[cobalt-security] LCAP, was: Forensics on a hacked server
- Subject: [cobalt-security] LCAP, was: Forensics on a hacked server
- From: Parker Morse <morse@xxxxxxxxxxx>
- Date: Wed, 21 May 2003 15:04:46 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Wednesday, May 21, 2003, at 01:13 PM, Michael Stauber wrote:
> LCAP can prevent the loading of malicious kernel modules once someone
> gets in.
Is there anyone on this list who can give me some pointers on getting
LCAP working on our Qube3?
We were compromised in April. Gerald rebuilt the box for us (built the
OS on a new HD, left the old HD intact and usually unmounted on the
second channel - anyone want to examine a few bog-standard rootkits?)
and installed a lot of security tools, including fcheck (which Michael
mentioned) and LCAP among others. (I already had chkrootkit 0.39a
running, which was how I found the kit in the first place.)
However, LCAP has thrown errors from the start. Part of it is "kmod",
which is run by a cron job every ten minutes. (It lives in /etc/cron.d/.)
I got the following error: "rmmod: Operation not permitted." Every ten
minutes. So I took it out of cron.
Where can I find out more about what LCAP does? My Google searches turn
up a lot of places to download the package but no documentation and a
few 404s.
Second, can anyone help me figure out how to get it running again?
Thanks,
pjm
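Added example, not from the post, the LCAP package or Cobalt's tools: a small C diagnostic for the situation described in the message. LCAP works by clearing capability bits from the kernel-wide capability bounding set, which 2.2/2.4 kernels expose as a signed decimal mask in /proc/sys/kernel/cap-bound (default -257, every capability except CAP_SETPCAP, bit 8); once CAP_SYS_MODULE (bit 16) is cleared, every process started afterwards, root included, is refused module loads and unloads, which is why the kmod cron job's rmmod reports "Operation not permitted". The program reproduces that bit arithmetic, reads whichever bounding-set interface the running kernel has (cap-bound on 2.4, prctl(PR_CAPBSET_READ) on 2.6.25 and later), and probes delete_module() with a constructed module name so that EPERM versus ENOENT tells you whether module operations are blocked or merely the module is absent. The probe module name and the errno-to-meaning mapping are this example's own assumptions.

```c
/*
 * lcap_probe.c -- added diagnostic; not part of LCAP or the Cobalt tools
 * discussed in the thread.
 *
 * Assumptions (not stated in the original post):
 *  - Linux 2.2/2.4: the system-wide bounding set is a signed decimal mask
 *    in /proc/sys/kernel/cap-bound; lcap clears bits in it.
 *  - Linux >= 2.6.25: per-process bounding set, read via PR_CAPBSET_READ.
 *  - delete_module() on a module name that cannot exist fails with EPERM
 *    when the caller lacks CAP_SYS_MODULE and with ENOENT when it has it.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#ifndef CAP_SYS_MODULE
#define CAP_SYS_MODULE 16
#endif
#ifndef PR_CAPBSET_READ
#define PR_CAPBSET_READ 23
#endif

/* Is capability `cap` still present in a cap-bound style mask? */
static int capbound_has(long mask, int cap)
{
    return (int)((mask >> cap) & 1L);
}

/* The operation lcap performs: clear one capability bit from the mask. */
static long capbound_drop(long mask, int cap)
{
    return mask & ~(1L << cap);
}

/* What a given errno from the delete_module() probe means for rmmod. */
static const char *module_errno_meaning(int err)
{
    switch (err) {
    case EPERM:  return "blocked: caller lacks CAP_SYS_MODULE (bounding set or non-root)";
    case ENOENT: return "allowed: module ops permitted, probe module simply absent";
    case ENOSYS: return "kernel built without loadable module support";
    default:     return "unexpected error from delete_module()";
    }
}

/* Try to unload a module that cannot exist; return errno (0 if it somehow succeeded). */
static int probe_delete_module(void)
{
    const char *bogus = "lcap_probe_no_such_module_zz";   /* constructed name */
    errno = 0;
    if (syscall(SYS_delete_module, bogus, O_NONBLOCK) == 0)
        return 0;
    return errno;
}

/* Report CAP_SYS_MODULE from whichever bounding-set interface exists. */
static void report_bounding_set(void)
{
    FILE *f = fopen("/proc/sys/kernel/cap-bound", "r");
    if (f) {                                  /* 2.2/2.4 system-wide mask */
        long mask;
        if (fscanf(f, "%ld", &mask) == 1)
            printf("cap-bound mask %ld: CAP_SYS_MODULE %s\n", mask,
                   capbound_has(mask, CAP_SYS_MODULE) ? "present" : "REMOVED");
        fclose(f);
        return;
    }
    int r = prctl(PR_CAPBSET_READ, CAP_SYS_MODULE, 0, 0, 0);   /* 2.6.25+ */
    if (r < 0)
        printf("no bounding-set interface available (%s)\n", strerror(errno));
    else
        printf("per-process bounding set: CAP_SYS_MODULE %s\n",
               r ? "present" : "REMOVED");
}

int main(void)
{
    report_bounding_set();
    int err = probe_delete_module();
    printf("delete_module() probe: %s -> %s\n",
           err ? strerror(err) : "success", module_errno_meaning(err));
    return 0;
}
```

Build with `cc -o lcap_probe lcap_probe.c` and run it as root on the box. If the probe reports EPERM while the bounding set shows CAP_SYS_MODULE removed, the cron job is failing because LCAP did its job, not because LCAP is broken; the choice is then between leaving kmod out of cron, as the poster did, and ordering the boot sequence so that the modules the box needs are loaded before lcap drops CAP_SYS_MODULE.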