Possible keylogger got into my system.
Hi, a friend said he found my account for sale on a hacker's forum. No idea how they hacked it, and I changed the password (login simply worked), but I still don't trust this.
He told me I had probably got a cross-platform keylogger that reports my every move.
I know there is very little malware for Linux, but how can I be sure whether I've got one or not? (I'm on Debian)
I don't know the odds of finding one of your friend's accounts for sale on a hacker forum, but I think it's safe to say it's slim to none. A cross-platform key logger is also unlikely. The most likely situation is he's pulling your leg.
Quote:
how can I be sure whether I've got one or not? (I'm on Debian)
You would need to perform an investigation of your system, in particular examine your system binaries for signs of modification and look for processes that don't belong.
I was talking about my Minecraft account; hacking those is big business on the internet. I could simply log into my account, although I'd expected the hacker would have changed the password.
Yes, the warning is probably fake, but if it's not, that's dangerous since that would mean that hacker would have access to my parents' website.
I noticed python running in the background, how do I find out what script it's executing?
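One way to answer that question directly from procfs rather than from the ps output, as an added example that is not from the thread (it assumes a Linux /proc and that the pid of the python process is passed in by hand):

```shell
#!/bin/sh
# Added example: walk from a pid up to init, printing what each ancestor
# actually runs. Reads /proc directly (Linux procfs) rather than relying on
# the ps binary: /proc/<pid>/cmdline holds the full argv, NUL separated, so a
# bare "python" entry in ps becomes "python /path/to/script.py" here; exe is
# the real executable (tampered or deleted binaries show up as a changed or
# "(deleted)" path) and cwd is the working directory the process started in.
# trace_pid <pid>
trace_pid() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -d "/proc/$pid" ]; do
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
        printf 'pid %s exe=%s cwd=%s cmd=%s\n' "$pid" "$exe" "$cwd" "$cmd"
        # parent pid comes from the PPid: line of /proc/<pid>/status
        pid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
    done
}

# usage: trace_pid <pid of the python process>; here the current shell
[ -n "$1" ] && trace_pid "$1" || trace_pid "$$"
```

Run it as root so that exe and cwd of processes owned by other users can be read; a python process whose cwd or script path sits in /tmp, /dev/shm or a hidden directory in $HOME is the kind of thing worth looking at more closely.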
Quote:
I noticed python running in the background, how do I find out what script it's executing?
As root run:
Code:
(ps acxfwwwe 2>&1; lsof -Pwln 2>&1; netstat -anpe 2>&1; lastlog 2>&1; last 2>&1; who -a 2>&1 ) > /tmp/log.txt
That will give you a process tree as well as a list of all open files. Using this, you should be able to trace your python program back to the parent process and see if there are any open connections to unknown sources.
Of course this assumes your binaries haven't been subverted. If they have actually installed a key logging application I suspect that they will have replaced these binaries to prevent you from seeing it. So depending on how tight your foil hat is, verify the binaries in the above command against the versions in your distribution repository before running the above command. You will need to manually locate and download these programs and then verify the modification date-time, size, and md5sum.
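The hash check the reply describes, done the way Debian itself records known-good hashes, as an added example that is not from the thread: every installed package ships a /var/lib/dpkg/info/<pkg>.md5sums list of "<md5>  <path without leading slash>" lines. The demo builds a constructed file tree and list in a temp directory so it runs offline; the helper names and the "trojaned lsof" are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify binaries against a dpkg-style .md5sums list.
# verify_file <md5sums-list> <root> <relative-path>
# Prints OK / MISMATCH / UNLISTED and returns 0 / 1 / 2 respectively.
verify_file() {
    list=$1; root=$2; rel=$3
    # the list's second field is the path relative to /, e.g. bin/ps
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$list")
    [ -n "$expected" ] || { echo "UNLISTED $rel"; return 2; }
    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $rel"; return 0
    fi
    echo "MISMATCH $rel (expected $expected, got $actual)"; return 1
}

# demo_verify: constructed "installed" tree with a pristine ps, an lsof that
# is replaced after its hash was recorded, and a netstat no list covers.
# Returns the number of files that did not verify OK (2 for this tree).
demo_verify() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'pristine ps\n'      > "$root/bin/ps"
    printf 'pristine lsof\n'    > "$root/bin/lsof"
    printf 'pristine netstat\n' > "$root/bin/netstat"
    # record known-good hashes: the role dpkg's <pkg>.md5sums file plays
    md5sum "$root/bin/ps" "$root/bin/lsof" | sed "s|$root/||" > "$root/good.md5sums"
    # simulate a replaced binary after the hashes were recorded
    printf 'trojaned lsof\n' > "$root/bin/lsof"
    bad=0
    for f in bin/ps bin/lsof bin/netstat; do
        verify_file "$root/good.md5sums" "$root" "$f" || bad=$((bad + 1))
    done
    rm -rf "$root"
    return "$bad"
}

demo_verify
```

On a real Debian system `dpkg -S /bin/ps` names the owning package and `dpkg --verify <pkg>` (or `debsums <pkg>`) performs this same comparison against the package's own md5sums list; as the reply notes, md5sum and awk are themselves binaries on the suspect box, so the comparison is only as trustworthy as the tools it runs with.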
Quote:
Hi, a friend said he found my account for sale on a hacker's forum. No idea how they hacked it, and I changed the password (login simply worked), but I still don't trust this.
He told me I had probably got a cross-platform keylogger that reports my every move.
Unless there are significantly more details that you've left out, assuming a "keylogger" on your Debian system is inappropriate at this point.
Question: do you log into Minecraft over a TLS-encrypted connection?
For the most part the output looks clean. There are a couple of things that struck me as a little odd that I will mention, but I don't see what I would consider to be signs of an intrusion. By this I mean, there doesn't appear to be any weird SSHD connections, unusual login activity, orphaned bash processes, files or anything open in /tmp, /dev, /proc that seems out of place (for example, one would expect your web browser to use files in /tmp). I will say that you are running A LOT of stuff on this machine!
The couple of things I will point out are:
1 - it is clear that you're running Gnome. However, it also looks like you have LXDE running at the same time.
2 - I am not sure what this process gvfsd-httpd is, pid 2869, but it is run from your user account UID 1000. GVFSD is the Gnome filesystem, but I can't say much about the application. What caught my attention is that while you seem to have Chrome open to LinuxQuestions and a server at 1e100 (and I am guessing located in The Netherlands), this process HAD a connection open to a Greek domain called hades.car.gr. Note that there appears to be a DNS conflict, as this IP address is also shared by screenshots.debian.net.
3 - I noticed that you are running the Character-Picker applet, and it caught my attention that it had libraries open for Ogg and Vorbis (music codec) files. Perhaps this is normal, but it jumped out at me.
4 - You are running portmap, which has to do with network file systems and accepting connections for remote procedure calls. I am not sure if this is something you were expecting, but thought I would mention it.
Overall, though, I don't see anything that looks like an intrusion on your system, or key logging activity. I would recommend you keep watch on your system, follow up on this information your "friend" supposedly has, and go from there. You don't seem to be running any server processes, so you should be able to keep a firewall up on your system. Keep your applications up to date and use common sense in your browsing, but I don't see that you have cause for alarm at this point.
I'm happy to have been of help and I am glad that you don't appear to be facing a spyware infection.
To follow up on the LXDE, the part that looks like LXDE is the lxtask section. You may not actually have the full LXDE, but you have the task manager for it, or at least that is what it looks like. Doing a little more digging, various wiki pages say:
Quote:
1) Task manager of the LXDE Desktop
2) It is derived from the Xfce4 task manager with all the Xfce4 dependencies removed, some bugs fixed, and some improvement of UI. Although being part of LXDE (lightweight X11 desktop environment), it's totally desktop independent and only requires pure gtk+.
3) task manager & system monitor, use htop instead as it uses less resources.
So it may be an app with the same name, but something to look into. The LSOF output does show it using a lot of GTK libraries.