
Re: keysmoops



Jim McCloskey said:
> When I upgraded from slink to frozen, though, I acquired a whole new
> directory full---/var/log/keysmoops. And it's growing frighteningly
> fast (doesn't seem to be under the control of the log rotation
> system).
> 
> I can't understand the information that's in these files and I haven't
> been able to find any documentation that would tell me what this log
> is for. I read debian-user regularly and I've searched the archives,
> and I'm still none the wiser.

Given that the directory isn't being rotated, is constantly growing,
neither "keysmoop" nor "keysmoops" returns any hits on Google, and that
"smoop" looks suspiciously like "snoop"...

I'm inclined to suspect that your system has been invaded and a bogus log
(possibly recording all keystrokes entered, judging by the name) has been
initiated.

The first thing I would do (after physically disconnecting all networks) is
`lsof | grep keysmoops` to see if any processes have the file open.  If it's
a legit log, it should be opened by syslogd (or maybe klogd).  If any other
process has it open, that process should probably be kill -9'd.  (Note that
you'll have to be root to do any of this.)

If it is opened by syslogd/klogd, take a look in /etc/syslog.conf to see
who's writing to it.  For instance, the line
lpr.*               -/var/log/lpr.log
tells me that lpr.log is fed by messages from lpr.  If /var/log/keysmoops is
getting data from a source that looks even vaguely suspicious, that source
should be eliminated.

If it looks like your system has been compromised, you must get rid of the
affected files.  Unfortunately, it's very difficult to determine after the
fact which files have been affected; the only way to ensure that all of them
have been removed is to wipe the disk and reinstall from trusted sources.

(OTOH, "keysmoops" could be legit.  But, barring any other Debianites telling
us where it comes from and what it does, I find it extremely unlikely.)

-- 
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
Geek Code 3.1:  GCS d- s+: a- C++ UL++$ P+>+++ L++>++++ E- W--(++) N+ o+ !K
w---$ O M- !V PS+ PE Y+ PGP t 5++ X+ R++ tv- b++ DI++++ D G e* h+ r++ y+
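The triage the reply describes (first find out what has the file open, then find out which syslog.conf selector feeds it), written up as an added shell example; this is not code from the original post. It assumes Linux with /proc mounted, walks /proc/*/fd itself rather than calling lsof (a userland rootkit commonly replaces lsof and ps, though a kernel-level one can still hide entries from /proc), and reads a constructed syslog.conf embedded below. The path /var/log/keysmoops comes from the thread; the selectors in the sample configuration are made up for the demonstration. It only reports; it does not kill anything.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux with /proc mounted.
# Finds which processes hold a file open and which syslog.conf selectors
# write to it, so a suspicious log can be traced back to its source.

# Print (one per line, sorted) the pids of every process that has TARGET
# open, by reading the symlinks under /proc/<pid>/fd. TARGET must be the
# canonical path, since that is what the kernel reports in the link.
# Processes whose fd tables we cannot read are silently skipped, so run
# as root for a complete answer, as the reply notes.
find_openers() {
    target=$1
    for fd in /proc/[0-9]*/fd/*; do
        [ -e "$fd" ] || continue               # pipes, sockets, dead links
        link=$(readlink "$fd" 2>/dev/null) || continue
        [ "$link" = "$target" ] || continue
        pid=${fd#/proc/}                       # "1234/fd/3" -> "1234"
        echo "${pid%%/*}"
    done | sort -un
}

# Print every selector in CONF whose action is TARGET. Handles '#' comments,
# blank lines, the leading '-' on an action (meaning "don't fsync"), and
# several selectors joined with ';' in front of one action. Backslash line
# continuations are not handled.
syslog_sources() {
    conf=$1
    target=$2
    awk -v target="$target" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            action = $NF
            sub(/^-/, "", action)
            if (action != target) next
            n = split($1, parts, ";")
            for (i = 1; i <= n; i++) print parts[i]
        }
    ' "$conf"
}

# Report both views for PATH. If the only opener is syslogd/klogd and the
# selectors look sane, the file is probably legitimate; any other opener
# is the process the reply suggests killing, and is named here via
# /proc/<pid>/comm so it can be inspected first.
triage() {
    path=$1
    conf=$2
    echo "== processes with $path open =="
    for pid in $(find_openers "$path"); do
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        echo "$pid ${comm:-?}"
    done
    echo "== selectors in $conf writing to $path =="
    syslog_sources "$conf" "$path"
}

# Constructed sample syslog.conf for the demonstration (not a real file;
# the local7/kern line is invented to show the multi-selector case).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# /etc/syslog.conf (constructed sample)
auth,authpriv.*         /var/log/auth.log
lpr.*                   -/var/log/lpr.log
local7.*;kern.debug     -/var/log/keysmoops
EOF

triage /var/log/keysmoops "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

On a real box, replace the sample with /etc/syslog.conf and run as root. A legitimate log shows up with syslogd (or klogd) as the only opener and a recognisable selector; a process nobody can account for holding the file open is the thing to look at before anything else.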