On Sun, 2008-05-18 at 13:52 +0800, Lawrence Sheed wrote: It would be helpful to have some more information, such as:
> If I run dovecot for a while, I see a /var/run/dotvecot folder created > with the following: > > drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot .. > I've tried removing any dovecot remnants and reinstalling from the > 1.0.13 tar.gz from the site. > After starting dovecot again after a few minutes the files appear. Even if you change base_dir back to /var/run/dovecot? What if you unplug the network, does it still come back too? > The processes are running something on 6243 and 6244 netstat -ln don't show them? That would mean the attacker gained root access, which is very unlikely to have happened directly through Dovecot (but getting non-root via Dovecot -> root via some other exploit is possible of course). > passdb vpopmail { > #args = > } vpopmail would be one possibility, I have some doubts about its security.
signature.asc
Description: This is a digitally signed message part