# How to detect a keylogger

## whitethorn

Hi,

I've just been told by my boss that they think someone might have installed a keylogger on our internal network.  I'm supposed to look and see if I can find anything, and if I find anything, remove it.  Unfortunately I'm not quite sure how to look for one of these things.  I've been doing some googling and found a ton of threads of people looking for keyloggers and one about a guy trying to circumvent one.  I also found out that the only really good software keyloggers use evdev.  Is there a way to check and see if there's something recording or decoding the output from it?  We have two computers with a fixed IP for external access (ssh); if I find anything it would probably be on one of them.  Luckily root logins are not allowed.

----------

## krinn

The main purpose of a keylogger is: log the keys pressed and transmit that info so you can see what was pressed.

So I suppose even if I have no idea how to find the keylogger, I could just watch and look for the "transmit info" phase. You "may force" it to transmit by pushing keys many times (I suppose a keylogger transmits a buffer and not key by key).

Wireshark is your friend.

*whitethorn wrote:*

> luckily root logins are not allowed.

Yeah, and are you lucky enough to have no users in the wheel group?

----------

## d2_racing

In fact, plug Wireshark into a switch mirror port or into a hub and you will see all the traffic.

----------

