problem with cppop

I am seeing the same thing as of updating cPanel a couple days ago. The time of day isn't the same, but it's been consistent the last couple days with the same symtoms described here.

WHM 10.8.0 cPanel 10.9.0-R118
CentOS 4.4 i686 - WHM X v3.1.0

If there is any info I can get from the server to help troubleshooting, please let me know.


thanks
James

 

Since cppop is now deprecated it would seem prudent to convert to maildir and use courier-imap instead.

The older mbox format, and cppop itself, are a less reliable mechanism, especially with clients leaving emails on the server instead of retrieving and deleting them as they should.

 

Port 110 is being flooded on all of my servers (30). I have servers in three different datacenters and they are all affected. Here is an example:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
pop3login 77 root 0u IPv4 44208389 TCP server.domain.com:pop3->72-4-175-183.ptr.primarydns.com:3161 (ESTABLISHED)
pop3login 77 root 1u IPv4 44208389 TCP server.domain.com:pop3->72-4-175-183.ptr.primarydns.com:3161 (ESTABLISHED)
pop3login 612 root 0u IPv4 44235484 TCP server.domain.com:pop3->72-4-175-208.ptr.primarydns.com:3314 (ESTABLISHED)
pop3login 612 root 1u IPv4 44235484 TCP server.domain.com:pop3->72-4-175-208.ptr.primarydns.com:3314 (ESTABLISHED)
pop3login 1571 root 0u IPv4 44170925 TCP server.domain.com:pop3->72.52.158.189:2450 (ESTABLISHED)
pop3login 1571 root 1u IPv4 44170925 TCP server.domain.com:pop3->72.52.158.189:2450 (ESTABLISHED)
pop3login 2613 root 0u IPv4 44208381 TCP server.domain.com:pop3->72-4-175-208.ptr.primarydns.com:3265 (ESTABLISHED)
pop3login 2613 root 1u IPv4 44208381 TCP server.domain.com:pop3->72-4-175-208.ptr.primarydns.com:3265 (ESTABLISHED)
pop3login 2979 root 0u IPv4 44180563 TCP server.domain.com:pop3->72.32.99.10:3399 (ESTABLISHED)
pop3login 2979 root 1u IPv4 44180563 TCP server.domain.com:pop3->72.32.99.10:3399 (ESTABLISHED)
pop3login 3368 root 0u IPv4 44227365 TCP server.domain.com:pop3->72-4-175-187.ptr.primarydns.com:2336 (ESTABLISHED)
pop3login 3368 root 1u IPv4 44227365 TCP server.domain.com:pop3->72-4-175-187.ptr.primarydns.com:2336 (ESTABLISHED)
pop3login 3757 root 0u IPv4 44227203 TCP server.domain.com:pop3->ip-72-55-133-48.static.privatedns.com:1266 (ESTABLISHED)
pop3login 3757 root 1u IPv4 44227203 TCP server.domain.com:pop3->ip-72-55-133-48.static.privatedns.com:1266 (ESTABLISHED)
pop3login 4089 root 0u IPv4 44186317 TCP server.domain.com:pop3->72-4-175-226.ptr.primarydns.com:2586 (ESTABLISHED)
pop3login 4089 root 1u IPv4 44186317 TCP server.domain.com:pop3->72-4-175-226.ptr.primarydns.com:2586 (ESTABLISHED)
pop3login 5467 root 0u IPv4 44166326 TCP server.domain.com:pop3->72-4-175-226.ptr.primarydns.com:2161 (ESTABLISHED)
pop3login 5467 root 1u IPv4 44166326 TCP server.domain.com:pop3->72-4-175-226.ptr.primarydns.com:2161 (ESTABLISHED)
pop3login 6002 root 0u IPv4 44132262 TCP server.domain.com:pop3->netblock-72-25-64-35.dslextreme.com:3912 (ESTABLISHED)
pop3login 6002 root 1u IPv4 44132262 TCP server.domain.com:pop3->netblock-72-25-64-35.dslextreme.com:3912 (ESTABLISHED)
