Possible bios got hacked; about to do a fresh install when new ISO Drops or test beta etc

This is just a record of noticable behavior of likely compromised system over a number of months that is about to be reinstalled. (Older computer & Garuda is running great; no issues really that need to be fixed; might be helpful for making Garuda or Linux more secure or for the new ISO release for September)

Bios noticeably was manipulated; about to do a reinstall; reinstalled all packages and removed orphans which seemed to help a bit yet system is not running as it should.

Seems like the firmware updates or hardened kernel updates could have allowed for this as well not sure how though or maybe zen.

Every once in a while get a failure to install for Firedragon or Librewolf or something else; can tell there are manipulations of packages during updates sometimes; a screenshot enclosed of this happening with Plymouth.

092723 Garuda plymouth update failure after reinstall1119×562 127 KB

Also had some files disappear from the downloads folder acquired from Librewolf.
(Tested this multiple times; moving files to Desktop was a successful work around.)

Older bios or all; might be exploitable due to the Wifi hotspot dependency that hooks into boot; deleted that & wifi hotspot on a system without wifi or bluetooth with no issues.

Much appreciated. Happy Halloween. =]

System:
Kernel: 6.5.5-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 13.2.1
clocksource: tsc available: hpet,acpi_pm
parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen
root=UUID=ee9d8e46-88f6-40bb-a345-3b374ebb4edb rw rootflags=subvol=@
quiet rd.luks.uuid=5d766ada-bbea-4479-b984-c5950293753b quiet
rd.udev.log_priority=3 vt.global_cursor_default=0 loglevel=3 ibt=off
Desktop: KDE Plasma v: 5.27.8 tk: Qt v: 5.15.10 wm: kwin_x11 vt: 2
dm: SDDM Distro: Garuda Linux base: Arch Linux
Machine:
Type: Desktop Mobo: ASUSTeK model: A88XM-PLUS v: Rev X.0x
serial: <superuser required> UEFI-[Legacy]: American Megatrends v: 3004
date: 04/14/2017
Battery:
Device-1: ps-controller-battery-1c:96:5a:c3:bb:50 model: N/A serial: N/A
charge: N/A status: charging
CPU:
Info: model: AMD A10-7850K Radeon R7 12 Compute Cores 4C+8G bits: 64
type: MT MCP arch: Steamroller level: v2 built: 2014 process: GF 28nm
family: 0x15 (21) model-id: 0x30 (48) stepping: 1 microcode: 0x6003106
Topology: cpus: 1x cores: 4 smt: enabled cache: L1: 256 KiB
desc: d-4x16 KiB; i-2x96 KiB L2: 4 MiB desc: 2x2 MiB
Speed (MHz): avg: 3796 high: 3904 min/max: 1700/3700 boost: enabled
scaling: driver: acpi-cpufreq governor: performance cores: 1: 3904 2: 3700
3: 3700 4: 3881 bogomips: 29526
Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Vulnerabilities: <filter>
Graphics:
Device-1: AMD Vega 10 XL/XT [Radeon RX 56/64] vendor: XFX Pine
driver: amdgpu v: kernel arch: GCN-5 code: Vega process: GF 14nm
built: 2017-20 pcie: gen: 3 speed: 8 GT/s lanes: 16 ports: active: DP-3
empty: DP-1,DP-2,HDMI-A-1 bus-ID: 03:00.0 chip-ID: 1002:687f
class-ID: 0300
Display: x11 server: X.Org v: 21.1.8 with: Xwayland v: 23.2.1
compositor: kwin_x11 driver: X: loaded: amdgpu unloaded: modesetting
alternate: fbdev,vesa dri: radeonsi gpu: amdgpu display-ID: :0 screens: 1
Screen-1: 0 s-res: 1360x768 s-dpi: 96 s-size: 358x202mm (14.09x7.95")
s-diag: 411mm (16.18")
Monitor-1: DP-3 mapped: DisplayPort-2 model: Sharp HDMI built: 2008
res: 1360x768 hz: 60 dpi: 42 gamma: 1.2 size: 820x460mm (32.28x18.11")
diag: 940mm (37") ratio: 16:9 modes: max: 1920x1080 min: 720x400
API: EGL v: 1.5 hw: drv: amd radeonsi platforms: device: 0 drv: radeonsi
device: 1 drv: swrast surfaceless: drv: radeonsi x11: drv: radeonsi
inactive: gbm,wayland
API: OpenGL v: 4.6 compat-v: 4.5 vendor: amd mesa v: 23.1.8-arch1.1
