[Linux-aus] Security Forensic Audit
Steve Walsh
steve at nerdvana.org.au
Wed Apr 11 00:41:57 UTC 2007
Hi Folks
I have a client site with a RHEL box that was recently attacked and
compromised. The box had all required security updates applied, and was
administered as per RHEL guides. The instance itself is a VMware ESX
file, so this makes it easy for the forensic inspection that is to follow.
I know this will, of course, start a side thread on how $Distro is
better than RHEL, and how bad rpm based distros are, but at this point
I'm not interested in that discussion. What I am interested in is the
vector that was taken, as the box is behind a Cisco ACL and a Firewall,
with only http and https ports open to the outside world. This limits
the possibilities of attack, but also opens other possibilities (i.e. was
the system attacked from a compromised system inside the network, or was
the vector web-based).
The client is happy to offer the vm to anyone who might be undertaking a
security related qualification as a means to research the actual
compromise, or is actively developing a computer forensic package, and
would like a system to provide a benchmark against.
Please understand, I am not requesting quotes or offering paid work, but
if someone would like the chance to work on a box that was compromised
via an unknown (at this point) vector in an effort to further their own
knowledge or a suitable tool or package, please contact me off list for
more information.
The only restriction the client has placed on the work is that as the
instance contains both the external and Intranet websites with
associated corporate documentation, an NDA is required with regards
to the website files and documents.
If you feel this email is off-topic for the list, then I apologise for the
intrusion, and please flame me off list rather than clog up people's
inboxes.
Regards
Steve