Typically before I kill a system that's been compromised, I try to find
out the reason, so it DOESN'T happen again.
In this instance I have 2 systems with exactly the same "issue"
Both were running smoothly until about last week, then load spikes
were observed.
In both systems, the attacker has changed the dovecot.conf to
point at dotvecot.
I'm guessing around the 13th as that's when the /var/run/dovecot folder
was updated.
I'll do the rest offlist.
Andraz, thank you. Washington, you're an asshole.
Cheers,
Lawrence.
On May 18, 2008, at 3:03 PM, Lawrence Sheed wrote:
Corrected that in the conf file.
If I check the dovecot user, I see it's been compromised also - a
bunch of crap in their login folder.
I didn't create the dovecot.conf with a /var/run/dotvecot though, so
someone else did that.
More updates as I check further.
On May 18, 2008, at 2:54 PM, Andraž 'ruskie' Levstik wrote:
ROFL...
This was a good way to start the day...
Correct your typo in the dovecot.conf file ;)
Here's a hint ;) See base_dir...
drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot

dovecot.conf

cat /etc/dovecot/dovecot.conf
base_dir = /var/run/dotvecot
--
Andraž "ruskie" Levstik
Source Mage GNU/Linux Games grimoire guru
Geek/Hacker/Tinker
Be sure brain is in gear before engaging mouth.
Ryle hira.
Key id = F4C1F89C
Key fingerprint = 6FF2 8F20 4C9D DB36 B5B6 F134 884D 72CC F4C1 F89C
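The base_dir mix-up above comes down to one letter in a config value, which is easy to read past when triaging a box under load. The following is an added example, not code posted by anyone in the thread and not part of Dovecot itself: a small POSIX sh check that pulls the effective base_dir out of a dovecot.conf (ignoring commented-out settings, last occurrence wins) and compares it against the path you expect, so that /var/run/dotvecot versus /var/run/dovecot is flagged explicitly. The sample config it runs on is constructed for the example, and the expected path /var/run/dovecot is passed in as an argument rather than assumed.

```shell
# Added example (not from the thread): compare base_dir in a dovecot.conf
# against the expected path, so a one-letter difference stands out.

# Print the effective base_dir from a dovecot.conf.
# Comments are stripped first, so "#base_dir = ..." lines are ignored;
# if the setting appears more than once, the last one wins, as in Dovecot.
dovecot_base_dir() {
    conf="$1"
    sed -e 's/#.*//' "$conf" \
        | awk -F= '$1 ~ /^[[:space:]]*base_dir[[:space:]]*$/ { v=$2 }
                   END { gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v }'
}

# Return 0 if base_dir in the conf equals the expected path, 1 otherwise,
# printing a one-line verdict either way.
check_base_dir() {
    conf="$1"
    expected="$2"
    actual=$(dovecot_base_dir "$conf")
    if [ "$actual" = "$expected" ]; then
        echo "ok: base_dir = $actual"
        return 0
    fi
    echo "MISMATCH: base_dir = '$actual' (expected '$expected')"
    return 1
}

# Constructed sample config reproducing the typo from the thread.
tmpconf=$(mktemp)
cat > "$tmpconf" <<'EOF'
# Dovecot configuration (constructed sample)
protocols = imap pop3
#base_dir = /var/run/dovecot
base_dir = /var/run/dotvecot
EOF

# Prints: MISMATCH: base_dir = '/var/run/dotvecot' (expected '/var/run/dovecot')
check_base_dir "$tmpconf" /var/run/dovecot || true
rm -f "$tmpconf"
```

Run it against the real file with `check_base_dir /etc/dovecot/dovecot.conf /var/run/dovecot`; a non-zero exit is the cue to look at the directory the value actually points to, including its mtime, before assuming the service is merely misconfigured.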