Hundreds of .png & .txt got blacked during a move from the system onto an sdhc

Files copied successfully were moved as files with 0 bytes.

Probably an exploit; the system has a number of issues; it might be due to payload files or files that were manipulated in transit to gain control of the system. It is no longer occurring after that one instance. Much appreciated.

System:
Kernel: 6.5.9-hardened1-1-hardened arch: x86_64 bits: 64 compiler: gcc
v: 13.2.1 clocksource: tsc available: hpet,acpi_pm parameters: pti=on
page_alloc.shuffle=1 BOOT_IMAGE=/@/boot/vmlinuz-linux-hardened
root=UUID=ee9d8e46-88f6-40bb-a345-3b374ebb4edb rw rootflags=subvol=@
quiet rd.luks.uuid=5d766ada-bbea-4479-b984-c5950293753b quiet
rd.udev.log_priority=3 vt.global_cursor_default=0 loglevel=3 ibt=off
Desktop: KDE Plasma v: 5.27.9 tk: Qt v: 5.15.11 wm: kwin_x11 vt: 2
dm: SDDM Distro: Garuda Linux base: Arch Linux
Machine:
Type: Desktop Mobo: ASUSTeK model: A88XM-PLUS v: Rev X.0x
serial: <superuser required> UEFI-[Legacy]: American Megatrends v: 3004
date: 04/14/2017
Battery:
Device-1: ps-controller-battery-41:42:ae:08:af:9c model: N/A serial: N/A
charge: N/A status: full
CPU:
Info: model: AMD A10-7850K Radeon R7 12 Compute Cores 4C+8G bits: 64
type: MT MCP arch: Steamroller level: v2 built: 2014 process: GF 28nm
family: 0x15 (21) model-id: 0x30 (48) stepping: 1 microcode: 0x6003106
Topology: cpus: 1x cores: 4 smt: enabled cache: L1: 256 KiB
desc: d-4x16 KiB; i-2x96 KiB L2: 4 MiB desc: 2x2 MiB
Speed (MHz): avg: 3403 high: 3875 min/max: 1700/3700 boost: enabled
scaling: driver: acpi-cpufreq governor: performance cores: 1: 3875 2: 3057
3: 3700 4: 2981 bogomips: 29539
Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Vulnerabilities: <filter>
Graphics:
Device-1: AMD Vega 10 XL/XT [Radeon RX 56/64] vendor: XFX Pine
driver: amdgpu v: kernel arch: GCN-5 code: Vega process: GF 14nm
built: 2017-20 pcie: gen: 3 speed: 8 GT/s lanes: 16 ports: active: DP-3
empty: DP-1,DP-2,HDMI-A-1 bus-ID: 03:00.0 chip-ID: 1002:687f
class-ID: 0300
Display: x11 server: X.Org v: 21.1.9 with: Xwayland v: 23.2.2
compositor: kwin_x11 driver: X: loaded: amdgpu unloaded: modesetting
alternate: fbdev,vesa dri: radeonsi gpu: amdgpu display-ID: :0 screens: 1
Screen-1: 0 s-res: 1360x768 s-dpi: 96 s-size: 358x202mm (14.09x7.95")
s-diag: 411mm (16.18")
Monitor-1: DP-3 mapped: DisplayPort-2 model: Sharp HDMI built: 2008
res: 1360x768 hz: 60 dpi: 42 gamma: 1.2 size: 820x460mm (32.28x18.11")
diag: 940mm (37") ratio: 16:9 modes: max: 1920x1080 min: 720x400
API: EGL v: 1.5 hw: drv: amd radeonsi platforms: device: 0 drv: radeonsi
device: 1 drv: swrast surfaceless: drv: radeonsi x11: drv: radeonsi
inactive: gbm,wayland
API: OpenGL v: 4.6 compat-v: 4.5 vendor: amd mesa v: 23.2.1-arch1.2
glx-v: 1.4 direct-render: yes renderer: AMD Radeon RX Vega (vega10 LLVM
16.0.6 DRM 3.54 6.5.9-hardened1-1-hardened) device-ID: 1002:687f
memory: 7.81 GiB unified: no
API: Vulkan v: 1.3.269 layers: 7 device: 0 type: discrete-gpu name: AMD
Radeon RX Vega (RADV VEGA10) driver: mesa radv v: 23.2.1-arch1.2
device-ID: 1002:687f surfaces: xcb,xlib device: 1 type: cpu name: llvmpipe
(LLVM 16.0.6 256 bits) driver: mesa llvmpipe v: 23.2.1-arch1.2 (LLVM
16.0.6) device-ID: 10005:0000 surfaces: xcb,xlib
Audio:
Device-1: AMD FCH Azalia vendor: ASUSTeK AM1I-A driver: snd_hda_intel
v: kernel bus-ID: 00:14.2 chip-ID: 1022:780d class-ID: 0403
Device-2: AMD Vega 10 HDMI Audio [Radeon 56/64] driver: snd_hda_intel
v: kernel pcie: gen: 3 speed: 8 GT/s lanes: 16 bus-ID: 03:00.1
chip-ID: 1002:aaf8 class-ID: 0403
Device-3: Focusrite-Novation Scarlett 2i2 3rd Gen
driver: snd-usb-audio,usb-storage type: USB rev: 2.1 speed: 480 Mb/s
lanes: 1 mode: 2.0 bus-ID: 3-3:4 chip-ID: 1235:8210 class-ID: 0806
serial: <filter>
Device-4: Sony DualShock 4 [CUH-ZCT2x]
driver: playstation,snd-usb-audio,usbhid type: USB rev: 2.0 speed: 12 Mb/s
lanes: 1 mode: 1.1 bus-ID: 3-4.4:6 chip-ID: 054c:09cc class-ID: 0300
API: ALSA v: k6.5.9-hardened1-1-hardened status: kernel-api tools: N/A
Server-1: PipeWire v: 0.3.83 status: active with: 1: pipewire-pulse
status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
vendor: ASUSTeK H81M-C driver: r8169 v: kernel pcie: gen: 1 speed: 2.5 GT/s
lanes: 1 port: d000 bus-ID: 06:00.0 chip-ID: 10ec:8168 class-ID: 0200
IF: enp6s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Drives:
Local Storage: total: 1.14 TiB used: 21.25 GiB (1.8%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/sda maj-min: 8:0 vendor: Samsung model: SSD 840 PRO Series
size: 238.47 GiB block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s
tech: SSD serial: <filter> fw-rev: 3B0Q scheme: MBR
ID-2: /dev/sdb maj-min: 8:16 vendor: Samsung model: SSD 860 EVO 1TB
size: 931.51 GiB block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s
tech: SSD serial: <filter> fw-rev: 4B6Q scheme: GPT
ID-3: /dev/sdc maj-min: 8:32 model: Scarlett Welcome Disk size: 192 KiB
block-size: physical: 512 B logical: 512 B type: USB rev: 2.1 spd: 480 Mb/s
lanes: 1 mode: 2.0 tech: N/A serial: <filter> fw-rev: 0.10 scheme: MBR
SMART Message: Unknown USB bridge. Flash drive/Unsupported enclosure?
Partition:
ID-1: / raw-size: 238.46 GiB size: 238.46 GiB (100.00%)
used: 21.25 GiB (8.9%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-5d766ada-bbea-4479-b984-c5950293753b
ID-2: /home raw-size: 238.46 GiB size: 238.46 GiB (100.00%)
used: 21.25 GiB (8.9%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-5d766ada-bbea-4479-b984-c5950293753b
ID-3: /var/log raw-size: 238.46 GiB size: 238.46 GiB (100.00%)
used: 21.25 GiB (8.9%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-5d766ada-bbea-4479-b984-c5950293753b
ID-4: /var/tmp raw-size: 238.46 GiB size: 238.46 GiB (100.00%)
used: 21.25 GiB (8.9%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-5d766ada-bbea-4479-b984-c5950293753b
Swap:
Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
ID-1: swap-1 type: zram size: 31.3 GiB used: 0 KiB (0.0%) priority: 100
comp: zstd avail: lzo,lzo-rle,lz4,lz4hc,842 max-streams: 4 dev: /dev/zram0
Sensors:
System Temperatures: cpu: 22.8 C mobo: N/A gpu: amdgpu temp: 32.0 C
mem: 25.0 C
Fan Speeds (rpm): N/A gpu: amdgpu fan: 796
Info:
Processes: 259 Uptime: 17m wakeups: 1 Memory: total: 32 GiB
available: 31.3 GiB used: 2.52 GiB (8.1%) Init: systemd v: 254
default: graphical tool: systemctl Compilers: gcc: 13.2.1 clang: 16.0.6
Packages: pm: pacman pkgs: 1445 libs: 470 tools: octopi,paru Shell: fish
v: 3.6.1 default: Bash v: 5.2.15 running-in: konsole inxi: 3.3.30
Garuda (2.6.17-1):
System install date:     2023-03-11
Last full system update: 2023-10-31 ↻
Is partially upgraded:   No
Relevant software:       snapper NetworkManager dracut
Windows dual boot:       <superuser required>
Failed units:

As always, please reboot.


The memory leak issue is still occurring; the memory is DDR3 as the system is from 2014; remote attackers were also more recently able to delete a folder that had just been created with one file added. It seems to be the same attack: a memory leak allowing for manipulation of tasks or items in memory. No web browser was open, only Dolphin.

System was online using Ethernet with no applications open using the internet.

Reboot works until the attack is used again. Much appreciated.

Nope.
It's not hacked; it's you setting up your system all wrong, with paranoia driving your decisions, so it cannot properly write to disk. Therefore everything you try to do will be effed up exactly like you report.


There are certainly more likely reasons for this error than an exploit.

The most common reason is the media was removed prematurely. Even when you get a notification that the copy or transfer function is complete, you still cannot take out the disk until it is properly synced and unmounted. 0 byte files or corruption can happen if you jump the gun.

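The point made in the reply above, that a "copy complete" notification is not the same as the data being on the card, can be checked rather than trusted. The following POSIX shell script is an added example written for this thread; it is not code from the thread or from Garuda. It copies a directory tree to a destination (assumed to be the mount point of the SDHC card or any other removable medium), forces the page cache to be flushed with `sync`, and then compares every copied file byte-for-byte against its original, reporting zero-byte copies and mismatches before you even think about pulling the card. The function names `copy_and_verify`, `verify_copy` and `safe_detach` are this example's own; the sample files in the usage section are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: copy to removable media, flush, verify, detach.
# Assumes: SRC is a directory, DST is a writable directory (typically a mount point).

# verify_copy SRC DST
# Compare every regular file under SRC with the file of the same relative path
# under DST. Zero-byte copies of non-empty files are reported separately because
# that is exactly the symptom of a card pulled before the writes were flushed.
# Returns 0 if all files match, 1 otherwise.
verify_copy() {
    src=${1%/}
    dst=${2%/}
    bad=0
    list=$(mktemp) || return 1
    # Collect paths first; a pipeline into `while` would lose the counter in a subshell.
    find "$src" -type f > "$list"
    while IFS= read -r f; do
        rel=${f#"$src"/}
        copy=$dst/$rel
        if [ ! -e "$copy" ]; then
            echo "MISSING:   $rel" >&2
            bad=$((bad + 1))
        elif [ -s "$f" ] && [ ! -s "$copy" ]; then
            echo "ZERO-BYTE: $rel" >&2
            bad=$((bad + 1))
        elif ! cmp -s "$f" "$copy"; then
            echo "MISMATCH:  $rel" >&2
            bad=$((bad + 1))
        fi
    done < "$list"
    rm -f "$list"
    if [ "$bad" -gt 0 ]; then
        echo "$bad file(s) failed verification" >&2
        return 1
    fi
    return 0
}

# copy_and_verify SRC DST
# Copy the contents of SRC into DST, flush buffered writes to the device, then verify.
# Returns 0 only if the copy succeeded and every file verified.
copy_and_verify() {
    src=${1%/}
    dst=${2%/}
    cp -R "$src"/. "$dst"/ || return 1
    # Without sync the data may still sit in RAM; the desktop's "done" dialog
    # reports the copy syscalls finished, not that the card holds the bytes.
    sync
    verify_copy "$src" "$dst"
}

# safe_detach MOUNTPOINT
# Flush once more and unmount; refuses to act on a path that is not a mount point,
# so it is harmless to call on an ordinary directory. Needs privileges to unmount.
safe_detach() {
    mp=${1%/}
    sync
    if ! mountpoint -q "$mp"; then
        echo "$mp is not a mount point; nothing to detach" >&2
        return 1
    fi
    umount "$mp"
}

# Usage: ./copy_verify.sh ~/Pictures /run/media/$USER/SDCARD
# (then safe_detach on the mount point once verification passes)
if [ "$#" -eq 2 ]; then
    copy_and_verify "$1" "$2" && echo "all files verified; safe to detach with safe_detach $2"
fi
```

Run it with the source directory and the card's mount point; only detach the card after it reports success. The byte-for-byte `cmp` catches silent truncation as well as zero-byte files, which a simple file count would miss.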