pop3login 6146 root 0u IPv4 44208512 TCP server.domain.com:pop3->72-4-175-203.ptr.primarydns.com:1783 (ESTABLISHED)
pop3login 6146 root 1u IPv4 44208512 TCP server.domain.com:pop3->72-4-175-203.ptr.primarydns.com:1783 (ESTABLISHED)
pop3login 7006 root 0u IPv4 44215654 TCP server.domain.com:pop3->vision.edu:2359 (ESTABLISHED)
pop3login 7006 root 1u IPv4 44215654 TCP server.domain.com:pop3->vision.edu:2359 (ESTABLISHED)
pop3login 7626 root 0u IPv4 44136701 TCP server.domain.com:pop3->72-4-175-168.ptr.primarydns.com:3425 (ESTABLISHED)
pop3login 7626 root 1u IPv4 44136701 TCP server.domain.com:pop3->72-4-175-168.ptr.primarydns.com:3425 (ESTABLISHED)
pop3login 8139 root 0u IPv4 44137278 TCP server.domain.com:pop3->znetshows.com:3311 (ESTABLISHED)
pop3login 8139 root 1u IPv4 44137278 TCP server.domain.com:pop3->znetshows.com:3311 (ESTABLISHED)
pop3login 9075 root 0u IPv4 44165411 TCP server.domain.com:pop3->72-4-175-118.ptr.primarydns.com:4702 (ESTABLISHED)
pop3login 9075 root 1u IPv4 44165411 TCP server.domain.com:pop3->72-4-175-118.ptr.primarydns.com:4702 (ESTABLISHED)
pop3login 11647 root 0u IPv4 44151782 TCP server.domain.com:pop3->72-4-175-183.ptr.primarydns.com:1909 (ESTABLISHED)
pop3login 11647 root 1u IPv4 44151782 TCP server.domain.com:pop3->72-4-175-183.ptr.primarydns.com:1909 (ESTABLISHED)
pop3login 12085 root 0u IPv4 44189666 TCP server.domain.com:pop3->host.boydaworld.com:1399 (ESTABLISHED)
pop3login 12085 root 1u IPv4 44189666 TCP server.domain.com:pop3->host.boydaworld.com:1399 (ESTABLISHED)
pop3login 13115 root 0u IPv4 44247961 TCP server.domain.com:pop3->ds1.webserve.ca:2136 (ESTABLISHED)
pop3login 13115 root 1u IPv4 44247961 TCP server.domain.com:pop3->ds1.webserve.ca:2136 (ESTABLISHED)
pop3login 14067 root 0u IPv4 44264936 TCP server.domain.com:pop3->72-4-175-40.ptr.primarydns.com:4866 (ESTABLISHED)
pop3login 14067 root 1u IPv4 44264936 TCP server.domain.com:pop3->72-4-175-40.ptr.primarydns.com:4866 (ESTABLISHED)
pop3login 14479 root 0u IPv4 44133541 TCP server.domain.com:pop3->vision.edu:4705 (ESTABLISHED)
pop3login 14479 root 1u IPv4 44133541 TCP server.domain.com:pop3->vision.edu:4705 (ESTABLISHED)
couriertc 14480 root 3u IPv4 44121024 TCP *:pop3 (LISTEN)
pop3login 15492 root 0u IPv4 44203564 TCP server.domain.com:pop3->72.15.144.209:3273 (ESTABLISHED)
pop3login 15492 root 1u IPv4 44203564 TCP server.domain.com:pop3->72.15.144.209:3273 (ESTABLISHED)
pop3login 15840 root 0u IPv4 44177837 TCP server.domain.com:pop3->210.95.232.72.reverse.layeredtech.com:2569 (ESTABLISHED)
pop3login 15840 root 1u IPv4 44177837 TCP server.domain.com:pop3->210.95.232.72.reverse.layeredtech.com:2569 (ESTABLISHED)
pop3login 16545 root 0u IPv4 44152915 TCP server.domain.com:pop3->72.18.137.162:2156 (ESTABLISHED)
pop3login 16545 root 1u IPv4 44152915 TCP server.domain.com:pop3->72.18.137.162:2156 (ESTABLISHED)
pop3login 16854 root 0u IPv4 44148778 TCP server.domain.com:pop3->vision.edu:3398 (ESTABLISHED)
pop3login 16854 root 1u IPv4 44148778 TCP server.domain.com:pop3->vision.edu:3398 (ESTABLISHED)
pop3login 17015 root 0u IPv4 44281850 TCP server.domain.com:pop3->72-4-175-118.ptr.primarydns.com:2989 (ESTABLISHED)