glx-v: 1.4 direct-render: yes renderer: AMD Radeon RX Vega (vega10 LLVM
16.0.6 DRM 3.54 6.5.5-zen1-1-zen) device-ID: 1002:687f memory: 7.81 GiB
unified: no
API: Vulkan v: 1.3.264 layers: 7 device: 0 type: discrete-gpu name: AMD
Radeon RX Vega (RADV VEGA10) driver: mesa radv v: 23.1.8-arch1.1
device-ID: 1002:687f surfaces: xcb,xlib device: 1 type: cpu name: llvmpipe
(LLVM 16.0.6 256 bits) driver: mesa llvmpipe v: 23.1.8-arch1.1 (LLVM
16.0.6) device-ID: 10005:0000 surfaces: xcb,xlib
Audio:
Device-1: AMD FCH Azalia vendor: ASUSTeK AM1I-A driver: snd_hda_intel
v: kernel bus-ID: 00:14.2 chip-ID: 1022:780d class-ID: 0403
Device-2: AMD Vega 10 HDMI Audio [Radeon 56/64] driver: snd_hda_intel
v: kernel pcie: gen: 3 speed: 8 GT/s lanes: 16 bus-ID: 03:00.1
chip-ID: 1002:aaf8 class-ID: 0403
Device-3: Focusrite-Novation Scarlett 2i2 3rd Gen
driver: snd-usb-audio,usb-storage type: USB rev: 2.1 speed: 480 Mb/s
lanes: 1 mode: 2.0 bus-ID: 2-3:4 chip-ID: 1235:8210 class-ID: 0806
serial: <filter>
API: ALSA v: k6.5.5-zen1-1-zen status: kernel-api tools: N/A
Server-1: PipeWire v: 0.3.80 status: active with: 1: pipewire-pulse
status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
vendor: ASUSTeK H81M-C driver: r8169 v: kernel pcie: gen: 1 speed: 2.5 GT/s
lanes: 1 port: d000 bus-ID: 06:00.0 chip-ID: 10ec:8168 class-ID: 0200
IF: enp6s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Drives:
Local Storage: total: 1.14 TiB used: 33.1 GiB (2.8%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/sda maj-min: 8:0 vendor: Samsung model: SSD 840 PRO Series
size: 238.47 GiB block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s
tech: SSD serial: <filter> fw-rev: 3B0Q scheme: MBR
ID-2: /dev/sdb maj-min: 8:16 vendor: Samsung model: SSD 860 EVO 1TB
size: 931.51 GiB block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s
tech: SSD serial: <filter> fw-rev: 4B6Q scheme: GPT
ID-3: /dev/sdc maj-min: 8:32 model: Scarlett Welcome Disk size: 192 KiB
block-size: physical: 512 B logical: 512 B type: USB rev: 2.1 spd: 480 Mb/s
lanes: 1 mode: 2.0 tech: N/A serial: <filter> fw-rev: 0.10 scheme: MBR
SMART Message: Unknown USB bridge. Flash drive/Unsupported enclosure?
Partition:
ID-1: / raw-size: 238.46 GiB size: 238.46 GiB (100.00%)
used: 33.1 GiB (13.9%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-5d766ada-bbea-4479-b984-c5950293753b
ID-2: /home raw-size: 238.46 GiB size: 238.46 GiB (100.00%)
used: 33.1 GiB (13.9%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-5d766ada-bbea-4479-b984-c5950293753b
ID-3: /var/log raw-size: 238.46 GiB size: 238.46 GiB (100.00%)
used: 33.1 GiB (13.9%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-5d766ada-bbea-4479-b984-c5950293753b
ID-4: /var/tmp raw-size: 238.46 GiB size: 238.46 GiB (100.00%)
used: 33.1 GiB (13.9%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
mapped: luks-5d766ada-bbea-4479-b984-c5950293753b
Swap:
Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
ID-1: swap-1 type: zram size: 31.29 GiB used: 0 KiB (0.0%) priority: 100
comp: zstd avail: lzo,lzo-rle,lz4,lz4hc,842 max-streams: 4 dev: /dev/zram0
Sensors:
System Temperatures: cpu: 15.5 C mobo: N/A gpu: amdgpu temp: 34.0 C
mem: 27.0 C
Fan Speeds (rpm): N/A gpu: amdgpu fan: 851
Info:
Processes: 224 Uptime: 18m wakeups: 1 Memory: total: 32 GiB
available: 31.29 GiB used: 2.83 GiB (9.1%) Init: systemd v: 254
default: graphical tool: systemctl Compilers: gcc: 13.2.1 clang: 16.0.6
Packages: pm: pacman pkgs: 1443 libs: 468 tools: octopi,paru Shell: fish
v: 3.6.1 default: Bash v: 5.1.16 running-in: konsole inxi: 3.3.30
Garuda (2.6.16-1):
System install date:     2023-03-11
Last full system update: 2023-09-28
Is partially upgraded:   No
Relevant software:       snapper NetworkManager dracut
Windows dual boot:       <superuser required>
Failed units:

