My fellow penguins,
I have been pwned. What started off as weeks of smiling everytime I heard a 7-10s soundbyte of Karma Factory’s “Where Is My Mind” has now devolved into hearing dashes and dots (Morse Code) and my all-time favorite, a South Park S13: Dead Celebrities soundbyte of Ike’s Dad saying, “Ike, we are sick of you talking about ghosts!”
It’s getting old now.
I feel like these sounds should be grepable in some log somewhere, but I’m a neophyte to this. I’ve done a clean (secure wipe >> reinstall) already, the sounds returned not even a day later.
Distro is Debian Bookworm. So how do I find these soundbytes? And how do I overcome this persistence? UFW is blocking inbound connection attempts everyday, but the attacker already established a foothold.
Thank you in advance. LOLseas
Oh. I know I’ve been compromised. It’s beyond reasonable doubt.
I run cabled headphones, no BT love. I get triplicate of my user account. Did not run any scripts post-install. Can’t find auth.log in /var/log One time I went down for a reboot, there was an SSH process hanging up the reboot, so I CTRL-C’d and the system successfully rebooted. Since then I disabled SSHD.
Thanks so far, you’re awesome.
Are you reusing credentials or something? It would be VERY weird to just get remotely compromised like that.
Some other questions:
Guilty of reusing credentials. Strong password, but reused.
I use my ISP’s router and their built-in firewall is saying Enabled on the page.
Then I run UFW on my PC denying all incoming. It’s one of two rules (the other is port forwarding for CS:CZ server).
I thought running Mullvad VPN would be another good layer of obscurity, but whatever drive-by malware got through something somewhere. ClamAV reported no infections. No SSH and no RDP. I really am at a loss on how I got compromised.
Thanks for spitballing with me! I look forward to further insight.
I’d have a look at what you’re port forwarding to your machine, then what services may be running on that port, and finally if your firewall rules allow those though.
If anything, it sounds like somebody was doing remote execution calls on your game server.
I did a ‘netstat --verbose’ and had these connections after a reboot, did not launch the browser.
Do a
netstat -anlp | grep LISTand post itWill do as soon as reinstall 3 is done. I’m reverting back to Debian 12 “Bookworm” as I don’t trust any newly downloaded iso’s aren’t getting tampered with. I noticed a mismatch on the hash for a newly downloaded Gentoo LiveUSB image and its .iso.sha256 file. I reset my router back to factory settings in the meantime. Fresh admin password, fresh SSID and keyphrase. Only wireless device on network is my phone, also reflected on router wireless page.