Dovecot and iroffer ???

nhouse

Hello People!

I have been fighting a security breach for a while now and have learned a lot about how to track down the places where script kiddies deposit stuff. It appears most of the stuff involves IRC junk. Anyway, apart from my frustration, I have learned a lot but I came across something that was really surprising this morning. I searched for possible cron jobs and this came up:
/usr/local/directadmin/customapache/dovecot-1.0.0/doc/wiki/__/.../.../.../iroffer.cron

Also, these paths are in play:
/usr/local/directadmin/customapache/dovecot-1.0.0/doc/wiki/__/.../.../.../obj/iroffer_dccchat.o
/usr/local/directadmin/customapache/dovecot-1.0.0/doc/wiki/__/.../.../.../src/iroffer_headers.h


So, I guess the question is this... is there any reason at all that this would be a part of the dovecot installation? I think not... but I wanted to verify with some of you gurus out there. I find it odd that there would be a wiki directory anyway within this area... but the other deeply embedded directories look suspicious. Also, how could they have gotten into the customapache directory under directadmin?

Please advise... I appreciate it a lot!!!
 
The simple answer is NO

If you see .../.../ or any directory starting with a "." it is likely not part of a normal program.

This can be found at iroffer.org
What is iroffer?
iroffer is a software program that acts as a fileserver for IRC. It is similar to a FTP server or WEB server, but users can download files using the DCC protocol of IRC instead of a web browser.

Unlike similar programs, iroffer is not a script, it is a standalone executable written entirely in C from scratch with high transfer speed and efficiency in mind. iroffer has been found to transfer over 50MByte/sec over a gigabit ethernet connection.

Regards,
 
Hey, thanks... I did a bit of research on what iroffer is but I just want to make sure that it is NOT supposed to be there... or to be more specific that somehow the author didn't include it in the installation package. I know that sometimes extra stuff like documentation and modules are included... although I certainly don't know why an IRC server would be used in conjunction with dovecot.
 
Just as an addition, the custombuild and customapache directories are for compiling and installing only. Nothing is to be run from there during server operation (except updates, etc).

So, in theory if you're short on space you can remove all contents of the custombuild and customapache directory if you want to. Then just download a new build file when you want to update again.

John
 
John... thanks a bunch for the tip. That answers my question about what to do about this particular item.

Does anyone else know if this "iroffer" stuff actually has any relationship to dovecot?
 
I've never even heard of iroffer and have worked with dovecot quite a bit.
Also, the /.../.../ parts in the path are not normal at all.

The ./ directory is your current directory,
The ../ directory is up one level.
The .../ (the ones you have) would be a directory name, meaning they're designed to fool you... they're trying to be hidden.

So basically, whatever put it there was trying to hide it in a pile of source code that happened to be on your system. It's not supposed to be there. I can't say *how* it got there though.

John
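
The check described in the post above, as an added example that is not part of the thread: a POSIX shell scan for directories whose names consist only of dots or blanks, such as the `...` components in the reported path. It goes slightly beyond the thread by also catching look-alikes padded with spaces (for example `.. `); the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: find directory names built to pass for "." or ".." in a listing.

# True when a name is only dots and/or blanks but is not the real "." or "..".
is_disguised_name() {
    name=$1
    [ -n "$name" ] || return 1
    stripped=$(printf '%s' "$name" | tr -d ' \t')
    case "$stripped" in
        *[!.]*) return 1 ;;   # contains an ordinary character
    esac
    [ "$name" != "." ] && [ "$name" != ".." ]
}

# Print every directory below $1 whose own name is disguised.
# Assumes no newlines in path names.
find_disguised_dirs() {
    find "$1" -type d 2>/dev/null | while IFS= read -r dir; do
        if is_disguised_name "${dir##*/}"; then
            printf '%s\n' "$dir"
        fi
    done
}

# Print every regular file stored anywhere beneath a disguised directory.
list_hidden_files() {
    find_disguised_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -type f 2>/dev/null
    done | sort -u
}

# Constructed sample tree (not real data); layout mirrors the paths in the thread.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    base="$t/dovecot-1.0.0"
    mkdir -p "$base/doc/wiki/__/.../.../.../src" "$base/src/.deps" "$base/doc/.. "
    : > "$base/doc/wiki/__/.../.../.../iroffer.cron"
    : > "$base/doc/wiki/__/.../.../.../src/iroffer_headers.h"
    : > "$base/doc/.. /notes.txt"
    : > "$base/src/.deps/main.Po"      # ordinary hidden build directory
    : > "$base/doc/index.txt"          # ordinary file
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
find_disguised_dirs "$sample"
list_hidden_files "$sample"
rm -rf "$sample"
```

Ordinary hidden directories such as `.deps` are not reported, so the output stays short enough to review by hand on a build tree.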
 