pop3login 17015 root 1u IPv4 44281850 TCP server.domain.com:pop3->72-4-175-118.ptr.primarydns.com:2989 (ESTABLISHED)
pop3login 17041 root 0u IPv4 44255936 TCP server.domain.com:pop3->72.15.144.206:2134 (ESTABLISHED)
pop3login 17041 root 1u IPv4 44255936 TCP server.domain.com:pop3->72.15.144.206:2134 (ESTABLISHED)
pop3login 19767 root 0u IPv4 44189378 TCP server.domain.com:pop3->72.52.158.189:2656 (ESTABLISHED)
pop3login 19767 root 1u IPv4 44189378 TCP server.domain.com:pop3->72.52.158.189:2656 (ESTABLISHED)
pop3login 20659 root 0u IPv4 44210464 TCP server.domain.com:pop3->72-4-175-196.ptr.primarydns.com:1042 (ESTABLISHED)
pop3login 20659 root 1u IPv4 44210464 TCP server.domain.com:pop3->72-4-175-196.ptr.primarydns.com:1042 (ESTABLISHED)
pop3login 23318 root 0u IPv4 44246991 TCP server.domain.com:pop3->72-4-175-40.ptr.primarydns.com:1393 (ESTABLISHED)
pop3login 23318 root 1u IPv4 44246991 TCP server.domain.com:pop3->72-4-175-40.ptr.primarydns.com:1393 (ESTABLISHED)
pop3login 23573 root 0u IPv4 44205121 TCP server.domain.com:pop3->72-4-175-185.ptr.primarydns.com:3874 (ESTABLISHED)
pop3login 23573 root 1u IPv4 44205121 TCP server.domain.com:pop3->72-4-175-185.ptr.primarydns.com:3874 (ESTABLISHED)
pop3login 23636 root 0u IPv4 44246928 TCP server.domain.com:pop3->host.tavalendo.com.br:2187 (ESTABLISHED)
pop3login 23636 root 1u IPv4 44246928 TCP server.domain.com:pop3->host.tavalendo.com.br:2187 (ESTABLISHED)
pop3login 25744 root 0u IPv4 44170040 TCP server.domain.com:pop3->72-4-175-253.ptr.primarydns.com:2731 (ESTABLISHED)
pop3login 25744 root 1u IPv4 44170040 TCP server.domain.com:pop3->72-4-175-253.ptr.primarydns.com:2731 (ESTABLISHED)
pop3login 27313 root 0u IPv4 44238255 TCP server.domain.com:pop3->72-4-175-159.ptr.primarydns.com:4558 (ESTABLISHED)
pop3login 27313 root 1u IPv4 44238255 TCP server.domain.com:pop3->72-4-175-159.ptr.primarydns.com:4558 (ESTABLISHED)
pop3login 28074 root 0u IPv4 44203576 TCP server.domain.com:pop3->72-4-175-203.ptr.primarydns.com:4832 (ESTABLISHED)
pop3login 28074 root 1u IPv4 44203576 TCP server.domain.com:pop3->72-4-175-203.ptr.primarydns.com:4832 (ESTABLISHED)
pop3login 28337 root 0u IPv4 44203779 TCP server.domain.com:pop3->ds1.webserve.ca:2427 (ESTABLISHED)
pop3login 28337 root 1u IPv4 44203779 TCP server.domain.com:pop3->ds1.webserve.ca:2427 (ESTABLISHED)
pop3login 28418 root 0u IPv4 44281556 TCP server.domain.com:pop3->host.mitechnews.com:4188 (ESTABLISHED)
pop3login 28418 root 1u IPv4 44281556 TCP server.domain.com:pop3->host.mitechnews.com:4188 (ESTABLISHED)
pop3login 29538 root 0u IPv4 44172580 TCP server.domain.com:pop3->netblock-72-25-64-35.dslextreme.com:3820 (ESTABLISHED)
pop3login 29538 root 1u IPv4 44172580 TCP server.domain.com:pop3->netblock-72-25-64-35.dslextreme.com:3820 (ESTABLISHED)
pop3login 30347 root 0u IPv4 44242679 TCP server.domain.com:pop3->72-4-175-153.ptr.primarydns.com:2086 (ESTABLISHED)
pop3login 30347 root 1u IPv4 44242679 TCP server.domain.com:pop3->72-4-175-153.ptr.primarydns.com:2086 (ESTABLISHED)
pop3login 30728 root 0u IPv4 44282138 TCP

