Lawrence Sheed
COMPUTER SOLUTIONS
Room 401-402 Han Wen Xuan Building 2
No.14, 955 Yan An Middle Road
Shanghai China 200040
Tel: +86 21 62890765
+86 21 62890056
Fax: +86 21 62890700
Mobile: +86 13901 802 269
Skype: computersolutions.cn
Twitter: compsolutions
Web
Corrected that in the conf file.
If I check the dovecot user, I see it's been compromised also - a bunch
of crap in their login folder.
I didn't create the dovecot.conf with a /var/run/dotvecot though, so
someone else did that.
More updates as I check further.
On May 18, 2008, at 2:54 PM,
, the attacker has changed the dovecot.conf to
point at dotvecot
I'm guessing around the 13th as that's when the /var/run/dovecot folder
was updated.
I'll do the rest offlist.
Andraz, thank you.
Washington, you're an asshole.
Cheers,
Lawrence.
On May 18, 2008, at 3:03 PM, Lawrence Sheed wrote:
I am running Debian on both servers, but updated both the keys and the
ssh server as I saw it on Slashdot.
(A few days ago).
The intrusion seems to be around the 13th.
They changed the dovecot configuration (as noted).
If I turned off the iptables firewalling, I see that
port 6244 and 6243
I'm running 1.0.13
If I run dovecot for a while, I see a /var/run/dotvecot folder created
with the following:
drwxr-xr-x  3 root root 4096 2008-05-18 13:30 dotvecot
drwxr-xr-x  3 root root 4096 2008-05-18 13:47 .
drwxr-xr-x 18 root root 4096 2008-05-18 13:47 ..