hey,
Keyloggers come in all shapes and sizes. Your keylogger may be a kernel
module which means it will not obviously show up in a ps, and doing an
lsmod is no guarantee you'll find it either (it's quite trivial for a
module to unlink itself from the modules list).
The keylogger may also work using shared library redirection, which means
there will never be a separate program running, just the LD_PRELOAD env
variable set to some evil library.
However, the previous two methods are usually used for tty snooping. X
Keyloggers are usually (not always) implemented as separate programs.
However, there may be a kernel module present which hides the process, so
a clean ps listing is again no guarantee.
So, you can't really be sure :). But then, you're unlikely to have a
keylogger running, unless your account or root on your machine was
compromised. Why do you think that you have a keylogger running
anyway?
--ayan
On Sat, 19 Mar 2005, Deepan Chakravarthy N wrote:
hello..
1) how do I find if some key loggers are running in my system.. one
would say use top or ps command. but what if my keylogger has been
renamed to some other program which is a system program..
so I can't identify from names listed in top.
2) is there a way to hide programs from getting listed in top or ps command..
I use Fedora Core 3...
thanks....
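
Added example, not part of either message above: two read-only checks for the hiding methods the reply names, an LD_PRELOAD value in a process's environment and a module that is loaded but missing from the list lsmod prints. The function names and the `initstate` heuristic are assumptions of this sketch; the paths are the standard Linux /proc and /sys locations.

```python
"""Added example: read-only checks for LD_PRELOAD use and unlisted modules."""
import os

def preload_of(environ_blob):
    """Return the LD_PRELOAD value from a NUL-separated environ blob, or None."""
    for entry in environ_blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name == b"LD_PRELOAD" and value:
            return value.decode(errors="replace")
    return None

def scan_preload(proc_root="/proc"):
    """Map pid -> LD_PRELOAD value for each process whose environ is readable."""
    hits = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                value = preload_of(fh.read())
        except OSError:  # process exited, or not ours and we are not root
            continue
        if value:
            hits[int(name)] = value
    return hits

def unlisted_modules(proc_modules="/proc/modules", sys_module="/sys/module"):
    """Loaded modules visible in sysfs but missing from the list lsmod reads."""
    with open(proc_modules) as fh:
        listed = {line.split()[0] for line in fh if line.strip()}
    found = set()
    for name in os.listdir(sys_module):
        # Assumption: only loadable modules carry an initstate file;
        # built-in ones appear in sysfs without it.
        if os.path.exists(os.path.join(sys_module, name, "initstate")):
            found.add(name)
    return sorted(found - listed)

if __name__ == "__main__":
    for pid, lib in sorted(scan_preload().items()):
        print(f"pid {pid}: LD_PRELOAD={lib}")
    for mod in unlisted_modules():
        print(f"module {mod}: in /sys/module but not in /proc/modules")
```

Run it as root so every process's environ is readable. Empty output is not proof of a clean system, since a kernel module that hides a process can also alter what /proc and /sys return.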