cppop exploit + attack

Discussion in 'General Discussion' started by rpmws, Jun 27, 2007.

  1. rpmws

    rpmws Well-Known Member

    what are you doing running cppop?
     
  2. EchoHost

    EchoHost Well-Known Member

    Today my server started going extremely slowly and when I went to check it out it turned out that there were a ton of instances of cppop all from a single IP flood. 1000+ instances. In the tweak settings I have time per hour set to 60 and prevent pop3 flood enabled yet I had 1000+ instances of cppop started. It's only when I banned the IP that the server returned back to normal.

    Furthermore it seemed like these cppop were hanging around still processing so when I pulled up maillog I found entries such as this.
    How do you prevent something like this?
     
  3. EchoHost

    EchoHost Well-Known Member

    What am I supposed to be running?
     
  4. mtindor

    mtindor Well-Known Member

    If your machine's running cPanel, then you really want to consider upgrading to Courier. Although you really want to search the cPanel forums and read everything you can about Courier / maildir / upgrading / etc. before attempting it.

    The link below is a good starting point...

    http://forums.cpanel.net/showthread.php?t=44941&highlight=courier+upgrade

    Mike
     
  5. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Unfortunately there are still many individuals running their servers on the outdated mbox format :/
     
  6. rpmws

    rpmws Well-Known Member

    I am starting to see that more and more, especially during the cp11 upgrades. I am just glad I did the conversion back in 2004-2005 whenever it was!! ha

    as for protection for brute force attacks and many other protections check out Chirpy's CSF/LFD
     
  7. EchoHost

    EchoHost Well-Known Member

    I'm surprised it doesn't come standard with courier then. This server is about a year and a half old and I had configservers set it up once I got it but I'm a bit disappointed that we never find out from cpanel that using cppop is dangerous.
     
  8. rpmws

    rpmws Well-Known Member

    it's all over the forums. just search for maildir or mbox or convert2maildir
     
  9. chirpy

    chirpy Well-Known Member

    Courier-imap is installed by default now and if you're running cPanel v11 then the daily upcp email includes a warning if you still run the deprecated cppop advising to migrate to the new configuration.

    Word is that cPanel v12 will drop support for cppop and force an update to courier-imap - I hope it does.
     
  10. mambovince

    mambovince Well-Known Member

    How can I make sure we are not running cppop?
    I did upgrade to maildir, so would that also mean not running cppop now?

    Sorry for lame question. :confused:

    - Vince
     
  11. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Correct, cppop is not used on systems running maildir.
     
  12. mambovince

    mambovince Well-Known Member

    Thanks very much David.

    Someday you guys will have the spammers licked - I hope. :)

    - Vince
     
  13. brianoz

    brianoz Well-Known Member

    I don't think we wanna go licking them, God knows where those guys have been. ;)
     
  14. mtindor

    mtindor Well-Known Member

    I'd lick em, or do just about anything else to them, in exchange for a percentage of the money that those guys make. At least I'd do that with the top 10 ROKSO spammers :)

    M
     
  15. bmcpanel

    bmcpanel Well-Known Member

    I agree. CSF/LFD has been an invaluable tool for my Linux servers. It works very well.
     
  16. claudio

    claudio Well-Known Member

    i was just wondering that having an old server, a populated one, with some serious companies using neomail and old cppop format (as the name says cp-pop or cpanel pop i mean) is not a real sin

    i do have one cpanel11 still with cppop because i cannot simply impose horde or squirrel over neomail or other imap based webmails over pop3 ones

    so my server is suffering this POP3 FLOOD ATTACKS

    Mar 18 20:56:08 main cpanelpop[8973]: Connection from host=141.157.27.182 to ip=x.x.x.1
    Mar 18 20:56:09 main cpanelpop[8993]: Connection from host=141.157.27.182 to ip=x.x.x.2
    Mar 18 20:56:10 main cpanelpop[8980]: Connection from host=141.157.27.182 to ip=x.x.x.3

    as i could also realise inside of Tweak Settings there is no more the pop3 limit per hour that users could check their mailboxes, how can i manually configure this?

    in fact this guy cannot connect because he is trying to guess the user and password and he is not getting this

    is there any place to avoid this i mean manually configure cppop ?
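
One way to spot the single-source POP3 floods described in this thread from the maillog, as an added example that is not part of any post: it parses `cpanelpop` "Connection from" lines in the format quoted above and flags sources that exceed a connection count inside a sliding window. The thresholds, the year argument and the sample lines (documentation address ranges) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line format as quoted in the thread:
#   Mar 18 20:56:08 main cpanelpop[8973]: Connection from host=<src> to ip=<dst>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ cpanelpop\[\d+\]: "
    r"Connection from host=(?P<src>\S+) to ip=(?P<dst>\S+)"
)

def parse(line, year):
    """Return (timestamp, source, destination), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"]

def find_floods(lines, year, window_s=60, max_conns=5):
    """Flag sources with more than max_conns connections in any window_s span.

    Assumes lines are in chronological order, as in a log file.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    report = {}                   # src -> peak count and destination IPs seen
    window = timedelta(seconds=window_s)
    for line in lines:
        rec = parse(line, year)
        if rec is None:
            continue
        ts, src, dst = rec
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        entry = report.setdefault(src, {"peak": 0, "targets": set()})
        entry["peak"] = max(entry["peak"], len(q))
        entry["targets"].add(dst)
    return {s: e for s, e in report.items() if e["peak"] > max_conns}

# Constructed sample: one source opening 8 connections in 8 seconds across
# three local IPs, one ordinary client polling twice, one unrelated line.
SAMPLE = [
    f"Mar 18 20:56:{s:02d} main cpanelpop[{8970 + s}]: "
    f"Connection from host=203.0.113.50 to ip=192.0.2.{1 + s % 3}"
    for s in range(8)
] + [
    "Mar 18 20:50:00 main cpanelpop[8001]: Connection from host=198.51.100.7 to ip=192.0.2.1",
    "Mar 18 20:56:03 main exim[9000]: unrelated line that must be skipped",
    "Mar 18 21:00:00 main cpanelpop[8002]: Connection from host=198.51.100.7 to ip=192.0.2.1",
]
```

`find_floods(SAMPLE, 2008)` returns only the flooding source, with its peak in-window count and the set of local IPs it touched.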
     
  17. rpmws

    rpmws Well-Known Member

    chirpy's CSF/LFD takes care of all of that :) LOL
     
