[clug] Security Forensic Audit

[Steve Walsh]

Hi Folks

I have a client site with a RHEL box that was recently attacked and 
compromised. The box had all required security updates applied, and was 
adminstered as per RHEL guides.  The instance itself is a vmware ESX 
file, so this makes it easy for the forensic inspection that is to follow.

I know this will, of course, start a side thread on how $Distro is 
better than RHEL, and how bad rpm based distro's are, but at this point 
I'm not interested in that discussion. What I am interested in is the 
vector that was taken, as the box is behind a Cisco ACL and a Firewall, 
with only http and https ports open to the outside world. This limits 
the possibilities of attack, but also opens other possiblities (ie - was 
the system attacked from a compromised system inside the network, or was 
the vector webbased).

The client is happy to offer the vm to anyone who might be undertaking a 
security related qualification as a means to research the actual 
compromise, or is actively developing a computer forensic package, and 
would like a system to provide a benchmark against.

Please understand, I am not requesting quotes or offering paid work, but 
if someone would like the chance to work on a box that was  compromised 
via an unknown (at this point) vector in an effort to further their own 
knowledge or a suitable tool or package, please contact me off list for 
more information.

The only restriction the client has placed on the work is that as the 
instance contains both the external and Intranet websites with 
associated corporate documentation, that a NDA is required with regards 
to the website files and documents.

If you feel this email is Offtopic for list, then I apologise for the 
intrusion, and please flame me off list rather than clog up people's 
inboxes.
 
Regards

Steve