Hi, during the last days I've noticed a weird problem on my ISPConfig 3 box. I'm running Lenny with the latest ISPConfig 3. When I create a new mail account, for some reason it has root ownership... Here is the output of ls -la /var/vmail/domain.tld:

drwx------ 10 vmail vmail 4096 2010-08-17 01:16 marketing
drwx------ 9 root vmail 4096 2010-08-17 10:50 melek

The first one is an old email account and the second one is a newly created one... I've checked all the config files and everything looks OK... The annoying part is that when I create a new mailbox I have to chown it to vmail by hand... Any idea? Thanks!
Log into your admin panel, go to System -> Server Config -> (click on your server) -> tab "Mail", and check the field "Mailuser Name". It should read "vmail" (the same as "Mailuser Group").
Who's the owner of the dir /var/vmail?

mark@mail:~$ ls -al /var/vmail/
total 44
drwxr-xr-x 7 vmail vmail 4096 2010-06-17 09:02 .
drwxr-xr-x 16 root root 4096 2010-06-17 12:27 ..
www1:~# ls -al /var/vmail
total 52
drwxr-xr-x 8 vmail vmail 4096 2010-04-21 12:02 .
drwxr-xr-x 20 root root 4096 2010-08-03 17:13 ..
-rw-r--r-- 1 vmail vmail 220 2008-05-12 22:02 .bash_logout
-rw-r--r-- 1 vmail vmail 3116 2008-05-12 22:02 .bashrc
drwx------ 46 vmail vmail 4096 2010-08-17 20:22 d1.tld
drwx------ 4 vmail vmail 4096 2010-06-26 16:58 d2.tld
drwx------ 11 vmail vmail 4096 2010-08-17 10:44 d3.tld
-rw------- 1 vmail vmail 1382 2010-08-17 10:17 .mailfilter
-rw-r--r-- 1 vmail vmail 1382 2010-08-17 10:17 .mailfilter~
drwxr-xr-x 7 vmail vmail 4096 2010-04-22 13:13 mailfilters
drwx------ 3 vmail vmail 4096 2009-11-29 03:31 d4.tld
drwx------ 2 vmail vmail 4096 2010-02-22 14:18 d5.tld
-rw-r--r-- 1 vmail vmail 675 2008-05-12 22:02 .profile
Hmm, strange... I think Falko or Till should have a look. I've looked into the ISPConfig code and found the code where the folders get chown-ed, and it clearly says "chown vmail ...", so I'm out of ideas, sorry.
Yes, this is very strange. My server was hacked a few days ago and since then I've had this problem. I can say that the attacker did a state-of-the-art hack there: he exploited a new phpMyAdmin bug through setup.php (I advise all users to rename or delete that file). After that he installed a non-commercial version of OpenSSH which leaves the root password unchanged and sets up a backup password used for remote root login; unfortunately for him, my sharp eyes noticed that the private key was changed. Well, after that the problems came up... When I create a new mailbox it gets owned by root, and I get the "connection dropped by IMAP server" error when I'm trying to log in via sqmail, and I have to change the mailbox permissions by hand... Of course I did a little sh script which does this every 10 mins, but this is a temporary solution... Any ideas are welcome!
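Added example (not code from the thread or from ISPConfig): a reporting-only version of the ownership check the poster scripted. It lists entries under the vmail tree that are not owned by the mail user/group rather than chown-ing them blindly, so a recurring ownership change like the one described above gets noticed instead of masked. The root path, user and group names are parameters; the defaults assume the /var/vmail and vmail/vmail layout shown in the thread.

```shell
#!/bin/sh
# Audit a virtual-mail tree for mailboxes not owned by the mail user/group.
# Reports offenders instead of fixing them: a cron job that silently chowns
# every 10 minutes hides the symptom; this one surfaces it.

# audit_vmail_ownership [ROOT] [USER] [GROUP]
#   Prints every path under ROOT (default /var/vmail) whose owner is not USER
#   or whose group is not GROUP (both default to vmail), one path per line.
#   Exit status: 0 = everything correctly owned, 1 = offenders were listed,
#   2 = USER does not exist or find failed (e.g. permission denied).
audit_vmail_ownership() {
    root="${1:-/var/vmail}"
    user="${2:-vmail}"
    group="${3:-vmail}"

    # An unknown user makes find error out; without this check its empty
    # output would look like a clean result.
    if ! id "$user" >/dev/null 2>&1; then
        printf 'audit: user %s does not exist\n' "$user" >&2
        return 2
    fi

    # Any entry failing either the owner or the group test is an offender.
    offenders=$(find "$root" \( ! -user "$user" -o ! -group "$group" \) -print) || return 2

    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# If the tool doing the chown is itself suspect (as suggested later in the
# thread), verify the coreutils package against its shipped checksums with
# the distribution's package tools before trusting this audit's result.
```

Run it from cron and mail the output to root only when the exit status is 1; an exit status of 2 means the audit itself could not complete and should be investigated rather than ignored.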
Oh, did that already... It took 10 mins to get rid of the attacker :) The system is secured; the only problem I have right now is the one with permissions.
Did you run chkrootkit or rkhunter? Maybe the hacker changed some binaries, e.g. the chown tool. That would explain why the owners are wrong.
Problem solved:

www1:~# postfix check
www1:~# postfix flush

Those commands will set the right file/folder permissions. Everything is back to normal now.