On 05/25/2012 11:39 PM, Sam Varshavchik wrote:
> The next time this starts happening, telnet to port 143, find the
> newly-spawned imaplogin process, attach "strace -o strace.log -s 256
> -p <PID>" to it, then proceed to log in manually, and see what strace
> captures.

I replaced the real values with %USER, %PASS and %HOST; the rest is the output of `cat strace.log`:
select(1, [0], NULL, NULL, {1782, 35496}) = 1 (in [0], left {1773, 249425}) read(0, "0 LOGIN %USER %PASS\r\n", 8192) = 28 access("/usr/bin/couriertls", X_OK) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 3 fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK) = 0 connect(3, {sa_family=AF_FILE, sun_path="/var/run/authdaemon/socket"}, 110) = 0 fcntl(3, F_SETFL, O_RDONLY) = 0 select(4, NULL, [3], NULL, {10, 0}) = 1 (out [3], left {9, 999997}) write(3, "AUTH 30\nimap\nlogin\n%USER\n%PASS\n", 38) = 38 select(4, [3], NULL, NULL, {30, 0}) = 1 (in [3], left {29, 999471}) read(3, "UID=999\nGID=999\nHOME=/www/mail\nADDRESS=%USER\nMAILDIR=%USER@%HOST\nPASSWD2=%PASS\n.\n", 8191) = 100 setgid(999) = 0 getuid() = 0 setgroups(1, [999]) = 0 setuid(999) = 0 chdir("/www/mail") = 0 alarm(0) = 33 execve("/usr/bin/imapd", ["/usr/bin/imapd", "%USER@%HOST"], [/* 65 vars */]) = 0 brk(0) = 0xbce000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbb4fcac000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=48662, ...}) = 0 mmap(NULL, 48662, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fbb4fca0000 close(5) = 0 open("/usr/lib/libfam.so.0", O_RDONLY|O_CLOEXEC) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\27\0\0\0\0\0\0@\0\0\0\0\0\0\0\30c\0\0\0\0\0\0\0\0\0\0@\0008\0\7\0@\0\32\0\31\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0lS\0\0\0\0\0\0lS\0\0\0\0\0\0\0\0 \0\0\0\0\0\1\0\0\0\6\0\0\0\320]\0\0\0\0\0\0\320] \0\0\0\0\0\320] \0\0\0\0\0004\4\0\0\0\0\0\0\20\5\0\0\0\0\0\0\0\0 \0\0\0\0\0\2\0\0\0\6\0\0\0\370]\0\0\0\0\0\0\370] \0\0\0\0\0\370] \0\0\0\0\0\220\1\0\0\0\0\0\0\220\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\310\1\0\0\0\0\0\0\310\1\0\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0755, st_size=27032, ...}) = 0 mmap(NULL, 2122464, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fbb4f885000 mprotect(0x7fbb4f88b000, 2093056, 
PROT_NONE) = 0 mmap(0x7fbb4fa8a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x5000) = 0x7fbb4fa8a000 close(5) = 0 open("/usr/lib/libgdbm.so.4", O_RDONLY|O_CLOEXEC) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\36\0\0\0\0\0\0@\0\0\0\0\0\0\0008\203\0\0\0\0\0\0\0\0\0\0@\0008\0\7\0@\0\33\0\32\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0ln\0\0\0\0\0\0ln\0\0\0\0\0\0\0\0 \0\0\0\0\0\1\0\0\0\6\0\0\0\0}\0\0\0\0\0\0\0} \0\0\0\0\0\0} \0\0\0\0\0\30\5\0\0\0\0\0\0000\5\0\0\0\0\0\0\0\0 \0\0\0\0\0\2\0\0\0\6\0\0\0\20~\0\0\0\0\0\0\20~ \0\0\0\0\0\20~ \0\0\0\0\0\220\1\0\0\0\0\0\0\220\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\310\1\0\0\0\0\0\0\310\1\0\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0755, st_size=35320, ...