I am running Debian on both servers, but updated both the keys and the
ssh server as I saw it on Slashdot (a few days ago).
The intrusion seems to be around the 13th. They changed the dovecot configuration (as noted).
If I turned off the iptables firewalling, I saw that
ports 6244 and 6243 had something running on them when I checked from a
non-compromised server.
An nmap from the compromised server (including those ports in the
scan) showed nothing.
rkhunter showed nothing untoward.
Other relevant details.
I'm running /tmp as noexec and nosuid.
Unused ports are firewalled (which is probably what saved me from
being horribly compromised).
Certain files are root-only
(I have a daily script which does):
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp
This usually stops script kiddies.
Also have fail2ban running for ssh and ftp dictionary attacks.
I saw a couple of strange things in the imap logs related to ssh*-dist
(can't remember the exact wording, and those logs are gone
unfortunately)
I run 5 servers with similar setups - although some are running 1.0.9
(which I've upgraded to 1.0.13 on all), although I'm running courier-imap
on them for the moment just to be sure.
2 out of 5 had the /var/run/dotvecot folder appear around the 13th.
I hadn't made any changes to dovecot other than updates as new
releases come out.
I'm not sure if the dict line in the dovecot.conf was there before.
It's not on most of the setups, but appears in both of the affected
ones.
I'm going to reinstall one of the affected servers, but can leave the
second running for a little while.
Any other thoughts (positive ones), or things you'd like me to post?
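The outside-versus-local discrepancy on ports 6243/6244 described above is the classic sign of a listener hidden from the host's own tools: a rootkit can hide sockets from ss/netstat/nmap on the box, but not from a scan taken on the wire. As an added example (not code from this thread), a POSIX shell script that parses `nmap -oG` output taken from a clean host and `ss -Hltn` output taken on the suspect host, and reports any port visible only from outside; the scan and ss output are constructed samples, and 192.0.2.10 is a placeholder address.

```shell
#!/bin/sh
# Added example: find listeners a remote scan sees but the host does not report.

# Ports in state "open" from `nmap -oG -` (grepable) output, one per line.
# Usage: nmap_open_ports < scan.gnmap
nmap_open_ports() {
    sed -n 's/.*Ports: //p' | tr ',' '\n' |
        sed -n 's#^ *\([0-9][0-9]*\)/open/.*#\1#p'
}

# Listening TCP ports from `ss -Hltn` (no header) output, one per line.
# The local address is field 4; the port is whatever follows the last ':'.
# Usage: ss_listen_ports < ss.txt
ss_listen_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# hidden_ports EXTERNAL LOCAL: ports present in EXTERNAL but absent from LOCAL.
# Uses FILENAME rather than NR==FNR so an *empty* LOCAL file (everything
# hidden) still yields every external port instead of silently matching none.
hidden_ports() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         NF && !($1 in seen)' "$2" "$1" | sort -n
}

# --- constructed sample data standing in for real scan and ss output ---
SAMPLE_GNMAP='Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 143/open/tcp//imap///, 6243/open/tcp//unknown///, 6244/open/tcp//unknown///  Ignored State: closed (65531)'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:143 0.0.0.0:*'

# Compare the two views; any output is a strong indicator of a hidden service.
demo_hidden() {
    ext=$(mktemp) loc=$(mktemp)
    printf '%s\n' "$SAMPLE_GNMAP" | nmap_open_ports > "$ext"
    printf '%s\n' "$SAMPLE_SS"    | ss_listen_ports > "$loc"
    hidden_ports "$ext" "$loc"
    rm -f "$ext" "$loc"
}

demo_hidden    # prints 6243 and 6244
```

On a live host, feed the functions with the real files (`nmap -p- -oG - host` from the clean machine, `ss -Hltn` on the suspect one) and treat anything reported as evidence to preserve before rebuilding.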
On May 18, 2008, at 4:02 PM, Andraž 'ruskie' Levstik wrote:
Are you perhaps running a Debian host with compromised keys (see recent debian+ssl issues)?
--
Andraž "ruskie" Levstik
Source Mage GNU/Linux Games grimoire guru
Geek/Hacker/Tinker
Be sure brain is in gear before engaging mouth.
Ryle hira.
Key id = F4C1F89C Key fingerprint = 6FF2 8F20 4C9D DB36 B5B6 F134 884D 72CC F4C1 F89C