I think your Tin Foil Hat may need adjusting. OP dual-booting w/Windows.

Also an issue with encrypted drives (NTFS or Linux); saving passwords without checking the box; happens with removable drives & also drives on left on the system.

Aha! Now we know you run Windows. All bets are off. Sorry, I can’t help you on a dual-boot issue.

Please, never post screenshots from terminal, just cp & paste as text like you post the garuda-inxi.
Images can be read worse, are not searchable and copyable for further search. Thanks

image692×56 32.9 KB

This is not evidence of an exploited device. Rather, this script is calling mkinitcpio:

❯ cat plymouth-update-initrd
File: plymouth-update-initrd
#!/bin/bash
mkinitcpio -P

But you are using dracut:

It looks like you are not using Plymouth anyway, as you do not have the splash kernel parameter set. These are your kernel parameters:

An easy way to stop getting that error message if you aren’t using Plymouth would be to just uninstall the package.

As for your BIOS, if you are having issues with it you should check to see if there is an update available because your last BIOS update was over five years ago. You also installed in legacy mode even though you have a UEFI board.

If you are going to reinstall, you may want to consider installing in UEFI mode instead. Who knows, maybe the CSM is related to whatever your issue with the BIOS is.

Usually do… was not able to at the time… apologies.

Windows partition was there; got compromised and was erased which is why it is still showing up; then there was a Garuda bios compromise that may or may not have been fixed; older UEFI system (2013) so could be an issue; looking into using secure boot with Arch / Garuda for a newer Zen 2 system with a bios that is still supported.

Also could have been an issue due to the triple boot partition which has PopOS (not a bleeding edge as Arch so an easier target) which also seemed wonky at some points during the 6 month install; does not show up on the system report from terminal which is something to think about; everything got compromised much earlier last year so props for all the hard work and great changes by all the Linux teams including Garuda, kernel, Plasma especially as well as some open source application fixes that were helpful as well as everyone working hard the forums to make things great.