 

I also see this in the maillog:

maillog.1:Feb 12 12:05:36 server pop3d: LOGIN FAILED, method=CRAM-MD5, ip=[::ffff:67.180.40.221]

Increasing the max number of pop3 daemons seems to help.

 

Just noticed this myself. All the rogue connections - if you telnet back to them on port 25/110, they all appear to be VPS servers - at least most are VPS servers running Mailenable.

There would be no reason on earth for those servers to be connecting to any of our machines on TCP 110 under normal circumstances.

I'm seeing multiple class Cs within many hosting providers that are hitting our TCP 110 from most if not all of their IPs on each of the class Cs. _every_ time I've telnetted port 25 of one of the machines it was a VPS with mailenable. Now whether it has anything to do with some problem they are having with Mailenable or whether it is totally unrelated to Mailenable and instead related to some problem with exploitation of the VPS, I don't know.

Mike

 

Also,

I'm wondering if the IP address of your server that you are monitoring this traffic from starts with 72.x.x.x?

I ask because EVERY rogue 110 connection that I'm seeing (and there are lots - about 50 unique hosts at present - many in the same class Cs or provider netblocks) are coming from 209.x.x.x - and the server I'm monitoring from has an IP address starting with 209.x.x.x

So looks like whatever it is, the remote system targets other hosts in the same class A that it is in. Of course I'm only basing this on what I've seen myself and what you posted.

mike

 

The IP addresses of the servers vary. The attacks had been random but last night at about 12:30 a.m. every server in three different datacenters were attacked at exactly the same time by the same IP addresses.

 

We are seeing this problem as of last night as well. Servers at Colo4Dallas, The Planet and FrotressITX are all being hit. All of these servers are running 'maildir'.

 

We have 3 cpanel servers that are also being attacked - 'flooded' with pop3 connections reaching the max of 40 very often... but it's targeting our cpanel servers, our non-cpanel servers aren't effected. odd? all ips from different ranges

 

Just did a quick check using 'netstat -an|grep 110|grep ESTAB'

64.217.100.146
66.51.103.167
66.98.184.9
66.199.231.218
66.221.87.131
66.235.194.175
69.25.11.35
69.46.31.162
69.64.36.85
69.50.208.211
72.29.12.75
72.130.75.151
85.25.9.28
210.245.164.92
216.139.232.43

I believe at least 12 of those are running Mailenable. Obviously some IPs accessing POP3 are legitimate users. So it looks like all non-legit traffic seems to be from Mailenable servers - or servers that are VPSs. I'm not sure which is the problem - if its a mailenable exploit or a VPS exploit of some VPS that just happens to use Mailenable by default.

Mike

 

Yup same here...

root@alexis [/var/log]# netstat -apn | grep 110 -c
40

(40 is the max connections)

just chose a random IP:

root@XXXX [/var/log]# telnet 66.235.194.175 110
Trying 66.235.194.175...
Connected to 66.235.194.175.
Escape character is '^]'.
+OK Welcome to MailEnable POP3 Server


Is there a way to change the pop3 timeout settings?

 

No idea - I imagine there is. But I'm going to just increase the number of allowed POP3 connections per Chirpy's insructions at http://forums.cpanel.net/showthread.php?p=296686#post296686

Mike

 

I'm experiencing POP having to restart several times per day all of the sudden as well (sometimes 20 times an hour). Never happened before.

When I manually try to restart it I get the following error


---
Attempting to restart cppop
Waiting for cppop to restart.... . . . . . . . . . . finished.

cppop statuscouriertcpd is disabled


Service: [cppop] has been disabled by the sys admin
---

-vissa

 

Could the MailEnable ones be related to this new Virus?

 

Yep I imagine they sure could. Interesting. Thanks for posting

Mike

 

Here's my synopsis from 2:30AM on the 24th:

Oddly enough this is one case where using cppop would be somewhat beneficial, as it disconnects you after 5 minutes if simply establish a connection but don't try to log in, which is what's occurring with these MailEnable servers. courier on the other hand doesn't appear to have such a timeout at all. Thus, for each connection on port 110 that the infected MailEnable servers make to your server, 1 less daemon is available from the MAXDAEMONS as set in /usr/lib/courier-imap/etc/pop3d.

