I'm running 1.0.13

If I run dovecot for a while, I see a /var/run/dotvecot folder created with the following:

drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot

drwxr-xr-x  3 root root    4096 2008-05-18 13:47 .
drwxr-xr-x 18 root root    4096 2008-05-18 13:47 ..
srw-------  1 root root       0 2008-05-18 13:47 auth-worker.15138
srwxrwxrwx  1 root root       0 2008-05-18 13:47 dict-server
drwxr-x---  2 root dovecot 4096 2008-05-18 13:47 login
-rw-------  1 root root       6 2008-05-18 13:47 master.pid

It appears to be created by imap-login

I've tried removing any dovecot remnants and reinstalling from the 1.0.13 tar.gz from the site.
After starting dovecot again after a few minutes the files appear.

The processes are running something on 6243 and 6244 (Presumably an exploit / login)

I have iptables setup to only allow existing ports in/out so I think that's saved me so far.

I've switched to courier-imap in the interim.

Anyone want to assist in finding out how they are getting in?

Definitely dovecot related. If I don't run dovecot, seems secure. As soon as I run dovecot, after a few minutes - rooted...
dovecot.conf

cat /etc/dovecot/dovecot.conf
base_dir = /var/run/dotvecot
protocols = imap imaps
listen = *
disable_plaintext_auth = no
shutdown_clients = yes
syslog_facility = local7 #<-- Ensure this is set up in syslog conf
ssl_disable = no
login_max_processes_count = 128
login_max_connections = 256
login_greeting = K-Tex IMAP Server # <-- CUSTOMISE FOR YOUR SITE
login_process_size = 64
login_process_per_connection = yes
login_processes_count = 16
ssl_cert_file = /var/qmail/control/servercert.pem # /usr/local/etc/ssl/italy1-cert.pem
ssl_key_file = /var/qmail/control/clientcert.pem # /usr/local/etc/ssl/italy1.pem
first_valid_uid = 89
first_valid_gid = 89

protocol imap {
  listen = *:143
  ssl_listen = *:993
  #mail_plugins = quota imap_quota
  #login_greeting_capability = no
  mail_plugin_dir = /usr/local/lib/dovecot/imap
  imap_client_workarounds = outlook-idle
}

auth_process_size = 512
auth_cache_size = 512
auth_cache_ttl = 3600

auth default {
  mechanisms = plain
  # vpopmail authentication
  passdb vpopmail {
    #args
  }
  # vpopmail
  userdb vpopmail {
  }
  user = root
}

dict {
  #quota = mysql:/etc/dovecot-dict-quota.conf
}

plugin {
  quota = maildir
}

namespace private {
  prefix = INBOX.
  inbox = yes
}
On Sun, May 18, 2008 at 8:52 AM, Lawrence Sheed <lawrence at computersolutions.cn> wrote:
> I'm running 1.0.13
>
> If I run dovecot for a while, I see a /var/run/dotvecot folder created with
> the following:
>
> drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot
>
> drwxr-xr-x  3 root root    4096 2008-05-18 13:47 .
> drwxr-xr-x 18 root root    4096 2008-05-18 13:47 ..
> srw-------  1 root root       0 2008-05-18 13:47 auth-worker.15138
> srwxrwxrwx  1 root root       0 2008-05-18 13:47 dict-server
> drwxr-x---  2 root dovecot 4096 2008-05-18 13:47 login
> -rw-------  1 root root       6 2008-05-18 13:47 master.pid
>
> It appears to be created by imap-login
>
> I've tried removing any dovecot remnants and reinstalling from the 1.0.13
> tar.gz from the site.
> After starting dovecot again after a few minutes the files appear.

What is the problem according to you??? Excuse me for being blind to it if it is really there, but this appears okay to me!

In your dovecot.conf, you have the following:

base_dir = /var/run/dotvecot

Given that it's actually your own typo putting that in place, how does that constitute a security hole? :-)

> The processes are running something on 6243 and 6244

What are those? tcp ports??? pids??

> (Presumably an exploit / login)

Oh, how? Your question is simply not clear to me at all, but that could be because I am not quite a security expert to see the obvious.

> I have iptables setup to only allow existing ports in/out so I think that's
> saved me so far.
>
> I've switched to courier-imap in the interim.
>
> Anyone want to assist in finding out how they are getting in?
>
> Definitely dovecot related. If I don't run dovecot, seems secure. As soon
> as I run dovecot, after a few minutes - rooted...

??? Lemme watch this in the periphery! I run dovecot-1.0.13 on over 20 hosts so I could be "rooted" as well. However, my setups tell dovecot to listen to ports 110 and 143 only and I have never observed anything strange.

Timo has some good amount of money to offer you if you could prove that there is a security exploit, but I don't see you getting even 0.001% of that amount just with the information you've provided here. Aren't you just being paranoid?

Could you please provide more information that can make someone "see" what you are scared of?

-- 
Best regards,
Odhiambo WASHINGTON, Nairobi, KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Oh My God! They killed init! You Bastards!"
--from a /. post
ROFL... This was a good way to start the day...

Correct your typo in the dovecot.conf file ;) Here's a hint ;) See base_dir...

> > drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot
>
> dovecot.conf
>
> cat /etc/dovecot/dovecot.conf
> base_dir = /var/run/dotvecot

-- 
Andraž "ruskie" Levstik
Source Mage GNU/Linux Games grimoire guru
Geek/Hacker/Tinker

Be sure brain is in gear before engaging mouth.
Ryle hira.

Key id = F4C1F89C
Key fingerprint = 6FF2 8F20 4C9D DB36 B5B6 F134 884D 72CC F4C1 F89C
On Sun, 18 May 2008, Lawrence Sheed wrote:

> Anyone want to assist in finding out how they are getting in?

How about setting up rawlog? Details in the Wiki.

> Definitely dovecot related. If I don't run dovecot, seems secure. As
> soon as I run dovecot, after a few minutes - rooted...

Is your dovecot configuration writable by the dovecot user? It shouldn't. What happens if you set the "+i" flag (immutable) with chattr on Linux (or schg on BSD, JFTR if someone else ), to prevent changes to the dovecot.conf file?

Can you obtain working and statically linked ps, top, netstat copies from an uncompromised system or a known-good live CD?

-- 
Matthias Andree
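An added example, not code from anyone in this thread, that turns the two checks raised above into a script: it reads base_dir out of a dovecot.conf and compares it with the expected path (so a misspelling like "dotvecot" is recognised as the source of the surprise directory before anyone cries rootkit), and it verifies that dovecot.conf is not group- or world-writable, which is the tampering risk Matthias asks about. It assumes a POSIX sh and the `key = value` syntax of a dovecot 1.0 config; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for a dovecot 1.0 config.

# Print the base_dir set in the dovecot.conf given as $1 (last assignment wins,
# trailing "# comment" stripped); dovecot's default /var/run/dovecot when unset.
dovecot_base_dir() {
    v=$(sed -n 's/^[[:space:]]*base_dir[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' /var/run/dovecot; fi
}

# Return 0 when base_dir equals the expected path ($2, default /var/run/dovecot).
# Return 1 and explain otherwise: a directory that appears under a misspelt
# base_dir was created by dovecot from your own config, not by an intruder.
check_base_dir() {
    conf=$1
    expected=${2:-/var/run/dovecot}
    actual=$(dovecot_base_dir "$conf")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "base_dir is '$actual', expected '$expected' (typo?)" >&2
    return 1
}

# Return 0 when the file has no group or world write bit, 1 otherwise.
# A dovecot.conf that the dovecot user (or anyone) can write is a real
# tampering risk, unlike the misspelt directory name.
config_not_group_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -rw-r--r--
    case "$mode" in
        ?????w*) return 1 ;;              # group write bit (6th char)
        ????????w?) return 1 ;;           # world write bit (9th char)
    esac
    return 0
}

# Run both checks against a config ($1, optional expected base_dir in $2);
# exit status is non-zero on any finding so it can gate a cron job or deploy.
audit_dovecot_conf() {
    rc=0
    check_base_dir "$1" "$2" || rc=1
    config_not_group_world_writable "$1" || rc=1
    return $rc
}
```

Run it as `audit_dovecot_conf /etc/dovecot/dovecot.conf` after sourcing the file; the immutable flag Matthias mentions is a separate step this script does not set.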
On Sun, 2008-05-18 at 13:52 +0800, Lawrence Sheed wrote:

It would be helpful to have some more information, such as:

> If I run dovecot for a while, I see a /var/run/dotvecot folder created
> with the following:
>
> drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot
..
> I've tried removing any dovecot remnants and reinstalling from the
> 1.0.13 tar.gz from the site.
> After starting dovecot again after a few minutes the files appear.

Even if you change base_dir back to /var/run/dovecot? What if you unplug the network, does it still come back too?

> The processes are running something on 6243 and 6244

netstat -ln doesn't show them? That would mean the attacker gained root access, which is very unlikely to have happened directly through Dovecot (but getting non-root via Dovecot -> root via some other exploit is possible of course).

> passdb vpopmail {
> #args
> }

vpopmail would be one possibility, I have some doubts about its security.
On Sun, 18 May 2008, Timo Sirainen wrote:

> > passdb vpopmail {
> > #args
> > }
>
> vpopmail would be one possibility, I have some doubts about its
> security.

Can you detail the spots you deem could take some more observation or investigation? vpopmail, after all, is highly popular in qmail environments which boast about their "security" (which is partially based on "proof by claim" like arguments and sometimes 'substantiated' by ad-hominem attacks of certain groups of people who can't bear criticism).

-- 
Matthias Andree