}) = 0 mmap(NULL, 2130480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fbb4f67c000 mprotect(0x7fbb4f683000, 2097152, PROT_NONE) = 0 mmap(0x7fbb4f883000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x7000) = 0x7fbb4f883000 close(5) = 0 open("/usr/lib/libcourierauth.so", O_RDONLY|O_CLOEXEC) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3602\0\0\0\0\0\0@\0\0\0\0\0\0\0\250\305\0\0\0\0\0\0\0\0\0\0@\0008\0\7\0@\0\32\0\31\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\267\0\0\0\0\0\0T\267\0\0\0\0\0\0\0\0 \0\0\0\0\0\1\0\0\0\6\0\0\0\270\275\0\0\0\0\0\0\270\275 \0\0\0\0\0\270\275 \0\0\0\0\0\300\6\0\0\0\0\0\0p\n\0\0\0\0\0\0\0\0 \0\0\0\0\0\2\0\0\0\6\0\0\0\320\275\0\0\0\0\0\0\320\275 \0\0\0\0\0\320\275 \0\0\0\0\0\340\1\0\0\0\0\0\0\340\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\310\1\0\0\0\0\0\0\310\1\0\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0755, st_size=52264, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbb4fc9f000 mmap(NULL, 2148392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fbb4f46f000 mprotect(0x7fbb4f47b000, 2093056, PROT_NONE) = 0 mmap(0x7fbb4f67a000, 
8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0xb000) = 0x7fbb4f67a000 close(5) = 0 open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 5 read(5, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\25\2\0\0\0\0\0@\0\0\0\0\0\0\0\320\310\31\0\0\0\0\0\0\0\0\0@\0008\0\n\0@\0%\0\"\0\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0000\2\0\0\0\0\0\0000\2\0\0\0\0\0\0\10\0\0\0\0\0\0\0\3\0\0\0\4\0\0\0pp\26\0\0\0\0\0pp\26\0\0\0\0\0pp\26\0\0\0\0\0\32\0\0\0\0\0\0\0\32\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314n\31\0\0\0\0\0\314n\31\0\0\0\0\0\0\0 \0\0\0\0\0\1\0\0\0\6\0\0\0\30w\31\0\0\0\0\0\30w9\0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0755, st_size=1983446, ...}) = 0 mmap(NULL, 3804112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fbb4f0ce000 mprotect(0x7fbb4f265000, 2097152, PROT_NONE) = 0 mmap(0x7fbb4f465000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x197000) = 0x7fbb4f465000 mmap(0x7fbb4f46b000, 15312, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbb4f46b000 close(5) = 0 open("/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\16\0\0\0\0\0\0@\0\0\0\0\0\0\0\2601\0\0\0\0\0\0\0\0\0\0@\0008\0\t\0@\0\36\0\35\0\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\370\1\0\0\0\0\0\0\370\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\3\0\0\0\4\0\0\0P\32\0\0\0\0\0\0P\32\0\0\0\0\0\0P\32\0\0\0\0\0\0\32\0\0\0\0\0\0\0\32\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20 \0\0\0\0\0\0\20 \0\0\0\0\0\0\0\0 \0\0\0\0\0\1\0\0\0\6\0\0\0H-\0\0\0\0\0\0H- \0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0755, st_size=14640, ...}) = 0 mmap(NULL, 2109688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fbb4eeca000 mprotect(0x7fbb4eecd000, 2093056, PROT_NONE) = 0 mmap(0x7fbb4f0cc000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x2000) = 0x7fbb4f0cc000 close(5) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbb4fc9e000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbb4fc9d000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbb4fc9c000 arch_prctl(ARCH_SET_FS, 0x7fbb4fc9d700) = 0 mprotect(0x7fbb4f465000, 16384, PROT_READ) = 0 mprotect(0x7fbb4f0cc000, 4096, PROT_READ) = 0 mprotect(0x7fbb4f67a000, 4096, PROT_READ) = 0 mprotect(0x7fbb4f883000, 4096, PROT_READ) = 0 mprotect(0x7fbb4fa8a000, 4096, PROT_READ) = 0 mprotect(0x65d000, 4096, PROT_READ) = 0 mprotect(0x7fbb4fcad000, 4096, PROT_READ) = 0 munmap(0x7fbb4fca0000, 48662) = 0 fcntl(0, F_SETFL, O_RDONLY|O_NONBLOCK) = 0 fcntl(1, F_SETFL, O_RDONLY|O_NONBLOCK) = 0 stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 chdir("%USER@%HOST") = 0 stat("loginexec", 0x7fff32e1cd70) = -1 ENOENT (No such file or directory) stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 geteuid() = 999 getegid() = 999 uname({sys="Linux", node="%HOST", ...