How can I detect a keylogger on my system?

Is a keylogger running right now?

  • First, we'll assume you're using a stock Ubuntu system that X installed and that has always been under X's control -- where X is yourself or someone you absolutely trust.

  • Since this is a stock system and all software has been installed from the official repositories, you can be certain that there is no hidden keylogger in there, e.g. someone modifies the kernel specially to spy on you such that it is very hard to detect.

  • Then, if a keylogger is running, its process(es) will be visible. All you need to do is use ps -aux, or htop to look at the list of all running processes and figure out if anything is suspicious.

    • The most common "legitimate" Linux keyloggers are lkl, uberkey, THC-vlogger, PyKeylogger, logkeys. logkeys is the only one available in the Ubuntu repositories.

Did I accidentally download a trojan/virus keylogger?

  • Usually this risk is very minimal on Ubuntu/Linux because of the privileges (su) required.
  • You can try using a "rootkit" detector as Mitch noted in his answer.
  • Otherwise, it comes down to forensic analysis, such as tracing/debugging processes, looking at file modifications/timestamps between boots, sniffing network activity, etc.

What if I'm on an "untrusted" Ubuntu system?

So what if you're in an internet/cybercafe, at the library, at work, etc.? Or even a home computer used by many family members?

Well, all bets are off in that case. It's fairly easy to spy on your keystrokes if someone has enough skill/money/determination:

  • Those kernel-modifying hidden keyloggers that are so nearly impossible to introduce into someone else's system are much easier to introduce when you're the administrator of a public computer lab and are putting them on your own systems.
  • There are hardware USB or PS/2 keyloggers that sit between the keyboard and the computer, logging each keystroke into built-in memory; they can be hidden inside the keyboard, or even inside the computer case.
  • Cameras can be positioned so that your keystrokes are visible or can be figured out.
  • If all else fails, a police state can always send their goons after you to force you to tell them what you were typing at gunpoint :/

So, the best you can do with an untrusted system is to take your own Live-CD/Live-USB and use that, take your own wireless keyboard and plug it into a usb port other than the one the system's own keyboard is on (eliminating hardware loggers both hidden in the keyboard, and ones on that port hidden in the computer, in hopes they didn't use a hardware logger for each port on the entire system), learn to spot cameras (including likely spots for hidden ones), and if you're in a police state, finish what you're doing and be somewhere else in less time than the response time of the local police.


I just want to throw in something that I did not know existed on Linux: Secure Text Input.

On xterm, Ctrl+click -> "Secure Keyboard". This makes a request to isolate xterm keystrokes from other x11 apps. This doesn't prevent kernel loggers, but is just one level of protection.


Yes, Ubuntu can have a key-logger. Its far fetched, but it can happen. It can be exploited via a browser and an attacker can run code with your user privileges. It can use auto-start services which run programs on login. Any program can get scan codes of pressed keys in X Window System. It is easily demonstrated with xinput command. See GUI isolation for more details.1

linux key loggers needs to have a root access before they can monitor the keyboard. unless they don't gain that privilege they can't run a key logger. The only thing that you can do is check for rootkits. To do that you can use CHKROOTKIT

1Source:superuser.com