18 May 2008, 12:02 p.m.
On Sun, 18 May 2008, Lawrence Sheed wrote:
> Anyone want to assist in finding out how they are getting in?
How about setting up rawlog? Details in the Wiki.
> Definitely dovecot related. If I don't run dovecot, seems secure. As
> soon as I run dovecot, after a few minutes - rooted...
Is your dovecot configuration writable by the dovecot user? It shouldn't be.
What happens if you set the "+i" flag (immutable) with chattr on Linux (or schg on BSD, JFTR if someone else ), to prevent changes to the dovecot.conf file?
Can you obtain working and statically linked ps, top, netstat copies from an uncompromised system or a known-good live CD?
-- Matthias Andree
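
An added example, not part of the original message: a shell check for the question above, whether the dovecot user can modify dovecot.conf, either directly or by replacing it through a writable directory. It assumes Linux with GNU `stat`; the function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# can_write UID "GID GID ..." PATH
# Succeeds if ownership or mode bits let that uid (with those gids) write PATH.
can_write() {
    cw_uid=$1 cw_gids=$2
    cw_stat=$(stat -c '%u %g %a' "$3") || return 2
    set -- $cw_stat                      # $1=owner uid, $2=group gid, $3=octal mode
    cw_mode=$((0$3))
    if [ "$cw_uid" -eq 0 ]; then return 0; fi      # root bypasses mode bits
    # The owner can always chmod the file, so ownership alone is a finding.
    if [ "$cw_uid" -eq "$1" ]; then return 0; fi
    for cw_g in $cw_gids; do
        if [ "$cw_g" -eq "$2" ]; then
            # Group class applies exclusively: "other" bits are not consulted.
            if [ $((cw_mode & 0020)) -ne 0 ]; then return 0; else return 1; fi
        fi
    done
    if [ $((cw_mode & 0002)) -ne 0 ]; then return 0; else return 1; fi
}

# audit_conf UID "GIDS" FILE
# Checks the file and its directory (a writable directory allows replacing the
# file by rename). Sticky directories are not modelled, so they are reported
# conservatively. Prints findings; returns 1 if any were found.
audit_conf() {
    ac_rc=0
    for ac_p in "$3" "$(dirname -- "$3")"; do
        if can_write "$1" "$2" "$ac_p"; then
            echo "FINDING: uid $1 can modify $ac_p"
            ac_rc=1
        fi
    done
    return $ac_rc
}

# Usage (path and account name are assumptions, adjust to the installation):
#   audit_conf "$(id -u dovecot)" "$(id -G dovecot)" /etc/dovecot.conf
```

A clean result covers only ownership and mode bits; ACLs and the immutable flag mentioned above are not inspected.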