LinuxQuestions.org
Old 05-21-2012, 03:20 PM   #1
werner291
Member
 
Registered: Feb 2012
Distribution: Debian (And soon Ubuntu and Android)
Posts: 48

Rep: Reputation: Disabled
Possible keylogger got into my system.


Hi, a friend said he found my account for sale on a hacker's forum. No idea how they hacked it, and I changed the password (login simply worked), but I still don't trust this.

He told me I had probably got a cross-platform keylogger that reports my every move.

I know there is very little malware for Linux, but how can I be sure whether I've got one or not? (I'm on Debian)
 
Old 05-21-2012, 05:36 PM   #2
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
I don't know the odds of finding one of your friend's accounts for sale on a hacker forum, but I think it's safe to say it's slim to none. A cross-platform key logger is also unlikely. The most likely situation is he's pulling your leg.
 
Old 05-21-2012, 09:05 PM   #3
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,978

Rep: Reputation: 3624
Kind of a wrong statement. The malware is not the same as exploits.

Your system could be exploited either at your system or through network or brute force attack. This applies to both sides of systems.


What do you mean account for sale?
 
Old 05-22-2012, 03:59 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Also, what do you mean by:
Quote:
Originally Posted by werner291
I changed the password (login simply worked)
With regards to:
Quote:
how can I be sure whether I've got one or not? (I'm on Debian)
You would need to perform an investigation of your system, in particular examine your system binaries for signs of modification and look for processes that don't belong.
 
Old 05-22-2012, 10:15 AM   #5
werner291
Member
 
Registered: Feb 2012
Distribution: Debian (And soon Ubuntu and Android)
Posts: 48

Original Poster
Rep: Reputation: Disabled
I was talking about my Minecraft account; hacking those is big business on the internet. I could simply log into my account, although I'd expected the hacker would have changed the password.

Yes, the warning is probably fake, but if it's not, that's dangerous since that would mean that hacker would have access to my parents' website.

I noticed python running in the background, how do I find out what script it's executing?
 
Old 05-22-2012, 10:42 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
Originally Posted by werner291
I noticed python running in the background, how do I find out what script it's executing?
As root run:
Code:
(ps acxfwwwe 2>&1; lsof -Pwln 2>&1; netstat -anpe 2>&1; lastlog 2>&1; last 2>&1; who -a 2>&1 ) > /tmp/log.txt
That will give you a process tree as well as a list of all open files. Using this, you should be able to trace your python program back to the parent process and see if there are any open connections to unknown sources.

Of course this assumes your binaries haven't been subverted. If they have actually installed a key logging application I suspect that they will have replaced these binaries to prevent you from seeing it. So depending on how tight your foil hat is, verify the binaries in the above command against the versions in your distribution repository before running the above command. You will need to manually locate and download these programs and then verify the modification date-time, size, and md5sum.
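As an added example (not from the thread or from Noway2), here is a small triage script that does the tracing the post describes on captured output: it maps each python interpreter to the script it runs, walks its parent chain back towards init, and lists the established TCP connections that process owns, so each one can be explained or followed up. It assumes the output was captured in the simpler `ps -eo pid,ppid,user,args` and `netstat -anp` formats rather than with the exact flags above, and the samples are constructed; as the post says, the result is only as trustworthy as the ps and netstat binaries that produced the log.

```python
import re
# Constructed samples (not the OP's log) in `ps -eo pid,ppid,user,args` and `netstat -anp` form.
PS_SAMPLE = """\
  PID  PPID USER COMMAND
    1     0 root /sbin/init
 2201     1 user /usr/bin/gnome-session
 2330  2201 user /usr/bin/python /usr/share/system-config-printer/applet.py
 4510     1 user /usr/bin/python /home/user/.cache/.x/run.py
"""
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address  State       PID/Program name
tcp        0      0 192.168.1.10:34412 203.0.113.77:443 ESTABLISHED 4510/python
tcp        0      0 192.168.1.10:51202 198.51.100.5:443 ESTABLISHED 2701/chrome
"""

def parse_ps(text):
    """Map pid -> (ppid, user, args); the first line of ps output is the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        pid, ppid, user, args = line.split(None, 3)
        procs[int(pid)] = (int(ppid), user, args)
    return procs

def ancestry(procs, pid):
    """Parent chain from pid up to init as a list of pids, pid itself first."""
    chain = []
    while pid in procs:
        chain.append(pid)
        ppid = procs[pid][0]
        if ppid in (0, pid):  # reached init (ppid 0) or a self-loop
            break
        pid = ppid
    return chain

def parse_netstat(text):
    """Map pid -> [foreign address, ...] for ESTABLISHED TCP connections."""
    conns = {}
    for m in re.finditer(r"^tcp\s+\d+\s+\d+\s+\S+\s+(\S+)\s+ESTABLISHED\s+(\d+)/", text, re.M):
        conns.setdefault(int(m.group(2)), []).append(m.group(1))
    return conns

def python_processes(procs, conns):
    """Each python interpreter as (pid, user, script, parent pids, connections)."""
    report = []
    for pid, (_ppid, user, args) in procs.items():
        argv = args.split()
        if re.search(r"(^|/)python[0-9.]*$", argv[0]):
            script = argv[1] if len(argv) > 1 else "(interactive)"
            report.append((pid, user, script, ancestry(procs, pid)[1:], conns.get(pid, [])))
    return report
```

In the constructed sample, the interpreter whose parent is the desktop session and which holds no socket is easy to explain, while one started directly under init from a hidden cache directory and holding a connection is the kind of entry worth checking by hand.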
 
Old 05-22-2012, 12:24 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by werner291
Hi, a friend said he found my account for sale on a hacker's forum. No idea how they hacked it, and I changed the password (login simply worked), but I still don't trust this.

He told me I had probably got a cross-platform keylogger that reports my every move.
Unless there are significantly more details that you've left out, assuming a "keylogger" on your Debian system is inappropriate at this point.

Question: do you log into Minecraft over a TLS-encrypted connection?
 
Old 05-23-2012, 05:20 AM   #8
werner291
Member
 
Registered: Feb 2012
Distribution: Debian (And soon Ubuntu and Android)
Posts: 48

Original Poster
Rep: Reputation: Disabled
As far as I know, the password gets sent once over https (no other encryption).

My friend told me that he would send me a screenshot of the page selling my account. (The forum itself is supposed to be members-only visible.)

Currently, I still rather believe that it's fake.

Noway2, I ran your command, I didn't see anything suspicious. Anyone with more experience willing to take a look at it?

http://dl.dropbox.com/u/60672021/log.txt

Last edited by werner291; 05-23-2012 at 06:49 AM.
 
Old 05-23-2012, 09:59 AM   #9
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
For the most part the output looks clean. There are a couple of things that struck me as a little odd that I will mention, but I don't see what I would consider to be signs of an intrusion. By this I mean, there doesn't appear to be any weird SSHD connections, unusual login activity, orphaned bash processes, files or anything open in /tmp, /dev, /proc that seems out of place (for example, one would expect your web browser to use files in /tmp). I will say that you are running A LOT of stuff on this machine!

The couple of things I will point out are:
1 - it is clear that you're running Gnome. However, it also looks like you have LXDE running at the same time.
2 - I am not sure what this process gvfsd-httpd is, pid 2869, but it is run from your user account UID 1000. GVFSD is the Gnome filesystem, but I can't say much about the application. What caught my attention is that while you seem to have Chrome open to LinuxQuestions and a server at 1e100 (and I am guessing located in The Netherlands), this process HAD a connection open to a Greek domain called hades.car.gr. Note that there appears to be a DNS conflict as this IP address is also shared by screenshots.debian.net.
3 - I noticed that you are running the Character-Picker applet, and it caught my attention that it had libraries open for Ogg and Vorbis (music codec) files. Perhaps this is normal, but it jumped out at me.
4 - You are running portmap, which has to do with network file systems and accepting connections for remote procedure calls. I am not sure if this is something you were expecting, but thought I would mention it.

Overall, though, I don't see anything that looks like an intrusion on your system, or key logging activity. I would recommend you keep watch on your system, follow up on this information your "friend" supposedly has, and go from there. You don't seem to be running any server processes, so you should be able to keep a firewall up on your system. Keep your applications up to date and use common sense in your browsing, but I don't see that you have cause for alarm at this point.
 
Old 05-24-2012, 05:13 AM   #10
werner291
Member
 
Registered: Feb 2012
Distribution: Debian (And soon Ubuntu and Android)
Posts: 48

Original Poster
Rep: Reputation: Disabled
Good to know that I don't have any locally-run spyware.

I have no idea why so much stuff is open though.

LXDE? Synaptic says those packages aren't installed...

Anyway, thank you for taking the time to read that massive wall of text and giving me an answer.
 
Old 05-24-2012, 08:37 AM   #11
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I'm happy to have been of help and I am glad that you don't appear to be facing a spyware infection.

To follow up on the LXDE, the part that looks like LXDE is the lxtask section. You may not actually have the full LXDE, but you have the desktop manager for it, or at least that is what it looks like. Doing a little more digging, various wiki pages:
Quote:
1) Task manager of the LXDE Desktop
2) It is derived from the Xfce4 task manager with all the Xfce4 dependencies removed, some bugs fixed, and some improvement of UI. Although being part of LXDE (lightweight X11 desktop environment), it's totally desktop independent and only requires pure gtk+.
3) task manager & system monitor, use htop instead as it uses less resources.
So it may be an app with the same name, but something to look into. The LSOF output does show it using a lot of GTK libraries.
 