On Fri, Feb 16, 2007 at 03:30:26PM -0500, jonc wrote:
> The user didn't do a lot of troubleshooting (at least that was relayed
> in the message). Most folks aren't going to simply jump in and suggest
> things when the user gives the appearance of being too clueless to
> effect any of the suggestions... Unless the error is specific enough or
> common enough to have a stock solution.
>
> Sometimes the nicest form of criticism an Open Source community can give
> someone is silence.

Apparently I didn't give enough detail. I suppose I didn't want to bore those who are not interested, but I guess that was a mistake on my part. Here is a little more detail in case jonc has any more to offer...

Jan 13. Get a call from my son that squirrel mail is not working properly. Checked the symptoms. The whole page is not coming up. Refreshing the page seems to bring up all the pieces, but this is a change in behaviour from Jan 11, which was the last time he checked his mail.

Shut down BOINC as it is chewing up a lot of processor time and may be slowing down the system, causing the page not to complete properly. No change.

Checked the logs on the system hosting squirrel mail. Nothing of note in the apache logs that looks unusual when comparing the 10th to the 13th, although one or two systems have been requesting files that don't exist on my system. Made a note for later.

Checked the maillog logs on the mail server. On the 11th each session of squirrel mail when connecting would stay connected till the user logged off. Noted the text for the logon method changed from "plain" to "PLAIN". Most interesting, since I did not make any changes to the system. Obviously something has changed. Checked the config file to find the logon method. It is entered as PLAIN. I have made no changes to this. On the 13th, starting at the session would disconnect generally within the same second that the logon happened.

No changes were made over the weekend. Matter of fact, the system has not been changed since mid December when I installed v 1.4.8. The only other change that happens is the system builds a new set of root hints for the DNS server automatically. This has been going on for years and never created an issue, so chances are good it will not cause it now.

Ran root kit checks and looked for files in /bin /sbin /usr/bin /usr/sbin /usr/local/bin and /usr/local/sbin with recent dates. Found none. Ran rootkit, found nothing. rkhunter runs nightly and found nothing either over the weekend.

Connections from Thunderbird stay logged on till the session is closed or times out. It is not seeing the same issue as squirrel mail seems to be. Cannot determine if it is dovecot or squirrel mail, but it is looking like it is squirrel mail related.

So I installed the latest squirrel mail with a standard install. The issue is still happening. The logon method is still PLAIN.

Updated dovecot. Didn't need to, but I figured why not. Something is broken and the install of squirrel mail did not fix it. If dovecot is compromised then this should resolve it. No change. Not squirrel mail nor dovecot.

Looked at PHP next. Ran tests on the PHP install on the squirrel mail server with other PHP based software I have set up on the server. They all work fine. It is not looking like PHP.

Did a bit more checking on the files that were being requested from the internet to see if the system may have been compromised. None of the requested files existed on my system, so I don't think there was anything exploited in this fashion. No strange requests in the ssl logs or the non ssl logs that would indicate a web based exploit. Logs appear intact with no gaping holes. Confidence is good that the system is still intact.

Checked the physical connection between the squirrel server and the hub. Looks good.

I am fairly confident that it is not apache, PHP, or squirrel mail. Also confident it is not dovecot, as it works as expected with Thunderbird. Hairpulling begins. I need to step back and get advice on where to look. Fresh eyes, so to speak.

Checked with Brian to see if he has ever heard of this issue, as it has me stumped and I could use some advice on where to look for problems. He hasn't either, so he submitted my note to the TriLUG mailing list to see if anyone had any useful suggestions.

Please let me know if anyone has any ideas of what I should be looking at.

-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
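
The maillog comparison described in the message above (session length per login, and when the logged method spelling changed), as an added example that is not part of the original post. The log layout, host name, user names and addresses are constructed assumptions, so the two regular expressions need adjusting to the real maillog format.

```python
import re
from datetime import datetime

# Constructed sample lines in an assumed syslog/dovecot-style layout (not from the post).
SAMPLE_LOG = """\
Jan 11 09:14:02 mail dovecot: imap-login: Login: user=<alice>, method=plain, rip=192.0.2.10, lip=192.0.2.1
Jan 11 09:31:47 mail dovecot: IMAP(alice): Disconnected: Logged out
Jan 13 10:02:15 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Jan 13 10:02:15 mail dovecot: IMAP(alice): Disconnected: Logged out
Jan 13 10:05:40 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.22, lip=192.0.2.1
Jan 13 10:48:03 mail dovecot: IMAP(bob): Disconnected: Logged out
"""
LOGIN = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: imap-login: Login: "
                   r"user=<([^>]+)>, method=(\S+?), rip=([\d.]+)")
LOGOUT = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: IMAP\(([^)]+)\): Disconnected")

def parse_ts(text, year=2007):
    # Syslog timestamps carry no year, so one is supplied (assumed 2007 here).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def sessions(log_text):
    """Pair each login with the next disconnect logged for the same user.
    Simplification: one open session per user at a time."""
    open_logins, out = {}, []
    for line in log_text.splitlines():
        if m := LOGIN.match(line):
            ts, user, method, rip = m.groups()
            open_logins[user] = (parse_ts(ts), method, rip)
        elif (m := LOGOUT.match(line)) and m.group(2) in open_logins:
            start, method, rip = open_logins.pop(m.group(2))
            secs = (parse_ts(m.group(1)) - start).total_seconds()
            out.append({"user": m.group(2), "rip": rip, "method": method,
                        "day": start.strftime("%b %d"), "seconds": secs})
    return out

def short_sessions(log_text, threshold=1):
    """Sessions that ended within `threshold` seconds of the login."""
    return [s for s in sessions(log_text) if s["seconds"] <= threshold]

def method_spellings(log_text):
    """Map each logged method spelling to the first day it appeared."""
    seen = {}
    for s in sessions(log_text):
        seen.setdefault(s["method"], s["day"])
    return seen

if __name__ == "__main__":
    for s in short_sessions(SAMPLE_LOG):
        print(s["day"], s["user"], s["rip"], s["method"], s["seconds"])
    print(method_spellings(SAMPLE_LOG))
```

Grouping the short sessions by `rip` separates connections made by the webmail host from those made by a desktop client, which is the distinction the message draws between squirrel mail and Thunderbird.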
