|
-
Keylogger
How does one go about detecting a keylogger or other similar utility that may have been installed on a computer. How does one locate the data that has been stored and remove it as well as the offensive utility.
Note: This a personal home computer not a work or employer owned system. Thanks in advance. 
-
-
No expert, but will careful inspection of lsof help?
-
-
Not really sure about Linux but if you are using windows, however, you might want to open up the task manager. Do we have a task manager in Linux?
-
-
There is a task manager in most, if not all, Linux distributions. The menu to access it can vary depending on what you are running, but I believe it is normally found under the 'System' menu with the title 'Task Manager'. I am trying to remember what you can enter when pressing ALT + F2 to pull up the Run Program menu, but my mind is drawing a blank. I must say that I am not too familiar with having a key logger (or a problem with one) on any Linux system, was this a key logger that you installed?
-
-
1. I am Assuming windows.
2. I am assuming the machine is on.
3. You can do the same in linux, I just don't know the tools.
Ok Firstly. You wanna stop using your plugged in keyboard. Go to the onscreen keyboard on the screen - this will not be logged by a keylogger.
Secondly. You wanna find out what ports you have open, and where they are connecting to. Close all web browsers and everything connecting outwards. If you see anything going out, not the ip address.
Open a process viewer (task manager will do) look for any processes taking up more ram / cpu than the others. Download and install process explorer from sys internals. Use this to "varify" all processes running. Right click process, click properties, click varify.
If any do not varify. They are suspect.
Disconnect the machine from the internet. If it is a text keylogger you need to look for several things. Any stange exes, and any strange text files. To find these. I would boot into a linux live cd. Grep for exe. See what you find. Grep for .txt or .log see what you find.
If you are still unsure. Type in some random characters onto the live running machine using your keyboard. Make it a unique string. so like "hdnsnakaishtbam292834dsa" something you would not have typed before. Boot into linux, and do a grep for that string. If you find it saved in a text file, or find it anywhere on the drive OTHER THAN the pagefile.sys. You have a keylogger on your machine. Once you find out where your string is stored, you have the temp file of the keylogger. Google its name, and check the folder where it is saved. You will likely find the keylogger hidding in the same, or a few folders back in the tree.
I hope this helps. I do this for a living. I have detected and removed keyloggers on windows machines before. So I can try my best to help you.
Once you find any suspect files. Upload them to virustotal.com and see what they rank as, either good or bad.
-
-
 Originally Posted by scotty
1. I am Assuming windows.
2. I am assuming the machine is on.
3. You can do the same in linux, I just don't know the tools.
Ok Firstly. You wanna stop using your plugged in keyboard. Go to the onscreen keyboard on the screen - this will not be logged by a keylogger.
Secondly. You wanna find out what ports you have open, and where they are connecting to. Close all web browsers and everything connecting outwards. If you see anything going out, not the ip address.
Open a process viewer (task manager will do) look for any processes taking up more ram / cpu than the others. Download and install process explorer from sys internals. Use this to "varify" all processes running. Right click process, click properties, click varify.
If any do not varify. They are suspect.
Disconnect the machine from the internet. If it is a text keylogger you need to look for several things. Any stange exes, and any strange text files. To find these. I would boot into a linux live cd. Grep for exe. See what you find. Grep for .txt or .log see what you find.
If you are still unsure. Type in some random characters onto the live running machine using your keyboard. Make it a unique string. so like "hdnsnakaishtbam292834dsa" something you would not have typed before. Boot into linux, and do a grep for that string. If you find it saved in a text file, or find it anywhere on the drive OTHER THAN the pagefile.sys. You have a keylogger on your machine. Once you find out where your string is stored, you have the temp file of the keylogger. Google its name, and check the folder where it is saved. You will likely find the keylogger hidding in the same, or a few folders back in the tree.
I hope this helps. I do this for a living. I have detected and removed keyloggers on windows machines before. So I can try my best to help you.
Once you find any suspect files. Upload them to virustotal.com and see what they rank as, either good or bad.
Great and detailed post. I would do it as Scotty said. Another method you might want to consider assuming it is still in windows is to use safe mode. Just reboot your windows and switch to safe mode then manually delete/uninstall that keylogger. If anyone can teach us how to do it in Linux, it would be a great help.
-
-
Originally Posted by Godric
Great and detailed post. I would do it as Scotty said. Another method you might want to consider assuming it is still in windows is to use safe mode. Just reboot your windows and switch to safe mode then manually delete/uninstall that keylogger. If anyone can teach us how to do it in Linux, it would be a great help.
Yes for linux, I am not so sure. The best thing you can do is unplug from the network, and not restart. That way if anything is transmitting / running now you will get it. If you restart you run the risk that you might not catch it again.
-
-
I'm just curious... If there is a keylogger running in Linux, would you be able to find it on your running processes by typing "ps x"? If so, maybe you could just kill that process then search and destroy it. I haven't encountered any keylogger yet so I'm not quite sure.
Acronix | Coders Republic
"In my weakness, I find strength."
-
-
If you're on Windows what anti-virus are you running? Because constantly browsing the web with Windows and no anti-virus, even a free one, is just asking to get infected with something. If you don't want to spend money, then at least download the free versions of Avast and Malwarebytes. If you're willing to put out a couple of bucks, then Kaspersky and Bitdefender are also quite good. The paid version of Kaspersky (3-PC license for 2012) also has a free $50 rebate on Newegg right now (ends 4/18) so you essentially get it for free.
-
-
Originally Posted by Acronix
I'm just curious... If there is a keylogger running in Linux, would you be able to find it on your running processes by typing "ps x"? If so, maybe you could just kill that process then search and destroy it. I haven't encountered any keylogger yet so I'm not quite sure.
Yes you could if you could find the process. A lot of keyloggers hide at the rootkit level, so finding the process is sometimes difficult, as it can either be hooked into something else like the acpi drivers, for example.
-
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Check out Linux Central for Linux software and other goodies!
» Recent Threads
» Stats
Members: 3,541
Threads: 3,912
Posts: 9,423
Top Poster: Fred (1,486)
» Links
|
Reply With Quote
Bookmarks