On Thu, May 25, 2000 at 12:06:12AM -0500, Dave Sherohman wrote:
> Jim McCloskey said:
> > When I upgraded from slink to frozen, though, I acquired a whole new
> > directory full---/var/log/keysmoops. And it's growing frighteningly
> > fast (doesn't seem to be under the control of the log rotation
> > system).
> >
> > I can't understand the information that's in these files and I haven't
> > been able to find any documentation that would tell me what this log
> > is for. I read debian-user regularly and I've searched the archives,
> > and I'm still none the wiser.
>
> Given that the directory isn't being rotated, is constantly growing,
> neither "keysmoop" nor "keysmoops" returns any hits on Google, and that
> "smoop" looks suspiciously like "snoop"...
>
Shouldn't it be /var/log/ksymoops? And doesn't it have a bunch of files
that look like YYYYMMDDhhmmss.ksyms (and *.modules)? Apparently a listing
of all of the kernel symbols (i.e. function calls) made by whatever user(s)
using the system at the time. Look at oops-tracing.txt in the Linux kernel
source documentation. Guess it's handled by klogd/syslogd. Good if you want
to file a bug report to kernel developers!

> I'm inclined to suspect that your system has been invaded and a bogus log
> (possibly recording all keystrokes entered, judging by the name) has been
> initiated.

Yes, if that's a typo above.

> The first thing I would do (after physically disconnecting all networks) is
> `lsof | grep keysmoops` to see if any processes have the file open. If it's
> a legit log, it should be opened by syslogd (or maybe klogd). If any other
> process has it open, that process should probably be kill -9'd. (Note that
> you'll have to be root to do any of this.)
>
> If it is opened by syslogd/klogd, take a look in /etc/syslog.conf to see
> who's writing to it. For instance, the line
> lpr.* -/var/log/lpr.log
> tells me that lpr.log is fed by messages from lpr. If /var/log/keysmoops is
> getting data from a source that looks even vaguely suspicious, that source
> should be eliminated.
>
> If it looks like your system has been compromised, you must get rid of the
> affected files. Unfortunately, it's very difficult to determine after the
> fact which files have been affected; the only way to ensure that all of them
> have been removed is to wipe the disk and reinstall from trusted sources.
>
> (OTOH, "keysmoops" could be legit. But, barring any other Debianites telling
> us where it comes from and what it does, I find it extremely unlikely.)

-- 
One should only use the ASCII characterset when composing email messages.
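The two checks in the quoted advice (which processes hold the log open, and which /etc/syslog.conf selector feeds it) as an added shell example; this is not code from the thread or from Debian. It assumes the classic sysklogd "selector<whitespace>action" config format and that lsof is installed; the function names and the sample syslog.conf are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Automates the two checks the
# quoted reply describes for a log file of unknown origin: which syslog.conf
# selectors route into it, and which processes currently have it open.
# Assumes sysklogd-style /etc/syslog.conf and (for the lsof step) lsof.

# Print the selector field (e.g. "lpr.*") of every uncommented syslog.conf
# line whose action is the given path. A leading "-" on the action only
# disables fsync after each write, so it is stripped before comparing.
#   $1 = log file path   $2 = config file (default /etc/syslog.conf)
syslog_sources() {
    awk -v p="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        NF >= 2 {
            action = $NF
            sub(/^-/, "", action)
            if (action == p) print $1     # selector contains no whitespace
        }' "${2:-/etc/syslog.conf}"
}

# Exit 0 if at least one syslog.conf line routes into the file, 1 otherwise.
# A file under /var/log that no selector feeds, yet keeps growing, is the
# case the reply flags: something other than syslogd is writing it.
is_syslog_target() {
    [ -n "$(syslog_sources "$1" "$2")" ]
}

# Processes holding the file open right now (needs root to see other users'
# processes). "lsof -F pc" prints one "p<pid>" line then one "c<command>" line
# per open file descriptor.
processes_holding() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 2; }
    lsof -F pc "$1" 2>/dev/null | awk '
        /^p/ { pid = substr($0, 2) }
        /^c/ { printf "%s %s\n", pid, substr($0, 2) }'
}

# Constructed sample config for a stand-alone run (not any real system's file).
sample_conf() {
    cat <<'EOF'
# /etc/syslog.conf sample (constructed for this example)
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
EOF
}

# Usage: check_log /var/log/keysmoops/<file> [syslog.conf]
check_log() {
    echo "== $1"
    echo "-- syslog.conf selectors writing here:"
    syslog_sources "$1" "$2"
    is_syslog_target "$1" "$2" || echo "   (none: syslogd is not configured to write this file)"
    echo "-- processes with the file open:"
    processes_holding "$1"
}

# Demo against the constructed config: one legitimate log, one unknown file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_conf > "$tmp"
    check_log /var/log/lpr.log "$tmp"
    check_log /var/log/keysmoops/20000525.log "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh check_log.sh --demo` to see the constructed case, or call `check_log /var/log/<file>` as root against the live /etc/syslog.conf. The interesting outcome is the combination the reply describes: a file that is open but that no selector routes into, or one fed by a selector such as `*.*` pointing at a path nobody configured.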