
Get a carbon monoxide detector
I'm fiiiiiiiiiineeeeeeeee. I have one. Made me smile nevertheless. Thanks!
Run this command, it will record all audio activity until you stop it to the file sound-inputs.log.
watch -n0.5 'pacmd list-sink-inputs | tee -a sound-inputs.log'
When you hear the sound bites, take a look at it and see which process is triggering the sounds. Might help you discover its cause.
Alternatively you can watch playback streams on pavucontrol. It lists all programs that run sounds, but is less detailed.
So the pulseaudio package wasn't installed. Installed it, ran the command, and it reports, "No PulseAudio daemon running, or not running as session daemon."
I also lost sound. Checked into it, the Output switched from my HDMI to my USB Audio Interface. Switched it back to HDMI 5.1 and I've got audio back. If PulseAudio wasn't in use, should we consider another one-liner?
If the OS isn't using PulseAudio by default, then it's using PipeWire. I am not using it so cannot confirm how it'd work, but from what I understood from its documentation, replacing pacmd list-sink-inputs with pw-cli clients in the previously mentioned command should work.
It's very unlikely you're getting hacked, but if you wiped and then reinstalled using the same credentials again...who knows.
Can you tell a bit more about your setup? Do your speakers have Bluetooth? Do you have some other type of wireless devices hooked up to your machine?
Where does the sound come from? Your headphones, speakers, etc. Does it ever happen when your machine is off? You mentioned you only have wired audio peripherals - perhaps someone is playing a prank on you and has connected some kind of device inline.
Agreed. Persisting through a wipe and reinstall is extremely unlikely. That kind of persistence isn't used by people doing it for the lulz.
I'd definitely check for devices on the audio cable, suspicious USB devices, things like that. And we need more info about trying to isolate and identify the actual source of the sound itself (speakers, headphones, etc.)
Like you mentioned, if it happens even when the PC is off, then I'd look for some kind of annoyatron, not the PC.
I have an A/V Receiver that goes out to a 6.3mm/half-inch jack headphones, and I mostly listen through the 2-channel phones out. But sometimes I run my 5.1 surround sound. Does not happen when the PC is off. I checked all cables, everything seems in order. No tap.
Persistence should be near impossible; you most likely have a bad habit or other factor that makes you vulnerable. As others have said, check your router settings; make sure your router firmware is the latest to patch any vulnerabilities. Check devices on your network to make sure none are compromised.
My first guess, like others, is you're doing something horribly wrong with your port forwarding, followed by you're installing suspect software. Don't go installing from random Github/Gitlab repositories without at least doing a bit of background research. Also, sometimes even legitimate open source projects get compromised. Ultimately, try to stick to the bare minimum, just stuff from the Debian repos, and see if it still happens.
If you still have the problem, then my last resort is to ask this (and this is really paranoid, hopefully an unlikely scenario for you): do you use your computer in a safe environment where only people you trust can access it?
I mostly ask because if not, maybe someone has physical access to your computer and is pulling an evil maid attack, installing the software when you're not looking. Maybe it's a jerk coworker. Maybe it's a creepy landlord. A login password is not enough to defend against this; it may be possible for the attacker to boot off a USB stick and modify system files. The only way to prevent this is to reinstall and use full disk encryption, which I do on my laptop. You can try to use Secure Boot and TPM^1^ to add further protection, but honestly, your attacker just sounds like some script kiddie and probably won't perform a complex attack on your boot partiton.
1: Despite their obnoxious utilization by Microsoft, they can actually be quite useful to a Linux user, making it possible to set up auto-decryption on boot that doesn't work if the boot partition has been tampered with (in which case you use a backup password).
I'd say wipe and reinstall again, but this time with a different Distro and user password, just to eliminate a bunch of variables at once, including suspect install media.
Try Fedora this time. It usually gets the latest security patches in its repos quite quickly, and it has spins for all the myriad desktop environments out there.
Last time I heard about weird audio playing it was Steam's built-in soundtrack player picking up all kinds of weird stuff and randomly playing it (or getting triggered through some shortcut or something)... just to rule it out, do you have Steam installed?
I do. But I counter with this: I had never even heard of the band Karma Factory until that soundbyte played. With the help of an F-droid app on my phone, "Audile", I was able to quickly mic the soundbyte and that helped me figure out the song clip. There is absolutely no chance Steam factored into this lolfest.
I mean, that's what that guy who had the issue back then also thought. IIRC he had morse code and whispering at random times.
Maybe just quickly check what Steam's audio player has listed as soundtracks, just to rule it out (assuming you haven't found the cause yet).
Could be schizophrenia or something related too.
Or... ya know... not. Hence me wanting to track this down. Hence this post. Mental health is very important though. Everyone agree to take care of themselves, mkthanks.
Ik it's a long shot and wasn't really what you were asking for. I've just had family with schizophrenia and it's important to like... Idk leave the door open to it sometimes
I'm a sappling in the Linux world, so I'm useless to you, but I'm following this thread just in case I start hearing "Ike, we are sick of you talking about ghosts!" coming from my speakers.
How do you think you were compromised? And what have you been doing to make sure you're not leaking your information to a memelord shit poster of a hacker in the meantime while you're working on getting this fixed?
No ideer. And no ideer. I'm finally trying to do some serious damage control, but it's been a real headscratcher. I was amused at first, I have a good sense of humor. Until they started with "long dash- dot dot... dot dot... dot". I'll save you looking it up, they told me to off myself. That's not funny anymore. Thus Lemmy post.
There are a lot of ways that the attacker could persist... maybe try a different distro, just to see if it stops? What did you redownload/install when you did your wipe? Do you have any computers on the network besides yours?
Obviously worst case for 'persisting' would be your hardware. Do you have a friend who can plug in or connect to your internet and see if they get the same blocked requests? Maybe try a different router/modem.
I don’t believe Debian is susceptible to worms — it wasn’t even susceptible to last year’s xz attack — and if you have a network firewall with port forwarding disabled, there is no way in unless your router’s firmware is compromised. If you’re running any community driven software like, for example, game plugins for servers you’re hosting, those could be suspect. Anything not FOSS is also a suspect. Otherwise, if you’ve already done a secure wipe (using dd, hdparm/nvme, or your UEFI) and used another motherboard then it probably isn’t your firmware that is compromised. You mentioned SSH and credential reuse, so this leads me to think a device on your network, like an IoT device (thermometer, baby monitor, home assistant, Roku, etc.) could be infected with malware. You really can’t trust these things to have any security whatsoever and they need to be placed on a segmented or guest network. This attack honestly seems very immature, something a script kiddie would do, or perhaps it is automated. On that note, automation loves vulnerabilities, so if you forgot to change the default credential on your router for example, I would fix that. Make sure everything is on the latest version and patch everything. I would also start suspecting neighbors and juvenile kids around high school age. If nothing else works then I would do a full Mr. Robot wipe down ;)
Getting reinfected after a clean install is so weird, my bet's on this ⤴️
Double check all your IoT, OP. Maybe your cheap crappy IP camera or Smart Lightbulb turned into a botnet