Trying to completely replace Windows yet being held back now by only Audio Production software such as Ableton & VST installers for Arturia & Spitfire audio (which has free libraries that are very nice); which has more features then Bitwig still currently yet getting close; working on getting Ableton installed with Wine / Bottles.
Also trying to switch to Mixxx from Traktor DJ Pro 3.

Garuda has made such a big difference over the last year; linux & KDE have had some great upgrades and changes as well as Proton & Steam; has been a dream to use Linux exclusively since barely getting sound to work in Red Hat Linux 5 circa 1997. (Red Hat Linux 5.0 : Red Hat Software, Inc. : Free Download, Borrow, and Streaming : Internet Archive)

Much appreciated. Cheers. Excited to get all the bugs out of the new ISO! =]

Also KDE Wallet is popping up after any USB Device is plugged in or unplugged; (Ethernet over USB was used to upgrade the systems); seems to be some tricky file-less malware at play as well being injected into the firmware & bios possibly on the other older systems; working with bug bounty programs on other OS & apps as well as looking for a capable data forensics package that is open source and available …Still… to shine some light on the harder to find exploits & close as many holes also.

Only happening on the newer installs thought not this system that is completely broken. This might be due to many of the holes being used in this install being closed.

Was thinking this might have been an exploit because both web browsers are showing install failed warnings yet still being installed which might be evidence of payload injection in them.

“Every once in a while get a failure to install for Firedragon or Librewolf or something else; can tell there are manipulations of packages during updates sometimes; a screenshot enclosed of this happening with Plymouth.”

Thank you for all the responses very helpful; still learning about all the great changes that are always coming in so fast; trying to keep on top of updates and stay clear headed to think about how exploits are happening and find ways to explain them to developers to improve security. Much appreciated always.

Nope, I was right the first time. Tin Foil Hat required.

Every situation is different; tin foil hat would not even work; maybe a Faraday cage. (https://i.makeagif.com/media/8-15-2018/LkbEml.gif)

Sometimes things get complicated. Going down a few rabbit holes can be interesting. Not everyone can handle the nonsense of reality breaking down though.

Most of the difficult issues are solved. Much appreciated for the help though always.

Failed to remove error from latest update 10.04.23

:: Synchronizing package databases...
garuda is up to date
core                                  127.2 KiB   586 KiB/s 00:00 [------------------------------------] 100%
extra                                   8.2 MiB  16.3 MiB/s 00:01 [------------------------------------] 100%
multilib                              140.4 KiB   540 KiB/s 00:00 [------------------------------------] 100%
chaotic-aur                             2.6 MiB  3.84 MiB/s 00:01 [------------------------------------] 100%

--> Refreshing mirrorlists using rate-mirrors, please be patient..🍵
:: Synchronizing package databases...
garuda downloading...
core downloading...
extra downloading...
multilib downloading...
chaotic-aur downloading...
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Package (4)                       Old Version     New Version     Net Change  Download Size

core/grub                         2:2.12rc1-1     2:2.12rc1-3       0.52 MiB       6.81 MiB
core/openssh                      9.4p1-4         9.5p1-1           0.01 MiB       1.12 MiB
extra/perl-uri                    5.20-1          5.21-1            0.00 MiB       0.08 MiB
chaotic-aur/sweet-theme-full-git  r334.6e82150-1  r335.2910929-1    0.00 MiB       2.96 MiB

