My fellow penguins,
I have been pwned. What started off as weeks of smiling everytime I heard a 7-10s soundbyte of Karma Factory’s “Where Is My Mind” has now devolved into hearing dashes and dots (Morse Code) and my all-time favorite, a South Park S13: Dead Celebrities soundbyte of Ike’s Dad saying, “Ike, we are sick of you talking about ghosts!”
It’s getting old now.
I feel like these sounds should be grepable in some log somewhere, but I’m a neophyte to this. I’ve done a clean (secure wipe >> reinstall) already, the sounds returned not even a day later.
Distro is Debian Bookworm. So how do I find these soundbytes? And how do I overcome this persistence? UFW is blocking inbound connection attempts everyday, but the attacker already established a foothold.
Thank you in advance. LOLseas
Run strace (or falco) and log every file open. When you hear the sound, reference the log of what files were accessed at that time.
Run tcpdump and capture all traffic. Analyze it in wireshark, searching for a time window around when the sounds happened.
FWIW putting pranks like this in cron or systemd is a common way to haze people who have bad security practices. We also used to set the default run level to 3 or 6, but of course that doesn’t make sense in the era of systemd.