# Keylogger in current FreeBSD 10.0-RELEASE USB image?



## beckerwilliams (May 1, 2014)

I was preparing to install the 10.0-RELEASE image from a USB key today. After boot up, I selected 'shell' in order to wipe the drive to which I'm installing using `dd if=/dev/zero ...` etc. It came back immediately, which was surprising. I looked at `/var/log/messages` and saw my keystrokes in the file. I then did a test as follows:

The pound (#) is the root prompt after selecting 'SHELL' from the installer. I typed in 'what is here in the log now' and then tailed the log, to wit:

```
# what is here in the log now?
what: is: No such file or directory
what: here: No such file or directory
what: in: No such file or directory
what: the: No such file or directory
what: log: No such file or directory
what: now?: No such file or directory
# tail /var/log/messages
May  1 15:25:50  kernel: o
May  1 15:25:50  kernel: g
May  1 15:25:51  kernel: n
May  1 15:25:51  kernel: o
May  1 15:25:51  kernel: w
May  1 15:25:52  kernel: ?
May  1 15:25:53  kernel: 
May  1 15:25:54  kernel: what is here in the log now?
ls
May  1 15:25:55  kerneltail /var/log/messages
#
```

Every keystroke typed, including /r, and then the complete line typed show up as individual log messages. Is this intended? Or do we have a problem, Houston?

Cheers!

~r


----------



## kpa (May 1, 2014)

No, the system tries to execute what you're typing at the prompt. If you type something nonsensical at the prompt the system will fail to execute anything and will log the failure in the system log. It's that simple. If you're wondering why the logging is on (it's not like that on the installed system at all) think for a moment: what good is logging for on a system meant to be used for installing an operating system?


----------



## beckerwilliams (May 1, 2014)

Thanks @kpa, that makes sense, but it logs all I/O. If I cat the whole log file I see the ASCII screens, every keystroke, even for sensical commands. For example, I typed `mount -o rw /dev/ada0p2 /mnt` - each keystroke was its own entry, and then the entire command printed out as its own line. And it was successful mounting the partition.

I can see how it'd be useful for installation - I was just surprised by the behavior. I'm paranoid by nature and profession.

Cheers!

~r


----------

