On Sun, May 18, 2008 at 10:19 AM, Lawrence Sheed <Lawrence@computersolutions.cn> wrote:
Typically, before I kill a system that's been compromised, I try to find out the reason, so it DOESN'T happen again.
In this instance I have 2 systems with exactly the same "issue".
Both were running smoothly until about last week, then load spikes were observed.
In both systems, the attacker has changed the dovecot.conf to point at dotvecot. I'm guessing around the 13th, as that's when the /var/run/dovecot folder was updated.
I'll do the rest offlist.
Andraz, thank you. Washington, you're an asshole.
I agree, but ..... It's made you come up with more details to make someone start thinking. Now you are heading towards Timo's cash offer to anyone who can discover and point out a security hole in dovecot, but you are a little far away still. We are all interested in what you find out ultimately, and I'll stop being an asshole now, so please share with us everything. As I told you, I run the same version of dovecot as you on over 20 servers. They are all FreeBSD and configured the same in all aspects except domain names/IP addresses. Your discovery could help me and others as well.
-- Best regards, Odhiambo WASHINGTON, Nairobi, KE +254733744121/+254722743223
"Oh My God! They killed init! You Bastards!" --from a /. post
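A small triage helper for the two observations in the quoted message (an executable setting in dovecot.conf redirected to a lookalike binary, and a directory's modification time used to date the change), written as an added example; it is not code from this thread or from the Dovecot project. It assumes the Dovecot 1.x setting names ending in _executable (login_executable, mail_executable, auth_executable) and the stock program names listed in the script; the sample config, the /var/tmp/dotvecot path and the temporary directory are constructed for the demonstration and do not come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project): flag Dovecot 1.x
# *_executable settings that no longer point into the expected libexec
# directory, and list recently modified files to narrow the intrusion window.

# suspect_executables CONF EXPECTED_DIR
# Prints "setting=path reason" for each *_executable setting in CONF whose
# program lives outside EXPECTED_DIR or whose basename is not a stock
# Dovecot 1.x program. Prints nothing when the config looks clean.
# The enclosing "protocol imap { ... }" block is not tracked, only the key.
suspect_executables() {
    conf="$1"
    expected_dir="${2%/}"   # tolerate a trailing slash
    # Setting lines look like "login_executable = /usr/libexec/dovecot/imap-login",
    # possibly indented inside a protocol block.
    sed -n 's/^[[:space:]]*\([a-z0-9_]*_executable\)[[:space:]]*=[[:space:]]*\(.*\)$/\1 \2/p' "$conf" |
    while read -r key val; do
        path="${val%% *}"          # drop any arguments after the path
        dir="${path%/*}"
        base="${path##*/}"
        case "$base" in
            imap|imap-login|pop3|pop3-login|dovecot-auth) known=1 ;;
            *) known=0 ;;
        esac
        if [ "$dir" != "$expected_dir" ]; then
            printf '%s=%s outside %s\n' "$key" "$path" "$expected_dir"
        elif [ "$known" -eq 0 ]; then
            printf '%s=%s unknown program name\n' "$key" "$path"
        fi
    done
}

# count_suspect CONF EXPECTED_DIR -> number of suspect settings
count_suspect() {
    suspect_executables "$1" "$2" | wc -l | tr -d ' '
}

# list_recent DIR DAYS -> regular files under DIR modified within DAYS days,
# the same kind of check as dating a change by /var/run/dovecot's mtime.
list_recent() {
    find "$1" -type f -mtime -"$2"
}

# Constructed sample config (assumed layout, not a real one from the thread):
# the pop3 login binary has been redirected to a lookalike outside libexec.
SAMPLE_CONF="${TMPDIR:-/tmp}/dovecot-triage-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
protocols = imap pop3
base_dir = /var/run/dovecot/
protocol imap {
  login_executable = /usr/libexec/dovecot/imap-login
  mail_executable = /usr/libexec/dovecot/imap
}
protocol pop3 {
  login_executable = /var/tmp/dotvecot
  mail_executable = /usr/libexec/dovecot/pop3
}
auth_executable = /usr/libexec/dovecot/dovecot-auth
EOF

# Constructed directory with one freshly written file, standing in for a
# runtime directory whose contents were touched during the intrusion.
SAMPLE_DIR=$(mktemp -d)
: > "$SAMPLE_DIR/touched"

# Running stand-alone prints the one redirected setting:
#   login_executable=/var/tmp/dotvecot outside /usr/libexec/dovecot
suspect_executables "$SAMPLE_CONF" /usr/libexec/dovecot
list_recent "$SAMPLE_DIR" 1
```

On a live box, point the first function at the real dovecot.conf and the directory the package installed its binaries into, and the second at directories such as /var/run/dovecot with a day count covering the window when the load spikes began; anything the config references outside that directory, or any file newer than the last legitimate change, is what to pull for analysis before the system is rebuilt.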