On 05/25/2012 11:39 PM, Sam Varshavchik wrote:
> The next time this starts happening, telnet to port 143, find the 
> newly-spawned imaplogin process, attach "strace -o strace.log -s 256 
> -p <PID>" to it, then proceed to log in manually, and see what strace 
> captures.
>
I replaced %USER, %PASS and %HOST before posting (note for anyone repeating this: with `-s 256` the trace captures the IMAP `LOGIN` line and the authdaemon exchange, including the `PASSWD2=` field, in cleartext, so scrub the log and delete it afterwards); the rest is the output of `cat strace.log`:

select(1, [0], NULL, NULL, {1782, 35496}) = 1 (in [0], left {1773, 249425})
read(0, "0 LOGIN %USER %PASS\r\n", 8192) = 28
access("/usr/bin/couriertls", X_OK)     = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_FILE, sun_path="/var/run/authdaemon/socket"}, 
110) = 0
fcntl(3, F_SETFL, O_RDONLY)             = 0
select(4, NULL, [3], NULL, {10, 0})     = 1 (out [3], left {9, 999997})
write(3, "AUTH 30\nimap\nlogin\n%USER\n%PASS\n", 38) = 38
select(4, [3], NULL, NULL, {30, 0})     = 1 (in [3], left {29, 999471})
read(3, 
"UID=999\nGID=999\nHOME=/www/mail\nADDRESS=%USER\nMAILDIR=%USER@%HOST\nPASSWD2=%PASS\n.\n",
 
8191) = 100
setgid(999)                             = 0
getuid()                                = 0
setgroups(1, [999])                     = 0
setuid(999)                             = 0
chdir("/www/mail")                      = 0
alarm(0)                                = 33
execve("/usr/bin/imapd", ["/usr/bin/imapd", "%USER@%HOST"], [/* 65 vars 
*/]) = 0
brk(0)                                  = 0xbce000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x7fbb4fcac000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or 
directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=48662, ...}) = 0
mmap(NULL, 48662, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fbb4fca0000
close(5)                                = 0
open("/usr/lib/libfam.so.0", O_RDONLY|O_CLOEXEC) = 5
read(5, 
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\27\0\0\0\0\0\0@\0\0\0\0\0\0\0\30c\0\0\0\0\0\0\0\0\0\0@\0008\0\7\0@\0\32\0\31\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0lS\0\0\0\0\0\0lS\0\0\0\0\0\0\0\0
 
\0\0\0\0\0\1\0\0\0\6\0\0\0\320]\0\0\0\0\0\0\320] \0\0\0\0\0\320] 
\0\0\0\0\0004\4\0\0\0\0\0\0\20\5\0\0\0\0\0\0\0\0 
\0\0\0\0\0\2\0\0\0\6\0\0\0\370]\0\0\0\0\0\0\370] \0\0\0\0\0\370] 
\0\0\0\0\0\220\1\0\0\0\0\0\0\220\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\310\1\0\0\0\0\0\0\310\1\0\0\0\0\0\0"...,
 
832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=27032, ...}) = 0
mmap(NULL, 2122464, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 
0) = 0x7fbb4f885000
mprotect(0x7fbb4f88b000, 2093056, PROT_NONE) = 0
mmap(0x7fbb4fa8a000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x5000) = 0x7fbb4fa8a000
close(5)                                = 0
open("/usr/lib/libgdbm.so.4", O_RDONLY|O_CLOEXEC) = 5
read(5, 
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\36\0\0\0\0\0\0@\0\0\0\0\0\0\0008\203\0\0\0\0\0\0\0\0\0\0@\0008\0\7\0@\0\33\0\32\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0ln\0\0\0\0\0\0ln\0\0\0\0\0\0\0\0
 
\0\0\0\0\0\1\0\0\0\6\0\0\0\0}\0\0\0\0\0\0\0} \0\0\0\0\0\0} 
\0\0\0\0\0\30\5\0\0\0\0\0\0000\5\0\0\0\0\0\0\0\0 
\0\0\0\0\0\2\0\0\0\6\0\0\0\20~\0\0\0\0\0\0\20~ \0\0\0\0\0\20~ 
\0\0\0\0\0\220\1\0\0\0\0\0\0\220\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\310\1\0\0\0\0\0\0\310\1\0\0\0\0\0\0"...,
 
