How can I detect a keylogger on my system?


Solution 1

Is a keylogger running right now?

  • First, we'll assume you're using a stock Ubuntu system that X installed and that has always been under X's control -- where X is yourself or someone you absolutely trust.

  • Since this is a stock system and all software has been installed from the official repositories, you can be certain that there is no hidden keylogger in there, e.g. someone modifies the kernel specially to spy on you such that it is very hard to detect.

  • Then, if a keylogger is running, its process(es) will be visible. All you need to do is use ps -aux, or htop to look at the list of all running processes and figure out if anything is suspicious.

    • The most common "legitimate" Linux keyloggers are lkl, uberkey, THC-vlogger, PyKeylogger, logkeys. logkeys is the only one available in the Ubuntu repositories.

Did I accidentally download a trojan/virus keylogger?

  • Usually this risk is very minimal on Ubuntu/Linux because of the privileges (su) required.
  • You can try using a "rootkit" detector as Mitch noted in his answer.
  • Otherwise, it comes down to forensic analysis, such as tracing/debugging processes, looking at file modifications/timestamps between boots, sniffing network activity, etc.

What if I'm on an "untrusted" Ubuntu system?

So what if you're in an internet/cybercafe, at the library, at work, etc.? Or even a home computer used by many family members?

Well, all bets are off in that case. It's fairly easy to spy on your keystrokes if someone has enough skill/money/determination:

  • Those kernel-modifying hidden keyloggers that are so nearly impossible to introduce into someone else's system are much easier to introduce when you're the administrator of a public computer lab and are putting them on your own systems.
  • There are hardware USB or PS/2 keyloggers that sit between the keyboard and the computer, logging each keystroke into built-in memory; they can be hidden inside the keyboard, or even inside the computer case.
  • Cameras can be positioned so that your keystrokes are visible or can be figured out.
  • If all else fails, a police state can always send their goons after you to force you to tell them what you were typing at gunpoint :/

So, the best you can do with an untrusted system is to take your own Live-CD/Live-USB and use that, take your own wireless keyboard and plug it into a usb port other than the one the system's own keyboard is on (eliminating hardware loggers both hidden in the keyboard, and ones on that port hidden in the computer, in hopes they didn't use a hardware logger for each port on the entire system), learn to spot cameras (including likely spots for hidden ones), and if you're in a police state, finish what you're doing and be somewhere else in less time than the response time of the local police.
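The process check described in this answer, as an added example that is not part of the original post: it scans /proc for the keylogger names listed above and, going beyond the answer, also lists every process holding a /dev/input/event* device open (the non-X route mentioned in the comments). The function name, the proc_root parameter and the substring matching are assumptions of this sketch.

```python
import os
import sys

# Names from the answer above ("vlogger" stands for THC-vlogger). Matching them
# as case-insensitive substrings of argv basenames is this example's assumption.
KNOWN_KEYLOGGERS = ("lkl", "uberkey", "vlogger", "pykeylogger", "logkeys")


def scan(proc_root="/proc"):
    """Return (name_hits, input_readers) found under a /proc-style tree."""
    name_hits, input_readers = [], []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv = fh.read().decode(errors="replace").split("\0")
        except OSError:
            continue  # process exited while we were scanning
        cmd = " ".join(a for a in argv if a)
        words = [os.path.basename(a).lower() for a in argv if a]
        if any(k in w for k in KNOWN_KEYLOGGERS for w in words):
            name_hits.append((int(pid), cmd))
        try:
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:
            continue  # without root, other users' fd tables are unreadable
        for fd in fds:
            try:
                target = os.readlink(os.path.join(base, "fd", fd))
            except OSError:
                continue  # descriptor closed in the meantime
            if target.startswith("/dev/input/event"):
                input_readers.append((int(pid), cmd, target))
    return name_hits, input_readers


if __name__ == "__main__":
    hits, readers = scan()
    for pid, cmd in hits:
        print(f"known keylogger name: pid {pid}: {cmd}")
    # Legitimate readers (e.g. the display server) show up here too;
    # anything you cannot account for deserves a closer look.
    for pid, cmd, dev in readers:
        print(f"holds {dev}: pid {pid}: {cmd or '[no cmdline]'}")
    if os.geteuid() != 0:
        print("note: run as root to see every process's open files", file=sys.stderr)
```

A program that reads keys through the X session opens no event device, so it will not appear in the second list, and neither check sees a logger hidden in the kernel.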

Solution 2

I just want to throw in something that I did not know existed on Linux: Secure Text Input.

On xterm, Ctrl+click -> "Secure Keyboard". This makes a request to isolate xterm keystrokes from other x11 apps. This doesn't prevent kernel loggers, but is just one level of protection.

Solution 3

Yes, Ubuntu can have a key-logger. It's far-fetched, but it can happen. It can be exploited via a browser and an attacker can run code with your user privileges. It can use auto-start services which run programs on login. Any program can get scan codes of pressed keys in X Window System. It is easily demonstrated with the xinput command. See GUI isolation for more details. [1]

Linux key loggers need to have root access before they can monitor the keyboard. Unless they gain that privilege, they can't run a key logger. The only thing that you can do is check for rootkits. To do that you can use CHKROOTKIT.

[1] Source: superuser.com

Solution 4

Linux keyloggers can be made from languages that are compatible with the system and would require the use of local file storage to record this data and, if programmed to do so, if you do have a keylogger that was manually programmed or downloaded to work with this operating system then it may actually be a file, possibly renamed to look like a system file, anywhere on the system.

Last time I created/had a keylogger on my system this was the situation and it was easy to detect and remove but it included manually finding the source and this took a little time.

If you do have a keylogger of this type, I'd attempt to find and remove it but if it is indeed something that was downloaded or installed I'd consider this highly unlikely as Linux is a secure operating system that is usually not suspect to forms of viruses you would normally find on Windows systems.

Author by

Tissuebox

Updated on September 18, 2022

Comments

  • Tissuebox (over 1 year)
    How could I know if there's a keylogger in my system, or at least if one is active right now?
  • Tissuebox (almost 12 years)
    My question was more oriented towards your last point. The three examples you mentioned are actually not related to the system, so using a live CD wouldn't help. I am just talking about the system itself, not cameras or other hardware stuff. How can I know if there's a hook on my system that logs my keys?
  • guntbert (over 10 years)
    I am a little confused: "Any program can get scan codes of pressed keys in X Window System." vs. "linux key loggers needs to have a root access before they can monitor the keyboard." Isn't that a contradiction?
  • Rinzwind (over 10 years)
    And just to be picky: there are keyloggers in the repos since there are valid use cases for one to be present (see packages.ubuntu.com/raring/logkeys ) so it is not far fetched ;-)
  • shivams (about 9 years)
    Your answer is the only one that gave me some new insight. I never knew xterm has this possibility.
  • Curt (almost 7 years)
    Who has reviewed the source code for all of the chkrootkit C programs, especially the script “chkrootkit”, to ensure that they aren’t infecting our computers with rootkits or key loggers?
  • L29Ah (over 5 years)
    @guntbert If X is running, by default any software that can access the X session can log keys, otherwise you need to have the permissions to access the linux event device directly (that only root has on some configurations).