
Re: keysmoops



On Thu, May 25, 2000 at 12:06:12AM -0500, Dave Sherohman wrote:
> Jim McCloskey said:
> > When I upgraded from slink to frozen, though, I acquired a whole new
> > directory full---/var/log/keysmoops. And it's growing frighteningly
> > fast (doesn't seem to be under the control of the log rotation
> > system).
> > 
> > I can't understand the information that's in these files and I haven't
> > been able to find any documentation that would tell me what this log
> > is for. I read debian-user regularly and I've searched the archives,
> > and I'm still none the wiser.
> 
> Given that the directory isn't being rotated, is constantly growing,
> neither "keysmoop" nor "keysmoops" returns any hits on Google, and that
> "smoop" looks suspiciously like "snoop"...
> 

Shouldn't it be /var/log/ksymoops? And doesn't it have a bunch of files
that look like YYYYMMDDhhmmss.ksyms (and *.modules)?  Apparently a
listing of all of the kernel symbols (i.e. function calls) made by
whatever user(s) were using the system at the time.  Look at oops-tracing.txt
in the Linux kernel source documentation. Guess it's handled by
klogd/syslogd.  Good if you want to file a bug report to kernel
developers!

> I'm inclined to suspect that your system has been invaded and a bogus log
> (possibly recording all keystrokes entered, judging by the name) has been
> initiated.

Yes, if that's a typo above.

> The first thing I would do (after physically disconnecting all networks) is
> `lsof | grep keysmoops` to see if any processes have the file open.  If it's
> a legit log, it should be opened by syslogd (or maybe klogd).  If any other
> process has it open, that process should probably be kill -9'd.  (Note that
> you'll have to be root to do any of this.)
> 
> If it is opened by syslogd/klogd, take a look in /etc/syslog.conf to see
> who's writing to it.  For instance, the line
> lpr.*               -/var/log/lpr.log
> tells me that lpr.log is fed by messages from lpr.  If /var/log/keysmoops is
> getting data from a source that looks even vaguely suspicious, that source
> should be eliminated.
> 
> If it looks like your system has been compromised, you must get rid of the
> affected files.  Unfortunately, it's very difficult to determine after the
> fact which files have been affected; the only way to ensure that all of them
> have been removed is to wipe the disk and reinstall from trusted sources.
> 
> (OTOH, "keysmoops" could be legit.  But, barring any other Debianites telling
> us where it comes from and what it does, I find it extremely unlikely.)

-- 
One should only use the ASCII character set when composing email messages.
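The two checks Dave describes above (which syslog.conf selectors feed the mystery file, and which processes other than syslogd/klogd hold it open) as an added shell helper; this is not part of the original thread, and it runs over constructed syslog.conf and lsof samples rather than a live system.

```shell
#!/bin/sh
# Triage helper for an unexplained, fast-growing log file.
# Sample data below is constructed for the example; on a real box you would
# feed it /etc/syslog.conf and the output of `lsof` instead.

# Constructed syslog.conf excerpt: normal rules plus one that routes auth
# messages into the unknown file (illustrative, not from the original post).
SAMPLE_SYSLOG_CONF='# /etc/syslog.conf (constructed sample)
auth,authpriv.*            /var/log/auth.log
lpr.*                      -/var/log/lpr.log
kern.*                     -/var/log/kern.log
authpriv.*;auth.*          -/var/log/keysmoops'

# Constructed lsof output; "oddproc" is a made-up process name.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
syslogd    211 root    4w   REG    3,1 4096 8812 /var/log/keysmoops
oddproc    303 root    7w   REG    3,1 9731 8812 /var/log/keysmoops'

# Print the selector (facility.priority) of every rule whose action is $1.
# syslog.conf lines are "selector <whitespace> action"; a leading "-" on the
# action only means "do not fsync", so it is stripped before comparing.
selectors_for_file() {
    file=$1
    printf '%s\n' "$2" | awk -v f="$file" '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blanks
        { act = $NF; sub(/^-/, "", act)
          if (act == f) print $1 }'
}

# Print COMMAND and PID of every process holding $1 open that is not a known
# syslog writer (syslogd or klogd). Anything printed deserves a closer look.
unexpected_openers() {
    file=$1
    printf '%s\n' "$2" | awk -v f="$file" '
        NR == 1 { next }                          # skip the lsof header row
        $NF == f && $1 != "syslogd" && $1 != "klogd" { print $1, $2 }'
}

selectors_for_file /var/log/keysmoops "$SAMPLE_SYSLOG_CONF"
unexpected_openers /var/log/keysmoops "$SAMPLE_LSOF"
```

An empty result from both functions is the reassuring case: the file is fed only by syslogd/klogd and nothing else has it open.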