}) = 0 brk(0) = 0xbce000 brk(0xbef000) = 0xbef000 rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7fbb4f102cb0}, {SIG_DFL, [], 0}, 8) = 0 unlink("tmp/courier-imap.clockskew.chk") = -1 ENOENT (No such file or directory) open("tmp/courier-imap.clockskew.chk", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 close(5) = 0 unlink("tmp/courier-imap.clockskew.chk") = 0 getcwd("/www/mail/%USER@%HOST", 4095) = 34 alarm(15) = 0 rt_sigaction(SIGUSR2, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGUSR2, {0x7fbb4f888cd0, [USR2], SA_RESTORER|SA_RESTART, 0x7fbb4f102cb0}, {SIG_DFL, [], 0}, 8) = 0 getuid() = 999 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5 connect(5, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(5) = 0 socket(PF_FILE, 
SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5 connect(5, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(5) = 0 open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=223, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbb4fcab000 read(5, "# Begin /etc/nsswitch.conf\n\npasswd: files\ngroup: files\nshadow: files\n\npublickey: files\n\nhosts: files dns\nnetworks: files\n\nprotocols: files\nservices: files\nethers: files\nrpc: files\n\nnetgroup: files\n\n# End /etc/nsswitch.conf\n", 4096) = 223 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7fbb4fcab000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=48662, ...}) = 0 mmap(NULL, 48662, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fbb4fca0000 close(5) = 0 open("/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5 read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\"\0\0\0\0\0\0@\0\0\0\0\0\0\0(\304\0\0\0\0\0\0\0\0\0\0@\0008\0\t\0@\0\36\0\35\0\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\370\1\0\0\0\0\0\0\370\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0\3\0\0\0\4\0\0\0`\223\0\0\0\0\0\0`\223\0\0\0\0\0\0`\223\0\0\0\0\0\0\32\0\0\0\0\0\0\0\32\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\260\0\0\0\0\0\0\314\260\0\0\0\0\0\0\0\0 \0\0\0\0\0\1\0\0\0\6\0\0\0p\275\0\0\0\0\0\0p\275 \0\0\0\0\0"..., 832) = 832 fstat(5, {st_mode=S_IFREG|0755, st_size=52136, ...}) = 0 mmap(NULL, 2148136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fbb4ecbd000 mprotect(0x7fbb4ecc9000, 2093056, PROT_NONE) = 0 mmap(0x7fbb4eec8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0xb000) = 0x7fbb4eec8000 close(5) = 0 mprotect(0x7fbb4eec8000, 4096, PROT_READ) = 0 munmap(0x7fbb4fca0000, 48662) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=534, ...}) = 0 
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbb4fcab000 read(5, "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/bin/false\ndaemon:x:2:2:daemon:/sbin:/bin/false\nmail:x:8:12:mail:/var/spool/mail:/bin/false\nftp:x:14:11:ftp:/srv/ftp:/bin/false\nhttp:x:33:33:http:/srv/http:/bin/false\nnobody:x:99:99:nobody:/:/bin/false\ndbu"..., 4096) = 534 close(5) = 0 munmap(0x7fbb4fcab000, 4096) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 5 connect(5, {sa_family=AF_FILE, sun_path=@"/tmp/fam-www-"}, 110) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} --- +++ killed by SIGALRM +++