RFC 1939 has this to say:

but what about connections where the remote host doesn't even attempt to auth? I'm no C guru, but looking at the source of courier-0.54.2, imap/pop3dserver.c specifically, it appears there is a 300 second inactivity autodisconnect routine:

Code:

   863          signal(SIGALRM, bye);
   864          [b]while (alarm(300), fgets(buf, sizeof(buf), stdin))[/b]
   865          {
[b][color=red][ checks for various valid pop3 commands here, which would assume auth previously took place ][/color][/b]
   972          }
   973          [b]acctout("INFO: DISCONNECTED");[/b]

Code:

   848  static RETSIGTYPE bye(int signum)
   849  {
   850          [b]acctout("INFO: TIMEOUT");[/b]
   851          exit(0);
   852  #if     RETSIGTYPE != void
   853          return (0);
   854  #endif
   855  }

That's basically my long way of saying that I don't think courier has a configurable inactivity timeout setting for connections where the source doesn't auth. Feel free to correct me on this


How can you tell if you're getting hit with this mess? If you see a bunch of root owned pop3login processes running for long periods of time, you're possibly getting hit from those MailEnable boxes.

Code:

USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root     23760  0.0  0.0  1476  376 ?        S    01:23   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     23943  0.0  0.0  1468  380 ?        S    01:24   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     24094  0.0  0.0  1464  380 ?        S    01:24   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     24610  0.0  0.0  1472  376 ?        S    01:26   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     24638  0.0  0.0  1484  376 ?        S    01:26   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     24873  0.0  0.0  1468  380 ?        S    01:27   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25271  0.0  0.0  1476  380 ?        S    01:29   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25611  0.0  0.0  1468  376 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25655  0.0  0.0  1488  376 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25749  0.0  0.0  1468  376 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25764  0.0  0.0  1480  380 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25943  0.0  0.0  1476  380 ?        S    01:31   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     26012  0.0  0.0  1476  380 ?        S    01:32   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     26263  0.0  0.0  1480  380 ?        S    01:32   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     27032  0.0  0.0  1472  380 ?        S    01:33   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     27289  0.0  0.0  1464  376 ?        S    01:33   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     27994  0.0  0.0  1468  380 ?        S    01:35   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     27998  0.0  0.0  1484  380 ?        S    01:35   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     28216  0.0  0.0  1476  376 ?        S    01:36   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     28252  0.0  0.0  1480  380 ?        S    01:36   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     28577  0.0  0.0  1476  380 ?        S    01:37   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     29080  0.0  0.0  1464  376 ?        S    01:39   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     29839  0.0  0.0  1476  380 ?        S    01:40   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     29997  0.0  0.0  1480  376 ?        S    01:41   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     30078  0.0  0.0  1464  380 ?        S    01:41   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     30110  0.0  0.0  1484  380 ?        S    01:42   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     30221  0.0  0.0  1476  380 ?        S    01:42   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     30438  0.0  0.0  1468  380 ?        S    01:43   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     31138  0.0  0.0  1460  376 ?        S    01:45   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     31301  0.0  0.0  1472  376 ?        S    01:45   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     31554  0.0  0.0  1472  380 ?        S    01:46   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     31624  0.0  0.0  1464  380 ?        S    01:46   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     32039  0.0  0.0  1476  380 ?        S    01:47   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     32048  0.0  0.0  1468  380 ?        S    01:47   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     32266  0.0  0.0  1476  380 ?        S    01:48   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       532  0.0  0.0  1468  380 ?        S    01:49   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       574  0.0  0.0  1480  380 ?        S    01:49   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       584  0.0  0.0  1468  372 ?        S    01:49   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       683  0.0  0.0  1476  380 ?        S    01:50   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       689  0.0  0.0  1476  376 ?        S    01:50   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir

After authentication is successful, the process will run as the user, and not root (thanks bvierra).

As far as what the servers are doing when they connect, the answer appears to be.. nothing. They are just connecting and doing nothing more. In fact, they're actually connecting twice:

The first connection is to port 110, and if successful, the remote host gracefully closes the connection after the handshake has been completed.

Then the second connection is made immediately after. Only this time, after the connection is established and the local server sends the "+OK Hello there", the infected servers basically do nothing.

Unless I'm missing something painfully obvious, I speculate this is just the effect of a poorly written worm that is waiting for a MailEnable banner that never come. But then why wouldn't it just check that on the first connection? Perhaps this virus/worm was just "practice" for someone. I'd love to know the purpose of connecting and doing absolutely nothing myself.

Hopefully this info is somehow able to help others experiencing the same problem.

 

We've been able to minimize the impact of this by upping the max daemons to 60 from 40 and limiting connections for each ip to 5. I guess there's no way around this except to wait for some sysadmins to fix their machines....

 

ip ban

HI,



'netstat -an|grep 110|grep ESTAB'

as per result of above command i ban one ip but still i see established connection from same ip... why so???

even i restart apf firewall but no use...