832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=35320, ...}) = 0
mmap(NULL, 2130480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 
0) = 0x7fbb4f67c000
mprotect(0x7fbb4f683000, 2097152, PROT_NONE) = 0
mmap(0x7fbb4f883000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x7000) = 0x7fbb4f883000
close(5)                                = 0
open("/usr/lib/libcourierauth.so", O_RDONLY|O_CLOEXEC) = 5
read(5, 
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3602\0\0\0\0\0\0@\0\0\0\0\0\0\0\250\305\0\0\0\0\0\0\0\0\0\0@\0008\0\7\0@\0\32\0\31\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\267\0\0\0\0\0\0T\267\0\0\0\0\0\0\0\0
 
\0\0\0\0\0\1\0\0\0\6\0\0\0\270\275\0\0\0\0\0\0\270\275 
\0\0\0\0\0\270\275 \0\0\0\0\0\300\6\0\0\0\0\0\0p\n\0\0\0\0\0\0\0\0 
\0\0\0\0\0\2\0\0\0\6\0\0\0\320\275\0\0\0\0\0\0\320\275 
\0\0\0\0\0\320\275 
\0\0\0\0\0\340\1\0\0\0\0\0\0\340\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\310\1\0\0\0\0\0\0\310\1\0\0\0\0\0\0"...,
 
832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=52264, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x7fbb4fc9f000
mmap(NULL, 2148392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 
0) = 0x7fbb4f46f000
mprotect(0x7fbb4f47b000, 2093056, PROT_NONE) = 0
mmap(0x7fbb4f67a000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0xb000) = 0x7fbb4f67a000
close(5)                                = 0
open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 5
read(5, 
"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\25\2\0\0\0\0\0@\0\0\0\0\0\0\0\320\310\31\0\0\0\0\0\0\0\0\0@\0008\0\n\0@\0%\0\"\0\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0000\2\0\0\0\0\0\0000\2\0\0\0\0\0\0\10\0\0\0\0\0\0\0\3\0\0\0\4\0\0\0pp\26\0\0\0\0\0pp\26\0\0\0\0\0pp\26\0\0\0\0\0\32\0\0\0\0\0\0\0\32\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314n\31\0\0\0\0\0\314n\31\0\0\0\0\0\0\0
 
\0\0\0\0\0\1\0\0\0\6\0\0\0\30w\31\0\0\0\0\0\30w9\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=1983446, ...}) = 0
mmap(NULL, 3804112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 
0) = 0x7fbb4f0ce000
mprotect(0x7fbb4f265000, 2097152, PROT_NONE) = 0
mmap(0x7fbb4f465000, 24576, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x197000) = 0x7fbb4f465000
mmap(0x7fbb4f46b000, 15312, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbb4f46b000
close(5)                                = 0
open("/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 5
read(5, 
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\16\0\0\0\0\0\0@\0\0\0\0\0\0\0\2601\0\0\0\0\0\0\0\0\0\0@\0008\0\t\0@\0\36\0\35\0\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\370\1\0\0\0\0\0\0\370\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\3\0\0\0\4\0\0\0P\32\0\0\0\0\0\0P\32\0\0\0\0\0\0P\32\0\0\0\0\0\0\32\0\0\0\0\0\0\0\32\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20
 
