I'm running Dovecot 1.0.13.
After dovecot has been running for a while, a /var/run/dotvecot directory appears
containing the following:
drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot
drwxr-xr-x 3 root root 4096 2008-05-18 13:47 .
drwxr-xr-x 18 root root 4096 2008-05-18 13:47 ..
srw------- 1 root root 0 2008-05-18 13:47 auth-worker.15138
srwxrwxrwx 1 root root 0 2008-05-18 13:47 dict-server
drwxr-x--- 2 root dovecot 4096 2008-05-18 13:47 login
-rw------- 1 root root 6 2008-05-18 13:47 master.pid
It appears to be created by imap-login. (Note that /var/run/dotvecot is exactly the directory configured as base_dir in the dovecot.conf below, and the auth-worker socket, dict-server socket, login directory and master.pid are the runtime files Dovecot keeps in its base_dir — so their presence alone is not evidence of a compromise.)
I've tried removing any dovecot remnants and reinstalling from the
1.0.13 tar.gz from the site.
After starting dovecot again, the files reappear within a few minutes.
Some processes are listening on ports 6243 and 6244, which I presume is a backdoor / login shell — I have not yet confirmed what they are (something like `netstat -tlnp` or `lsof -i :6243` would identify the owning binary and its path, which is the first thing to check before concluding it is an exploit).
I have iptables set up to allow only the expected ports in and out, so I think
that has limited the damage so far.
I've switched to courier-imap in the interim.
Anyone want to assist in finding out how they are getting in?
It is certainly correlated with dovecot: with dovecot stopped the box seems clean; a few
minutes after starting it the files appear and it looks rooted. (Since the directory in
question is dovecot's own base_dir, the evidence of an actual root compromise has to come
from the unknown listeners on 6243/6244, not from these files.)
dovecot.conf
cat /etc/dovecot/dovecot.conf
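# Dovecot 1.0.13 configuration as pasted from /etc/dovecot/dovecot.conf.
# The paste had several directives joined onto single lines and two
# trailing comments wrapped onto the next line; they are restored here one
# directive per line so that commented-out options no longer swallow the
# directives and closing braces that followed them.

# Runtime directory for Dovecot's sockets and master pid file. This is the
# /var/run/dotvecot directory from the report above: auth-worker.<pid>,
# dict-server, login/ and master.pid are created here by Dovecot itself.
base_dir = /var/run/dotvecot
protocols = imap imaps
listen = *
# NOTE(review): plaintext auth is permitted and imap listens on *:143, so
# passwords can cross the network unencrypted. Consider
# disable_plaintext_auth = yes so that PLAIN is only offered over TLS.
disable_plaintext_auth = no
shutdown_clients = yes
syslog_facility = local7 # <-- ensure this facility is set up in syslog.conf
ssl_disable = no
login_max_processes_count = 128
login_max_connections = 256
login_greeting = K-Tex IMAP Server # <-- CUSTOMISE FOR YOUR SITE
login_process_size = 64
login_process_per_connection = yes
login_processes_count = 16
ssl_cert_file = /var/qmail/control/servercert.pem # /usr/local/etc/ssl/italy1-cert.pem
# NOTE(review): the key file is named clientcert.pem -- confirm it really
# holds the private key matching servercert.pem and is readable only by root.
ssl_key_file = /var/qmail/control/clientcert.pem # /usr/local/etc/ssl/italy1.pem
first_valid_uid = 89
first_valid_gid = 89

protocol imap {
  listen = *:143
  ssl_listen = *:993
  #mail_plugins = quota imap_quota
  #login_greeting_capability = no
  mail_plugin_dir = /usr/local/lib/dovecot/imap
  imap_client_workarounds = outlook-idle
}

auth_process_size = 512
auth_cache_size = 512
auth_cache_ttl = 3600

auth default {
  mechanisms = plain

  # vpopmail authentication
  passdb vpopmail {
    #args =
  }

  # vpopmail
  userdb vpopmail {
  }

  # NOTE(review): the auth process runs as root with this setting. Keep it
  # only if the vpopmail backend genuinely requires root; otherwise a
  # dedicated low-privilege user limits what a compromised auth process can do.
  user = root
}

dict {
  #quota = mysql:/etc/dovecot-dict-quota.conf
}

plugin {
  quota = maildir
}

namespace private {
  prefix = INBOX.
  inbox = yes
}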