[Dovecot] Security Hole in 1.0.13?

Lawrence Sheed Lawrence at computersolutions.cn
Sun May 18 11:18:50 EEST 2008


I am running Debian on both servers, but updated both the keys and the  
ssh server as I saw it on Slashdot.

(A few days ago).

The intrusion seems to be around the 13th.
They changed the dovecot configuration (as noted).

If I turn off the iptables firewalling, I see that
ports 6244 and 6243 have something running on them when I check from a
non-compromised server.
An nmap from the compromised server (including those ports in the
scan) showed nothing.

rkhunter showed nothing untoward.

Other relevant details.

I'm running /tmp as noexec and nosuid.
Unused ports are firewalled (which is probably what saved me from
being horribly compromised).
Certain files are root only
(I have a daily script which does)
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp

This usually stops script kiddies.

Also have fail2ban running for ssh and ftp dictionary attacks.

I saw a couple of strange things in the imap logs related to ssh*-dist  
(can't remember the exact wording, and those logs are gone  
unfortunately)

I run 5 servers with similar setups - although some are running 1.0.9
(which I've upgraded to 1.0.13 on all), although I'm running
courier-imap on them for the moment just to be sure.

2 out of 5 had the /var/run/dotvecot folder appear around the 13th.
I hadn't made any changes to dovecot other than updates as new  
releases come out.

I'm not sure if the dict line in the dovecot.conf was there before.  
It's not on most of the setups, but appears in both of the affected  
ones.

I'm going to reinstall one of the affected servers, but can leave the  
second running for a little while.

Any other thoughts (positive ones), or things you'd like me to post?



On May 18, 2008, at 4:02 PM, Andraž 'ruskie' Levstik wrote:

> Are you perhaps running a debian host with compromised keys(see recent
> debian+ssl issues)?
>
> --
> Andraž "ruskie" Levstik
> Source Mage GNU/Linux Games grimoire guru
> Geek/Hacker/Tinker
>
> Be sure brain is in gear before engaging mouth.
> Ryle hira.
>
> Key id = F4C1F89C
> Key fingerprint = 6FF2 8F20 4C9D DB36 B5B6  F134 884D 72CC F4C1 F89C
>
>

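The symptom above (ports reachable from a clean host but invisible to nmap and rkhunter on the box itself) is the classic sign of a listener being hidden from the local kernel view. The following is an added example, not code from the thread or from Dovecot: it parses the kernel's own socket table (/proc/net/tcp) and reports externally observed ports that have no LISTEN entry locally. The /proc/net/tcp excerpt and the external scan result are constructed to mirror the post.

```python
# Added example: compare LISTEN sockets in /proc/net/tcp with ports seen
# from an external scan. Anything open from outside but absent here is
# worth treating as hidden rather than as a scan artefact.
import os

# Constructed /proc/net/tcp excerpt: sshd (0x16 = 22) and imap (0x8F = 143)
# listen on all interfaces, smtp (0x19 = 25) on 127.0.0.1 only. The ports
# from the post, 6243 (0x1863) and 6244 (0x1864), are deliberately absent.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:008F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
"""

LISTEN_STATE = "0A"  # st column value for TCP_LISTEN


def local_listeners(proc_net_tcp_text):
    """Return {port: local_ip_hex} for every socket in LISTEN state."""
    listeners = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state != LISTEN_STATE:
            continue
        ip_hex, port_hex = local_addr.split(":")
        listeners[int(port_hex, 16)] = ip_hex  # port is big-endian hex
    return listeners


def hidden_ports(externally_open, proc_net_tcp_text):
    """Ports open from outside that the local kernel table does not show."""
    local = local_listeners(proc_net_tcp_text)
    return sorted(p for p in externally_open if p not in local)


def main():
    # Constructed result of a scan run from a non-compromised host.
    seen_from_outside = {22, 143, 6243, 6244}
    table = SAMPLE_PROC_NET_TCP
    if os.path.exists("/proc/net/tcp"):  # use the live table when on Linux
        with open("/proc/net/tcp") as f:
            table = f.read()
    for port in hidden_ports(seen_from_outside, table):
        print("port %d reachable externally but not in /proc/net/tcp" % port)


if __name__ == "__main__":
    main()
```

On a real host, feed the port list from the external nmap run; a non-empty result means the local view is not trustworthy and the box should be examined from outside (or offline) rather than with its own tools.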