On Sun, 2008-05-18 at 13:52 +0800, Lawrence Sheed wrote:
It would be helpful to have some more information, such as:
If I run dovecot for a while, I see a /var/run/dotvecot folder created
with the following:
drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot ..
I've tried removing any dovecot remnants and reinstalling from the
1.0.13 tar.gz from the site. After starting dovecot again, after a few minutes the files appear.
Even if you change base_dir back to /var/run/dovecot? What if you unplug the network, does it still come back too?
The processes are running something on 6243 and 6244
netstat -ln doesn't show them? That would mean the attacker gained root access, which is very unlikely to have happened directly through Dovecot (but getting non-root via Dovecot -> root via some other exploit is possible of course).
passdb vpopmail {
  #args =
}
vpopmail would be one possibility, I have some doubts about its security.