Here's my synopsis from 2:30AM on the 24th:
Oddly enough this is one case where using cppop would be somewhat beneficial, as it disconnects you after 5 minutes if you simply establish a connection but don't try to log in, which is what's occurring with these MailEnable servers. courier, on the other hand, doesn't appear to have such a timeout at all. Thus, for each connection on port 110 that the infected MailEnable servers make to your server, one less daemon is available from the MAXDAEMONS as set in /usr/lib/courier-imap/etc/pop3d.
RFC 1939 has this to say:
A POP3 server MAY have an inactivity autologout timer. Such a timer
MUST be of at least 10 minutes' duration.
but what about connections where the remote host doesn't even attempt to auth? I'm no C guru, but looking at the source of courier-0.54.2, imap/pop3dserver.c specifically, it appears there is a 300 second inactivity autodisconnect routine:
Code:
signal(SIGALRM, bye);
while (alarm(300), fgets(buf, sizeof(buf), stdin))
{
    /* checks for various valid pop3 commands here, which would assume auth previously took place */
}
acctout("INFO: DISCONNECTED");
Code:
static RETSIGTYPE bye(int signum)
{
    acctout("INFO: TIMEOUT");
    exit(0);
#if RETSIGTYPE != void
    return (0);
#endif
}
That's basically my long way of saying that I don't think courier has a configurable inactivity timeout setting for connections where the source doesn't auth. Feel free to correct me on this.
How can you tell if you're getting hit with this mess? If you see a bunch of root owned pop3login processes running for long periods of time, you're possibly getting hit from those MailEnable boxes.
Code:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 23760 0.0 0.0 1476 376 ? S 01:23 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 23943 0.0 0.0 1468 380 ? S 01:24 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 24094 0.0 0.0 1464 380 ? S 01:24 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 24610 0.0 0.0 1472 376 ? S 01:26 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 24638 0.0 0.0 1484 376 ? S 01:26 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 24873 0.0 0.0 1468 380 ? S 01:27 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 25271 0.0 0.0 1476 380 ? S 01:29 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 25611 0.0 0.0 1468 376 ? S 01:30 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 25655 0.0 0.0 1488 376 ? S 01:30 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 25749 0.0 0.0 1468 376 ? S 01:30 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 25764 0.0 0.0 1480 380 ? S 01:30 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 25943 0.0 0.0 1476 380 ? S 01:31 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 26012 0.0 0.0 1476 380 ? S 01:32 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 26263 0.0 0.0 1480 380 ? S 01:32 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 27032 0.0 0.0 1472 380 ? S 01:33 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 27289 0.0 0.0 1464 376 ? S 01:33 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 27994 0.0 0.0 1468 380 ? S 01:35 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 27998 0.0 0.0 1484 380 ? S 01:35 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 28216 0.0 0.0 1476 376 ? S 01:36 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 28252 0.0 0.0 1480 380 ? S 01:36 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 28577 0.0 0.0 1476 380 ? S 01:37 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 29080 0.0 0.0 1464 376 ? S 01:39 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 29839 0.0 0.0 1476 380 ? S 01:40 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 29997 0.0 0.0 1480 376 ? S 01:41 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 30078 0.0 0.0 1464 380 ? S 01:41 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 30110 0.0 0.0 1484 380 ? S 01:42 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 30221 0.0 0.0 1476 380 ? S 01:42 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 30438 0.0 0.0 1468 380 ? S 01:43 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 31138 0.0 0.0 1460 376 ? S 01:45 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 31301 0.0 0.0 1472 376 ? S 01:45 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 31554 0.0 0.0 1472 380 ? S 01:46 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 31624 0.0 0.0 1464 380 ? S 01:46 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 32039 0.0 0.0 1476 380 ? S 01:47 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 32048 0.0 0.0 1468 380 ? S 01:47 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 32266 0.0 0.0 1476 380 ? S 01:48 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 532 0.0 0.0 1468 380 ? S 01:49 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 574 0.0 0.0 1480 380 ? S 01:49 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 584 0.0 0.0 1468 372 ? S 01:49 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 683 0.0 0.0 1476 380 ? S 01:50 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 689 0.0 0.0 1476 376 ? S 01:50 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
After authentication is successful, the process will run as the user, and not root (thanks bvierra).
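As an added example (not part of the original post), here is a small POSIX shell check that counts the root-owned pop3login processes in ps output like the listing above and compares the count with MAXDAEMONS from the pop3d config, so you can see how close the server is to running out of daemons. The ps lines and config text in the script are constructed samples; the config path is the one named above.

```shell
#!/bin/sh
# Added example: count pre-auth (root-owned) pop3login processes and compare
# them against MAXDAEMONS. Pre-auth is what matters here, because after a
# successful login the process runs as the mailbox user, not root.

# count_root_pop3login PS_OUTPUT -> number of root-owned pop3login processes
count_root_pop3login() {
    printf '%s\n' "$1" |
        awk '$1 == "root" && $0 ~ /\/sbin\/pop3login( |$)/ { n++ } END { print n+0 }'
}

# max_daemons CONFIG_TEXT -> value of MAXDAEMONS (0 if the key is absent)
max_daemons() {
    printf '%s\n' "$1" |
        awk -F= '/^MAXDAEMONS=/ { v=$2 } END { gsub(/[^0-9]/, "", v); print v+0 }'
}

# percent_used COUNT MAX -> integer percentage of MAXDAEMONS in use
percent_used() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# Constructed sample in the same "ps aux" format as the listing above.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 23760 0.0 0.0 1476 376 ? S 01:23 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 23943 0.0 0.0 1468 380 ? S 01:24 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
alice 24001 0.0 0.0 1500 400 ? S 01:25 0:00 /usr/lib/courier-imap/bin/pop3d Maildir
root 24094 0.0 0.0 1464 380 ? S 01:24 0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 1234 0.0 0.0 2000 500 ? S 00:01 0:00 /usr/sbin/sshd'

# Constructed sample of /usr/lib/courier-imap/etc/pop3d (the MAXDAEMONS value is made up).
SAMPLE_CONF='##NAME: MAXDAEMONS:0
MAXDAEMONS=40
MAXPERIP=4'

if [ "${1:-}" = "--live" ]; then
    # Real run: this box's ps output and its actual pop3d config file.
    PS_OUT=$(ps aux)
    CONF=$(cat /usr/lib/courier-imap/etc/pop3d)
else
    PS_OUT=$SAMPLE_PS; CONF=$SAMPLE_CONF
fi
n=$(count_root_pop3login "$PS_OUT"); m=$(max_daemons "$CONF")
echo "root-owned pop3login: $n of MAXDAEMONS=$m ($(percent_used "$n" "$m")% in use)"
```

Run it with `--live` on the server to check real numbers; without arguments it evaluates the constructed sample.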
As far as what the servers are doing when they connect, the answer appears to be... nothing. They are just connecting and doing nothing more. In fact, they're actually connecting twice:
The first connection is to port 110, and if successful, the remote host gracefully closes the connection after the handshake has been completed.
Then the second connection is made immediately after. Only this time, after the connection is established and the local server sends the "+OK Hello there", the infected servers basically do nothing.
Unless I'm missing something painfully obvious, I speculate this is just the effect of a poorly written worm that is waiting for a MailEnable banner that never comes. But then why wouldn't it just check that on the first connection? Perhaps this virus/worm was just "practice" for someone. I'd love to know the purpose of connecting and doing absolutely nothing myself.
Hopefully this info is somehow able to help others experiencing the same problem.