
pwabrahams 10-04-2010 03:10 PM

Keystroke logger infestation?
 
One of my websites has been hacked, and the hosting company thinks we might be suffering from a keystroke logger. We have a number of different computers here, mostly running Linux (OpenSuSE and Kubuntu) but a few running Windows as a dual-boot.

Is there a way I can check the safety of my Linux systems? Have there been problems with malicious loggers under Linux? It's tempting to say that it's all the fault of the Windows systems, but that might be false optimism.

rweaver 10-04-2010 03:21 PM

Every operating system has key loggers, viruses, etc. Run chkrootkit and rkhunter on the system at the minimum. In Windows, bring it up in safe mode without networking and run several good virus scanners over the machines and check HijackThis and verify everything seems sane. Then evaluate potential other methods you could be exposing your passwords: do you type them into unencrypted web forms? Are you running a control panel of any kind? Are you using FTP or POP3/IMAP without SSL? Are all the versions of your software up to date? etc.

Hangdog42 10-04-2010 03:28 PM

Quote:

One of my websites has been hacked, and the hosting company thinks we might be suffering from a keystroke logger.
Can I ask why they think that? In this forum we like to have evidence before we start theorizing as to what the issue might be.

Quote:

Is there a way I can check the safety of my Linux systems? Have there been problems with malicious loggers under Linux? It's tempting to say that it's all the fault of the Windows systems, but that might be false optimism.
There certainly are keystroke loggers that will work under Linux, but like any software, someone would have to gain root access to install it and get it to run.

So probably the place to start is to describe a bit more about the computers, such as the distro they're running and the status of patching. Also, what kinds of services are run on them and are they exposed to a LAN or the internet? It would also be useful to know how physically secure they are and if strong passwords are enforced, particularly for the root account. The more details about the systems and environment, the better.

As a start, you might run ps -afxwwwe to see if anything unusual seems to be running.
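A way to narrow that ps listing down to the processes worth explaining, as an added example that is not from the thread or from any of the posters: a POSIX sh script that walks /proc and reports processes holding an input device open, or started with LD_PRELOAD set (two traits of common user-space keyloggers). It assumes the proc root is passed as an argument (defaulting to /proc) so it can also be run against a constructed tree, and that it is run as root to see every process.

```shell
#!/bin/sh
# Added example (not from the thread): point-in-time check for two traits of
# user-space keyloggers on Linux, read from /proc.
#   1. a process holding an input device (/dev/input/event*, mice, mouse*) open
#   2. a process whose environment carries LD_PRELOAD (hook-style loggers)
# Assumption: $1 is the proc root (default /proc). Expect legitimate hits such
# as Xorg, a Wayland compositor or evdev tools; the goal is to account for
# every entry, not to treat every hit as malware.

pid_of() {           # extract the pid component from "$proc/<pid>/..."
    p=${2#"$1"/}
    printf '%s\n' "${p%%/*}"
}

find_input_readers() {
    proc=${1:-/proc}
    for fd in "$proc"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /dev/input/event*|/dev/input/mice|/dev/input/mouse*)
                pid=$(pid_of "$proc" "$fd")
                comm=$(cat "$proc/$pid/comm" 2>/dev/null) || comm='?'
                printf '%s %s %s\n' "$pid" "$comm" "$target"
                ;;
        esac
    done
}

find_preloaded() {
    proc=${1:-/proc}
    for env in "$proc"/[0-9]*/environ; do
        [ -r "$env" ] || continue
        # environ is NUL-separated; only report if LD_PRELOAD is present
        val=$(tr '\0' '\n' < "$env" 2>/dev/null | grep '^LD_PRELOAD=') || continue
        printf '%s %s\n' "$(pid_of "$proc" "$env")" "$val"
    done
}

# Run with --scan to check the live system.
if [ "${1:-}" = "--scan" ]; then
    echo "== processes with an input device open =="; find_input_readers
    echo "== processes with LD_PRELOAD in their environment =="; find_preloaded
fi
```

Compare the first list against what should legitimately own the keyboard on that box; a process you cannot name that holds an event device open deserves a closer look before any reinstall.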
