# Keyloggers on Linux? [False alarm]

## Raniz

I've got a pretty peculiar issue.

My friend is running World of Warcraft under Linux on his computer and today he got hacked - twice. First time they reset his password and changed the secret question/answer and then he's been playing the entire day.

A few minutes ago he got kicked out of his account and they had hacked him again.

It really looks like they've got a keylogger on him but I can't spot any suspicious processes on his computer and that's about as far as my ability to track this down goes, so I need help.

I (we) would appreciate any help with tracking this down, just tell me what logs/command outputs to post and I'll do it.

Grateful for any help!

----------

## haarp

It's more likely he fell for an account scam with a fake Blizzard site. I get 3 of these in the mail - daily :Evil or Very Mad:

----------

## Raniz

Nope, he's not that stupid :Smile:

We found out the cause and it's no keyloggers... They had hacked his mail-account (and he had a pretty low-strength password) so they were able to get password-reset emails and reset his password.

----------

## phajdan.jr

*Raniz wrote:*

> It really looks like they've got a keylogger on him but I can't spot any suspicious processes on his computer and that's about as far as my ability to track this down goes, so I need help.

Nice to see it solved. Just a few notes for the future. It's not necessary to create a rogue process for a keylogger. With root access, the attacker could have inserted a kernel module. Also, he could have installed a rootkit to hide his processes, modules, files, network connections, etc.

By the way, yeah, the moral of the story is that people underestimate the importance of their primary e-mail account. :Wink:

----------
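Added example, not part of any post in this thread: a cross-view check for the kernel-module case phajdan.jr mentions, where nothing shows up in the process list. It compares the names in `/proc/modules` with the `/sys/module` entries that carry an `initstate` file (loadable modules) and reports any mismatch. The sample data and the module name `example_hidden` are constructed for illustration.

```python
import os
import tempfile

# Constructed sample in /proc/modules format: name size refcount deps state address
SAMPLE_PROC_MODULES = """\
snd_hda_intel 57344 3 - Live 0x0000000000000000
e1000e 286720 0 - Live 0x0000000000000000
usbhid 65536 0 - Live 0x0000000000000000
"""
# Constructed /sys/module layout: name -> does the directory hold an 'initstate' file?
SAMPLE_SYSFS = {"snd_hda_intel": True, "e1000e": True, "usbhid": True,
                "printk": False,          # built-in component: parameters only, no initstate
                "example_hidden": True}   # hypothetical module absent from the list above

def parse_proc_modules(text):
    """Module names from /proc/modules-format text (the name is the first field)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def sysfs_loaded_modules(sys_module_dir):
    """Entries under sys_module_dir with an 'initstate' file, i.e. loadable modules."""
    return {name for name in os.listdir(sys_module_dir)
            if os.path.isfile(os.path.join(sys_module_dir, name, "initstate"))}

def cross_view(proc_text, sys_module_dir):
    """Report module names that appear in only one of the two kernel views."""
    listed = parse_proc_modules(proc_text)
    sysfs = sysfs_loaded_modules(sys_module_dir)
    return {"only_in_sysfs": sorted(sysfs - listed),
            "only_in_proc": sorted(listed - sysfs)}

def run_on_sample():
    """Build the constructed sysfs tree in a temp dir and run the comparison on it."""
    with tempfile.TemporaryDirectory() as root:
        for name, loadable in SAMPLE_SYSFS.items():
            os.makedirs(os.path.join(root, name))
            if loadable:
                with open(os.path.join(root, name, "initstate"), "w") as fh:
                    fh.write("live\n")
        return cross_view(SAMPLE_PROC_MODULES, root)

if __name__ == "__main__":
    print("constructed sample:", run_on_sample())
    if os.path.isfile("/proc/modules") and os.path.isdir("/sys/module"):
        with open("/proc/modules") as fh:
            print("this host:", cross_view(fh.read(), "/sys/module"))
```

An empty result is not proof of a clean system: a rootkit that removes itself from both views passes this check, and a module loaded or unloaded between the two reads can cause a one-off mismatch, so re-run before drawing conclusions.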