Total Download Size:   10.97 MiB
Total Installed Size:  49.14 MiB
Net Upgrade Size:       0.53 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
perl-uri-5.21-1-any                    81.3 KiB   193 KiB/s 00:00 [------------------------------------] 100%
sweet-theme-full-git-r335.291092...     3.0 MiB  5.23 MiB/s 00:01 [------------------------------------] 100%
openssh-9.5p1-1-x86_64               1145.4 KiB  1507 KiB/s 00:01 [------------------------------------] 100%
grub-2:2.12rc1-3-x86_64                 6.8 MiB  7.22 MiB/s 00:01 [------------------------------------] 100%
Total (4/4)                            11.0 MiB  9.17 MiB/s 00:01 [------------------------------------] 100%
(4/4) checking keys in keyring                                     [------------------------------------] 100%
(4/4) checking package integrity                                   [------------------------------------] 100%
(4/4) loading package files                                        [------------------------------------] 100%
(4/4) checking for file conflicts                                  [------------------------------------] 100%
(4/4) checking available disk space                                [------------------------------------] 100%
:: Running pre-transaction hooks...
(1/1) Performing snapper pre snapshots for the following configurations...
==> root: 812
:: Processing package changes...
(1/4) upgrading grub                                               [------------------------------------] 100%
:: To use the new features provided in this GRUB update, it is recommended
to install it to the MBR or UEFI. Due to potential configuration
incompatibilities, it is advised to run both, installation and generation
of configuration:
# grub-install ...
# grub-mkconfig -o /boot/grub/grub.cfg
(2/4) upgrading openssh                                            [------------------------------------] 100%
(3/4) upgrading perl-uri                                           [------------------------------------] 100%
(4/4) upgrading sweet-theme-full-git                               [------------------------------------] 100%
:: Running post-transaction hooks...
( 1/15) Enabling os-prober...
( 2/15) Reloading system manager configuration...
( 3/15) Creating temporary files...
( 4/15) Arming ConditionNeedsUpdate...
( 5/15) Foreign/AUR package notification
ananicy-rules 1.r129.8ac5d97-1
transcode 1.1.7-41
( 6/15) Updating grub binary in EFI
( 7/15) Orphaned package notification...
=> No orphans found.
( 8/15) Checking for .pacnew and .pacsave files...
.pac* files found:
/etc/shells.pacnew
/etc/firewalld/firewalld.conf.pacnew
/etc/pacman.conf.pacnew
/etc/pacman.d/mirrorlist.pacnew
/etc/plymouth/plymouthd.conf.pacnew
Please check and merge
( 9/15) GRUB update after transactions...
Generating grub configuration file ...
Found theme: /usr/share/grub/themes/garuda-dr460nized/theme.txt
Found linux image: /boot/vmlinuz-linux-zen
Found initrd image: /boot/amd-ucode.img /boot/initramfs-linux-zen.img
Found fallback initrd image(s) in /boot:  amd-ucode.img initramfs-linux-zen-fallback.img
Found linux image: /boot/vmlinuz-linux-hardened
Found initrd image: /boot/amd-ucode.img /boot/initramfs-linux-hardened.img
Found fallback initrd image(s) in /boot:  amd-ucode.img initramfs-linux-hardened-fallback.img
Warning: os-prober will be executed to detect other bootable partitions.
Its output will be used to detect bootable binaries on them and create new boot entries.
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
rmdir: failed to remove '/var/lib/os-prober/mount': Device or resource busy
Found Pop!_OS 22.04 LTS (22.04) on /dev/sdb6
Adding boot menu entry for UEFI Firmware Settings ...
Detecting snapshots ...
Found snapshot: 2023-10-04 18:38:38 | @/.snapshots/812/snapshot | pre  | pacman -Su                           |
Found snapshot: 2023-10-04 09:56:21 | @/.snapshots/811/snapshot | post | btrfs-progs glibc hwdata lib32-glibc pugixml python-fastjsonschema xdg-d |
Found snapshot: 2023-10-04 09:56:06 | @/.snapshots/810/snapshot | pre  | pacman -Su                           |
Found snapshot: 2023-10-03 18:37:51 | @/.snapshots/809/snapshot | post | ca-certificates-mozilla candy-icons-git carla-git firedragon firewalld g |
Found snapshot: 2023-10-03 18:37:30 | @/.snapshots/808/snapshot | pre  | pacman -Su                           |
Found snapshot: 2023-10-02 17:05:29 | @/.snapshots/807/snapshot | post | blas cblas lapack lib32-sdl2 qt5-basesdl2                               |
Found snapshot: 2023-10-02 17:05:25 | @/.snapshots/806/snapshot | pre  | pacman -Su                           |
Found snapshot: 2023-10-02 13:15:04 | @/.snapshots/805/snapshot | post | fastfetch                            |
Found snapshot: 2023-10-02 13:15:02 | @/.snapshots/804/snapshot | pre  | pacman -Su                           |
Found snapshot: 2023-10-02 08:07:55 | @/.snapshots/803/snapshot | post | eza profile-sync-daemon              |
Found snapshot: 2023-10-02 08:07:54 | @/.snapshots/802/snapshot | pre  | pacman -Su                           |
Found snapshot: 2023-10-01 20:19:58 | @/.snapshots/801/snapshot | post | apparmor                             |
Found snapshot: 2023-10-01 20:19:55 | @/.snapshots/800/snapshot | pre  | /usr/bin/pacman -S extra/apparmor    |
Found 13 snapshot(s)
Unmount /tmp/grub-btrfs.KjRm3gMocW .. Success
Found memtest86+ image: /boot/memtest86+/memtest.bin
done
(10/15) Warn about old perl modules
(11/15) Fix 'grub' and 'os-prober'
(12/15) Updating icon theme caches...
(13/15) Updating the info directory file...
(14/15) Performing snapper post snapshots for the following configurations...
==> root: 813
(15/15) Syncing all file systems...