\0\0\0\0\0\0\20 \0\0\0\0\0\0\0\0 
\0\0\0\0\0\1\0\0\0\6\0\0\0H-\0\0\0\0\0\0H- \0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=14640, ...}) = 0
mmap(NULL, 2109688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 
0) = 0x7fbb4eeca000
mprotect(0x7fbb4eecd000, 2093056, PROT_NONE) = 0
mmap(0x7fbb4f0cc000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x2000) = 0x7fbb4f0cc000
close(5)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x7fbb4fc9e000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x7fbb4fc9d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x7fbb4fc9c000
arch_prctl(ARCH_SET_FS, 0x7fbb4fc9d700) = 0
mprotect(0x7fbb4f465000, 16384, PROT_READ) = 0
mprotect(0x7fbb4f0cc000, 4096, PROT_READ) = 0
mprotect(0x7fbb4f67a000, 4096, PROT_READ) = 0
mprotect(0x7fbb4f883000, 4096, PROT_READ) = 0
mprotect(0x7fbb4fa8a000, 4096, PROT_READ) = 0
mprotect(0x65d000, 4096, PROT_READ)     = 0
mprotect(0x7fbb4fcad000, 4096, PROT_READ) = 0
munmap(0x7fbb4fca0000, 48662)           = 0
fcntl(0, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
fcntl(1, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
chdir("%USER@%HOST")        = 0
stat("loginexec", 0x7fff32e1cd70)       = -1 ENOENT (No such file or 
directory)
stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
geteuid()                               = 999
getegid()                               = 999
uname({sys="Linux", node="%HOST", ...}) = 0
brk(0)                                  = 0xbce000
brk(0xbef000)                           = 0xbef000
rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 
0x7fbb4f102cb0}, {SIG_DFL, [], 0}, 8) = 0
unlink("tmp/courier-imap.clockskew.chk") = -1 ENOENT (No such file or 
directory)
open("tmp/courier-imap.clockskew.chk", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
close(5)                                = 0
unlink("tmp/courier-imap.clockskew.chk") = 0
getcwd("/www/mail/%USER@%HOST", 4095) = 34
alarm(15)                               = 0
rt_sigaction(SIGUSR2, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGUSR2, {0x7fbb4f888cd0, [USR2], SA_RESTORER|SA_RESTART, 
0x7fbb4f102cb0}, {SIG_DFL, [], 0}, 8) = 0
getuid()                                = 999
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
connect(5, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = 
-1 ENOENT (No such file or directory)
close(5)                                = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
connect(5, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = 
-1 ENOENT (No such file or directory)
close(5)                                = 0
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=223, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x7fbb4fcab000
read(5, "# Begin /etc/nsswitch.conf\n\npasswd: files\ngroup: 
files\nshadow: files\n\npublickey: files\n\nhosts: files dns\nnetworks: 
files\n\nprotocols: files\nservices: files\nethers: files\nrpc: 
files\n\nnetgroup: files\n\n# End /etc/nsswitch.conf\n", 4096) = 223
read(5, "", 4096)                       = 0
close(5)                                = 0
munmap(0x7fbb4fcab000, 4096)            = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=48662, ...}) = 0
mmap(NULL, 48662, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fbb4fca0000
close(5)                                = 0
open("/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5
read(5, 
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\"\0\0\0\0\0\0@\0\0\0\0\0\0\0(\304\0\0\0\0\0\0\0\0\0\0@\0008\0\t\0@\0\36\0\35\0\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\370\1\0\0\0\0\0\0\370\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\3\0\0\0\4\0\0\0`\223\0\0\0\0\0\0`\223\0\0\0\0\0\0`\223\0\0\0\0\0\0\32\0\0\0\0\0\0\0\32\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\260\0\0\0\0\0\0\314\260\0\0\0\0\0\0\0\0
 
\0\0\0\0\0\1\0\0\0\6\0\0\0p\275\0\0\0\0\0\0p\275 \0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=52136, ...}) = 0
mmap(NULL, 2148136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 
0) = 0x7fbb4ecbd000
mprotect(0x7fbb4ecc9000, 2093056, PROT_NONE) = 0
mmap(0x7fbb4eec8000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0xb000) = 0x7fbb4eec8000
close(5)                                = 0
mprotect(0x7fbb4eec8000, 4096, PROT_READ) = 0
munmap(0x7fbb4fca0000, 48662)           = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=534, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x7fbb4fcab000
read(5, 
"root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/bin/false\ndaemon:x:2:2:daemon:/sbin:/bin/false\nmail:x:8:12:mail:/var/spool/mail:/bin/false\nftp:x:14:11:ftp:/srv/ftp:/bin/false\nhttp:x:33:33:http:/srv/http:/bin/false\nnobody:x:99:99:nobody:/:/bin/false\ndbu"...,
 
4096) = 534
close(5)                                = 0
munmap(0x7fbb4fcab000, 4096)            = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 5
connect(5, {sa_family=AF_FILE, sun_path=@"/tmp/fam-www-"}, 110) = ? 
ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
+++ killed by SIGALRM +++
