Jim McCloskey said:

> When I upgraded from slink to frozen, though, I acquired a whole new
> directory full---/var/log/keysmoops. And it's growing frighteningly
> fast (doesn't seem to be under the control of the log rotation
> system).
>
> I can't understand the information that's in these files and I haven't
> been able to find any documentation that would tell me what this log
> is for. I read debian-user regularly and I've searched the archives,
> and I'm still none the wiser.
Given that the directory isn't being rotated, is constantly growing, neither "keysmoop" nor "keysmoops" returns any hits on Google, and that "smoop" looks suspiciously like "snoop"... I'm inclined to suspect that your system has been invaded and a bogus log (possibly recording all keystrokes entered, judging by the name) has been initiated.

The first thing I would do (after physically disconnecting all networks) is `lsof | grep keysmoops` to see if any processes have the file open. If it's a legit log, it should be opened by syslogd (or maybe klogd). If any other process has it open, that process should probably be kill -9'd. (Note that you'll have to be root to do any of this.)

If it is opened by syslogd/klogd, take a look in /etc/syslog.conf to see who's writing to it. For instance, the line `lpr.* -/var/log/lpr.log` tells me that lpr.log is fed by messages from lpr. If /var/log/keysmoops is getting data from a source that looks even vaguely suspicious, that source should be eliminated.

If it looks like your system has been compromised, you must get rid of the affected files. Unfortunately, it's very difficult to determine after the fact which files have been affected; the only way to ensure that all of them have been removed is to wipe the disk and reinstall from trusted sources.

(OTOH, "keysmoops" could be legit. But, barring any other Debianites telling us where it comes from and what it does, I find it extremely unlikely.)

--
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
Geek Code 3.1: GCS d- s+: a- C++ UL++$ P+>+++ L++>++++ E- W--(++) N+ o+ !K w---$ O M- !V PS+ PE Y+ PGP t 5++ X+ R++ tv- b++ DI++++ D G e* h+ r++ y+
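The two checks suggested in the reply above (which process holds the file open, and which syslog.conf selector feeds it) as an added, runnable script; this is example code written for this page, not something posted in the thread. It goes a little beyond the reply: it walks `/proc/*/fd` directly so it works where `lsof` is not installed, and it treats rsyslogd and syslog-ng as legitimate openers alongside syslogd/klogd. It assumes a Linux `/proc` and the classic `selector<TAB>action` syslog.conf format; the function names (`openers_of`, `classify_openers`, `syslog_sources_for`, `demo_conf`) and the sample config are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks who has a suspect log
# file open and which syslog.conf selector writes to it.

# Print "PID COMM" for every process holding FILE open, by walking /proc/*/fd
# (an lsof substitute). Pass an absolute path; run as root to see all processes.
openers_of() {
    file="$1"
    for fd in /proc/[0-9]*/fd/*; do
        [ -e "$fd" ] || continue                       # entry vanished mid-walk
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "$file" ]; then
            pid=${fd#/proc/}; pid=${pid%%/*}
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $comm"
        fi
    done | sort -u
}

# Read "PID COMM" lines on stdin and print one word:
#   unopened - nobody has the file open
#   legit    - only known syslog daemons have it open
#   suspect  - some other process has it open (the case the reply warns about)
classify_openers() {
    n=0; bad=0
    while read -r pid comm; do
        [ -n "$pid" ] || continue
        n=$((n + 1))
        case "$comm" in
            syslogd|klogd|rsyslogd|syslog-ng) ;;       # expected log writers
            *) bad=$((bad + 1)) ;;
        esac
    done
    if [ "$n" -eq 0 ]; then echo unopened
    elif [ "$bad" -eq 0 ]; then echo legit
    else echo suspect; fi
}

# Print the selector(s) in CONF (default /etc/syslog.conf) whose action is FILE.
# A leading "-" on the action means "don't fsync", so it is stripped before comparing.
syslog_sources_for() {
    file="$1"; conf="${2:-/etc/syslog.conf}"
    awk -v f="$file" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            action = $NF
            sub(/^-/, "", action)
            if (action == f) print $1
        }' "$conf"
}

# Constructed sample syslog.conf (not a real system's file); prints its path.
demo_conf() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# constructed sample for the demo
auth,authpriv.*         /var/log/auth.log
lpr.*                   -/var/log/lpr.log
local7.*                -/var/log/keysmoops
*.=debug;auth.none      -/var/log/debug
EOF
    echo "$conf"
}

# Stand-alone usage: sh check_log.sh /var/log/keysmoops [/etc/syslog.conf]
if [ -n "${1:-}" ]; then
    log="$1"; cfg="${2:-/etc/syslog.conf}"
    echo "processes holding $log open:"; openers_of "$log"
    echo "verdict: $(openers_of "$log" | classify_openers)"
    echo "syslog.conf selectors feeding $log:"; syslog_sources_for "$log" "$cfg"
fi
```

A "suspect" verdict only tells you an unexpected process has the file open; the reply's advice about what to do with that process, and about reinstalling if the box turns out to be compromised, still applies. Note that a file opened by syslogd can still be fed by a selector nobody recognises, which is why the second check is worth running even when the first one looks clean.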