My fellow penguins,

I have been pwned. What started off as weeks of smiling every time I heard a 7-10s sound bite of Karma Factory's "Where Is My Mind" has now devolved into hearing dashes and dots (Morse code) and my all-time favorite, a South Park S13: Dead Celebrities sound bite of Ike's Dad saying, "Ike, we are sick of you talking about ghosts!"

It’s getting old now.

I feel like these sounds should be greppable in some log somewhere, but I'm a neophyte to this. I've already done a clean (secure wipe >> reinstall); the sounds returned not even a day later.

Distro is Debian Bookworm. So how do I find these sound bites? And how do I overcome this persistence? UFW is blocking inbound connection attempts every day, but the attacker already established a foothold.

Thank you in advance. LOLseas

  • just_another_person@lemmy.world · 2 days ago · 21 up / 1 down

    It’s very unlikely you’re getting hacked, but if you wiped and then reinstalled using the same credentials again…who knows.

    Can you tell a bit more about your setup? Do your speakers have Bluetooth? Do you have some other type of wireless devices hooked up to your machine?

    • Start by checking your auth logs for logins or executed commands
    • Check and see if another user has been created
    • Did you run scripts from anywhere during your setup? If so, link them here.
    • Use the ‘w’ command to see if anyone else is logged into the machine when the noises happen
    • Disable SSH on your machine temporarily and see if the sounds stop. If not, it’s unlikely your machine is compromised, but more likely the sound is coming from your speakers having wireless comms of some sort.
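A first-pass triage script along the lines of this checklist, as an added example (not code from the thread, the replier, or Debian). It assumes a stock Debian Bookworm install, which ships without rsyslog and so has no /var/log/auth.log; sshd, su and sudo messages are in journald and are read with journalctl instead. The passwd entries and sshd log lines embedded in it are constructed sample data, and the account names, IPs and hostname in them are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: a first-pass account
# and SSH-login triage for a Debian Bookworm box. Bookworm installs without
# rsyslog, so there is no /var/log/auth.log by default; sshd/su/sudo messages
# are in journald and are read with journalctl. The helpers take passwd-format
# and sshd log lines on stdin, so they run here on constructed sample data and,
# via live_triage, on the real system.

# Any UID-0 account other than root is a red flag; ordinary human accounts
# (UID 1000-65533) are listed so an extra one stands out.
privileged_accounts() {
    awk -F: '$3 == 0 && $1 != "root"  { print "EXTRA_UID0 " $1 }
             $3 >= 1000 && $3 < 65534 { print "USER " $1 }'
}

# User names that appear more than once in the passwd data.
duplicate_accounts() {
    awk -F: '{ n[$1]++ }
             END { for (u in n) if (n[u] > 1) print "DUPLICATE " u " x" n[u] }'
}

# Successful SSH logins from sshd journal lines
# ("... sshd[PID]: Accepted <method> for <user> from <ip> port <port> ssh2").
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        method = ""; user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "for")      user   = $(i + 1)
            if ($i == "from")     ip     = $(i + 1)
        }
        print "LOGIN " user " from " ip " via " method
    }'
}

# Failed password attempts per source address: background scanning from the
# internet and a targeted guess at a reused password look different here.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password / {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print "FAILED " ip " x" n[ip] }'
}

# Constructed sample data (not real system output).
sample_passwd() {
    printf '%s\n' \
      'root:x:0:0:root:/root:/bin/bash' \
      'bob:x:1000:1000:Bob:/home/bob:/bin/bash' \
      'backdoor:x:0:0::/root:/bin/sh' \
      'bob:x:1001:1001::/home/bob:/bin/sh'
}
sample_sshd_log() {
    printf '%s\n' \
      'Mar 01 12:00:00 box sshd[1234]: Accepted password for bob from 203.0.113.5 port 51234 ssh2' \
      'Mar 01 12:00:05 box sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2' \
      'Mar 01 12:00:09 box sshd[1241]: Failed password for bob from 198.51.100.7 port 4001 ssh2' \
      'Mar 01 12:01:00 box sshd[1250]: Accepted publickey for bob from 192.0.2.9 port 50000 ssh2'
}

demo() {
    sample_passwd | privileged_accounts
    sample_passwd | duplicate_accounts
    sample_sshd_log | ssh_accepted
    sample_sshd_log | ssh_failed_by_ip
}

# Same checks on the live system; run with sudo so the journal and the process
# names on other users' sockets are readable.
live_triage() {
    echo "== accounts =="
    getent passwd | privileged_accounts
    getent passwd | duplicate_accounts
    echo "== SSH logins and failures, last 7 days (journald) =="
    journalctl _COMM=sshd --no-pager --since "7 days ago" | ssh_accepted
    journalctl _COMM=sshd --no-pager --since "7 days ago" | ssh_failed_by_ip
    echo "== logged in now / recent logins =="
    w
    last -n 20
    echo "== listening sockets =="
    ss -tulnp
}

case "${1:-}" in --live) live_triage ;; *) demo ;; esac
```

Run it with no arguments to see the checks on the sample data, or as `sudo sh triage.sh --live` on the box itself. On the sample, the second UID-0 entry and the duplicated user name are reported, the two accepted logins come out with their source addresses, and the failed attempts are grouped by address; on a real box, an accepted login from an address you do not recognise is the line to chase.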
    • LOLseas@sh.itjust.works (OP) · 2 days ago · 8 up / 2 down

      Oh. I know I’ve been compromised. It’s beyond reasonable doubt.

      I run cabled headphones, no BT love. I get triplicate of my user account. Did not run any scripts post-install. Can't find auth.log in /var/log. One time I went down for a reboot, there was an SSH process hanging up the reboot, so I Ctrl-C'd it and the system successfully rebooted. Since then I've disabled sshd.

      Thanks so far, you’re awesome.

      • just_another_person@lemmy.world · 2 days ago · 13 up / 1 down

        Are you reusing credentials or something? It would be VERY weird to just get remotely compromised like that.

        Some other questions:

        1. Does your network not have NAT or firewall of some sort?
        2. What packages are installed that would allow remote access? (SSH, RDP, etc.)
        • LOLseas@sh.itjust.works (OP) · 2 days ago · 9 up

          Guilty of reusing credentials. Strong password, but reused.

          I use my ISP’s router and their built-in firewall is saying Enabled on the page.

          Then I run UFW on my PC denying all incoming. It's one of two rules (the other is port forwarding for a CS:CZ server).

          I thought running Mullvad VPN would be another good layer of obscurity, but whatever drive-by malware got through something somewhere. ClamAV reported no infections. No SSH and no RDP. I really am at a loss on how I got compromised.

          Thanks for spitballing with me! I look forward to further insight.

          • just_another_person@lemmy.world · 2 days ago · 4 up / 1 down

            I'd have a look at what you're port forwarding to your machine, then what services may be running on that port, and finally if your firewall rules allow those through.

            If anything, it sounds like somebody was doing remote execution calls on your game server.
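One way to do the comparison this last reply suggests, as an added example (not code from the thread or the replier): list what is actually listening on the box and diff it against the ports you meant to expose. It parses `ss -Htulnp` output, which needs root to show process names for other users' sockets, and assumes the game server sits on UDP 27015 (the GoldSrc default; adjust the allow-list to what the router actually forwards). The `ss` lines embedded below are constructed sample data, and the process names and PIDs in them are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: compare what is actually listening with
# the ports you intended to expose. unexpected_listeners reads `ss -Htulnp`
# lines on stdin; $1 is a space-separated allow-list in proto:port form.
# Loopback-only sockets are skipped because a router port forward cannot reach
# them; everything else bound to a non-loopback address is a candidate for
# "what is this, and does UFW really block it".
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            proto = $1; local = $5                 # Netid and Local Address:Port columns
            port = local; sub(/.*:/, "", port)     # text after the last colon
            addr = local; sub(/:[^:]*$/, "", addr) # text before it (IPv6 stays bracketed)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            key = proto ":" port
            if (!(key in ok)) print "UNEXPECTED " key " " $NF
        }'
}

# Constructed sample of `ss -Htulnp` output (not real system output): the game
# server on UDP 27015, CUPS on loopback only, and two TCP listeners that have no
# business being reachable on a box that denies all incoming and has SSH off.
sample_ss() {
    printf '%s\n' \
      'udp UNCONN 0 0 0.0.0.0:27015 0.0.0.0:* users:(("hlds_linux",pid=900,fd=5))' \
      'tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=600,fd=7))' \
      'tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))' \
      'tcp LISTEN 0 5 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=1337,fd=4))'
}

demo() { sample_ss | unexpected_listeners "udp:27015"; }

# Live run: needs root for process names and for reading the UFW rule set.
live_check() {
    echo "== listeners not on the allow-list =="
    ss -Htulnp | unexpected_listeners "udp:27015"
    echo "== UFW rules as actually loaded =="
    ufw status verbose
}

case "${1:-}" in --live) live_check ;; *) demo ;; esac
```

On the sample data the sshd and python3 listeners are reported and the loopback-only CUPS socket is not. On a real box, anything reported here should match a rule you can point to in `ufw status verbose` and a forward you can point to in the router; a listener you cannot account for is where to start looking, and `ss -tulnp` also tells you which process to inspect.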