System updated! 🐧
Press enter to exit

Your Google-Fu is severely lacking. Instead of donning YATFH (yet another tin foil hat), please take whatever steps you need to solve the problem. This is an example, whether it fixes your problem or not. What you do from here is up to you.

Appreciate the help; am not looking to temporarily solve the problem; too many errors to report to all the package maintainers. No timeline needed for fixes that will most likely be in KDE Plasma 6 or Wayland it seems. Always open to learning anything.

Currently working on writing projects on Medium not related to Linux currently.

Exploiters have dropped another “Geschenk” (connotation not specified) that has been possible on many operating systems. Inserting a drive that is unencrypted; containing Bandcamp tracks recently downloaded of size 1.2 GB; with the ethernet unplugged after copying said files to an Encrypted install (possibly exploited); renders ddr3 memory exploitable likely from payload injected firmware package that allowed for the bios exploitation & manipulation of many variables within KDE & boot loader. Specifically this board was originally being exploited by overvoltaging the Fractal Integra 750 Watt bronze power supply & or the AMD APU 7850k motherboard that includes “5X overvoltage protection” as a feature that is dated hack-able and possibly dangerous to humans when the exploit is in use.

System froze after copying which could be to data forensics issues with the files downloaded that likely were injected with payloads that are accessible without internet access by hacking the physical smart meter on the residence most likely. This attack is being done on a number of systems and appliances including the water heater currently and has been for a number of year back to previous administration.

Creative yet beyond this ones pay grade currently.

Open to all criticism or logical fabrications on what is and is not possible and why.

Cheers & Much appreciated. Have a nice week.

Librewolf private windows & Firedragon non private windows; are exhibiting bookmarks that were not made by the user; on a regular basis after being deleted.

On related note, on an Asus R8 after removing the xanmod kernel; there were significant performance improvements.

Leading to the conception; that other kernels might being exploited with payloads; then used as an attack surface on a running system against the running kernel.

Xanmod was never used; it is possible that this can be done to any kernel; or maybe just kernels that are not being used if it is not possible to exploit the running kernel directly without being detected. (KDE Cross kernel exploits are probably not tested)

Hey my guy, no criticism or ill-intent here but do you have a CO detector in your home?

I heard the NSA can secretly listen to you with those!

I work emergency services in my county and we’ve had about 3 incidents where long-term exposure to a small CO leak has lead to similar scenarios of paranoia with memory loss.

That’s the most significant post in this thread. Thanks for bringing it to the forefront.