Re: keysmoops
On Thu, May 25, 2000 at 12:06:12AM -0500, Dave Sherohman wrote:
> Jim McCloskey said:
> > When I upgraded from slink to frozen, though, I acquired a whole new
> > directory full---/var/log/keysmoops. And it's growing frighteningly
> > fast (doesn't seem to be under the control of the log rotation
> > system).
> >
> > I can't understand the information that's in these files and I haven't
> > been able to find any documentation that would tell me what this log
> > is for. I read debian-user regularly and I've searched the archives,
> > and I'm still none the wiser.
>
> Given that the directory isn't being rotated, is constantly growing,
> neither "keysmoop" nor "keysmoops" returns any hits on Google, and that
> "smoop" looks suspiciously like "snoop"...
>
Shouldn't it be /var/log/ksymoops? And doesn't it have a bunch of files
that look like YYYYMMDDhhmmss.ksyms (and *.modules)? Apparently a
listing of all of the kernel symbols (i.e. function calls) made by
whatever user(s) were using the system at the time. Look at oops-tracing.txt
in the Linux kernel source documentation. Guess it's handled by
klogd/syslogd. Good if you want to file a bug report to kernel
developers!
> I'm inclined to suspect that your system has been invaded and a bogus log
> (possibly recording all keystrokes entered, judging by the name) has been
> initiated.
Yes, if that's a typo above.
> The first thing I would do (after physically disconnecting all networks) is
> `lsof | grep keysmoops` to see if any processes have the file open. If it's
> a legit log, it should be opened by syslogd (or maybe klogd). If any other
> process has it open, that process should probably be kill -9'd. (Note that
> you'll have to be root to do any of this.)
>
> If it is opened by syslogd/klogd, take a look in /etc/syslog.conf to see
> who's writing to it. For instance, the line
> lpr.* -/var/log/lpr.log
> tells me that lpr.log is fed by messages from lpr. If /var/log/keysmoops is
> getting data from a source that looks even vaguely suspicious, that source
> should be eliminated.
>
> If it looks like your system has been compromised, you must get rid of the
> affected files. Unfortunately, it's very difficult to determine after the
> fact which files have been affected; the only way to ensure that all of them
> have been removed is to wipe the disk and reinstall from trusted sources.
>
> (OTOH, "keysmoops" could be legit. But, barring any other Debianites telling
> us where it comes from and what it does, I find it extremely unlikely.)
--
¶ One·should·only·use·the·ASCII·characterset·when·compos
» ing·email·messages.
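The two checks Dave describes above (who holds the log file open, and which syslog.conf selector feeds it) as an added example script; this is not code from the thread or from Debian. The syslog.conf fragment and the lsof output it is run against are constructed here for offline use, and the names `syslog_sources_for`, `classify_lsof_lines` and `sources_in_sample` are ours. The list of daemons treated as legitimate writers (syslogd, klogd) follows the thread; adjust it for your own system.

```shell
#!/bin/sh
# Constructed syslog.conf fragment (not from the thread). The last line
# is the "everything goes there" case a defender would want to notice.
SAMPLE_CONF='# selector                  action
auth,authpriv.*              /var/log/auth.log
*.*;auth,authpriv.none       -/var/log/syslog
kern.*                       -/var/log/kern.log
lpr.*                        -/var/log/lpr.log
*.*                          /var/log/keysmoops'

# Print the selector(s) that feed a given log file. Reads syslog.conf
# syntax on stdin: a selector, whitespace, then the action; a leading
# "-" on the path only means "do not sync after each write".
syslog_sources_for() {
    target="$1"
    awk -v t="$target" '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        {
            path = $NF
            sub(/^-/, "", path)               # drop the async-write marker
            if (path == t) print $1
        }'
}

# Same check run against the embedded sample, so it can be exercised
# without touching the real /etc/syslog.conf.
sources_in_sample() {
    printf '%s\n' "$SAMPLE_CONF" | syslog_sources_for "$1"
}

# Classify lsof output for one file: "ok" if only the expected syslog
# daemons hold it open, "suspicious" if any other process does. lsof
# output is taken on stdin so the logic can run against captured text.
classify_lsof_lines() {
    awk 'NR == 1 && /^COMMAND/ { next }          # header line
         $1 != "syslogd" && $1 != "klogd" { bad = 1 }
         END { print (bad ? "suspicious" : "ok") }'
}

# Stand-alone demo against the constructed data.
if [ "${1:-}" = "demo" ]; then
    echo "lpr.log is fed by:      $(sources_in_sample /var/log/lpr.log)"
    echo "keysmoops is fed by:    $(sources_in_sample /var/log/keysmoops)"
    # Constructed lsof lines: only syslogd holds the file.
    printf 'COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME\n'\
'syslogd 123 root 4w REG 3,1 0 99 /var/log/keysmoops\n' | classify_lsof_lines
fi
```

On a live system the equivalent is `grep keysmoops /etc/syslog.conf` and `lsof | grep keysmoops` as root; the selector check only tells you which facility is configured to write there, so a file that no selector names but that some process still holds open is the case worth investigating.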
- References:
- keysmoops
- From: Jim McCloskey <mcclosk@ling.ucsc.edu>
- Re: keysmoops
- From: Dave Sherohman <esper@usinternet.com>