[Dovecot] rkhunter alert dovecot using port 1984 - dovecot - dovecot.org

newer
[Dovecot] warnings from 2.0.11

[Dovecot] rkhunter alert dovecot using port 1984

older
[Dovecot] Dict spams in my Log-File

Mark Adams

8 Mar 2011 8 Mar '11

12:43 p.m.

Hi all,

Debian Lenny, dovecot 1.0.15

My rkhunter script has picked up dovecot using port 1984 temporarily. When I run it now however, it is gone.

Warning: Network TCP port 1984 is being used by /usr/lib/dovecot/imap. Possible rootkit: Fuckit Rootkit Use the 'lsof -i' or 'netstat -an' command to check this.

Does dovecot use this port for any reason? anyone seen this before?

Regards, Mark

Reply

Sign in to reply online Use email software

Show replies by date

Timo Sirainen

9 Mar 9 Mar

8:23 p.m.

On 8.3.2011, at 12.43, Mark Adams wrote:

No & no.

Reply

Sign in to reply online Use email software

Mark Adams

16 Mar 16 Mar

11:54 a.m.

Hi Timo,

I've had another one this morning (on port 2006), and can see its still open

mailhub:~# netstat -tulnap | grep 2006 tcp 0 0 10.0.0.24:143 10.0.3.96:2006 ESTABLISHED 19372/imap

This all looks ok - The client should be communcating over a higher port right?

On Wed, Mar 09, 2011 at 08:23:40PM +0200, Timo Sirainen wrote:

Reply

Sign in to reply online Use email software

Timo Sirainen

6:23 p.m.

On Wed, 2011-03-16 at 09:54 +0000, Mark Adams wrote:

Yeah. Client is connected to IMAP port.

Reply

Sign in to reply online Use email software

Peter Evans

7:06 p.m.

perfectly normal, if your rkhunter is freaking out because its seeing remote ports that it doesn't like, it needs to take some valium. Anything over 1024 is fair game for unprivileged stuff like mail clients.

P
on 10.0.0.6 ^^;

Reply

Sign in to reply online Use email software

5264

Age (days ago)

5272

Last active (days ago)

4 comments

3 participants

tags

participants (3)

Mark Adams
Peter Evans
Timo Sirainen