The Community Forums


problem with cppop

Discussion in 'General Discussion' started by makersky, Feb 16, 2007.

  1. makersky

    makersky Member

    Joined:
    Nov 26, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    hi,

    I have a problem with cppop every morning. Between 7 and 9 AM it hangs. When I try to telnet to port 110 the connection is established but no server banner is sent and the connection is frozen. The cppop process is present, but it does not fork. After restarting cppop everything is OK until the next morning.

    WHM 10.8.0 cPanel 10.9.0-S119
    RedHat Enterprise 3 i686 - WHM X v3.1.0
    kernel 2.4.21-47.0.1.ELsmp
     
  2. slor

    slor Member

    Joined:
    Feb 17, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I am seeing the same thing as of updating cPanel a couple of days ago. The time of day isn't the same, but it's been consistent the last couple of days with the same symptoms described here.

    WHM 10.8.0 cPanel 10.9.0-R118
    CentOS 4.4 i686 - WHM X v3.1.0

    If there is any info I can get from the server to help troubleshooting, please let me know.


    thanks
    James
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Since cppop is now deprecated it would seem prudent to convert to maildir and use courier-imap instead.

    The older mbox format, and cppop itself, are a less reliable mechanism, especially with clients leaving emails on the server instead of retrieving and deleting them as they should.
     
  4. makersky

    makersky Member

    Joined:
    Nov 26, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Well that's not an answer to my question, but thank you. Something has been wrong since the last upgrade of cPanel/WHM. Everything was fine, my clients were not complaining until the software upgrade to the newer/better version.
     
  5. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Port 110 is being flooded on all of my servers (30). I have servers in three different datacenters and they are all affected. Here is an example:

     
  6. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    I also see this in the maillog:

    maillog.1:Feb 12 12:05:36 server pop3d: LOGIN FAILED, method=CRAM-MD5, ip=[::ffff:67.180.40.221]

    Increasing the max number of pop3 daemons seems to help.
     
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Just noticed this myself. All the rogue connections - if you telnet back to them on port 25/110, they all appear to be VPS servers - at least most are VPS servers running Mailenable.

    There would be no reason on earth for those servers to be connecting to any of our machines on TCP 110 under normal circumstances.

    I'm seeing multiple class Cs within many hosting providers that are hitting our TCP 110 from most if not all of their IPs on each of the class Cs. _every_ time I've telnetted to port 25 of one of the machines it was a VPS with MailEnable. Now whether it has anything to do with some problem they are having with MailEnable or whether it is totally unrelated to MailEnable and instead related to some problem with exploitation of the VPS, I don't know.

    Mike
     
  8. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Also,

    I'm wondering if the IP address of your server that you are monitoring this traffic from starts with 72.x.x.x?

    I ask because EVERY rogue 110 connection that I'm seeing (and there are lots - about 50 unique hosts at present - many in the same class Cs or provider netblocks) is coming from 209.x.x.x - and the server I'm monitoring from has an IP address starting with 209.x.x.x

    So it looks like whatever it is, the remote system targets other hosts in the same class A that it is in. Of course I'm only basing this on what I've seen myself and what you posted.

    mike
     
  9. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    The IP addresses of the servers vary. The attacks had been random, but last night at about 12:30 a.m. every server in three different datacenters was attacked at exactly the same time by the same IP addresses.
     
  10. rochen

    rochen Active Member
    PartnerNOC

    Joined:
    Mar 5, 2002
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    We are seeing this problem as of last night as well. Servers at Colo4Dallas, The Planet and FortressITX are all being hit. All of these servers are running 'maildir'.
     
    #10 rochen, Feb 24, 2007
    Last edited: Feb 24, 2007
  11. abrender

    abrender Active Member

    Joined:
    Dec 5, 2002
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    We have 3 cPanel servers that are also being attacked - 'flooded' with pop3 connections, reaching the max of 40 very often... but it's targeting our cPanel servers; our non-cPanel servers aren't affected. Odd? All IPs are from different ranges.
     
  12. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Just did a quick check using 'netstat -an|grep 110|grep ESTAB'


    I believe at least 12 of those are running MailEnable. Obviously some IPs accessing POP3 are legitimate users. So it looks like all the non-legit traffic is from MailEnable servers - or servers that are VPSs. I'm not sure which is the problem - if it's a MailEnable exploit or a VPS exploit of some VPS that just happens to use MailEnable by default.

    Mike
     
  13. abrender

    abrender Active Member

    Joined:
    Dec 5, 2002
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    Yup same here...

    root@alexis [/var/log]# netstat -apn | grep 110 -c
    40

    (40 is the max connections)

    just chose a random IP:

    root@XXXX [/var/log]# telnet 66.235.194.175 110
    Trying 66.235.194.175...
    Connected to 66.235.194.175.
    Escape character is '^]'.
    +OK Welcome to MailEnable POP3 Server


    Is there a way to change the pop3 timeout settings?
     
  14. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    No idea - I imagine there is. But I'm going to just increase the number of allowed POP3 connections per Chirpy's instructions at http://forums.cpanel.net/showthread.php?p=296686#post296686

    Mike
     
  15. vissa

    vissa Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    I'm experiencing POP having to restart several times per day all of the sudden as well (sometimes 20 times an hour). Never happened before.

    When I manually try to restart it I get the following error


    ---
    Attempting to restart cppop
    Waiting for cppop to restart.... . . . . . . . . . . finished.

    cppop status
    couriertcpd is disabled


    Service: [cppop] has been disabled by the sys admin
    ---

    -vissa
     
  16. deanstev

    deanstev Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    0
    Could the MailEnable ones be related to this new Virus?

     
  17. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Yep I imagine they sure could. Interesting. Thanks for posting :)

    Mike
     
  18. jpetersen

    jpetersen Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    18
    Here's my synopsis from 2:30AM on the 24th:

    Oddly enough this is one case where using cppop would be somewhat beneficial, as it disconnects you after 5 minutes if you simply establish a connection but don't try to log in, which is what's occurring with these MailEnable servers. courier, on the other hand, doesn't appear to have such a timeout at all. Thus, for each connection on port 110 that the infected MailEnable servers make to your server, one less daemon is available from the MAXDAEMONS as set in /usr/lib/courier-imap/etc/pop3d.

    RFC 1939 has this to say:

    but what about connections where the remote host doesn't even attempt to auth? I'm no C guru, but looking at the source of courier-0.54.2, imap/pop3dserver.c specifically, it appears there is a 300 second inactivity autodisconnect routine:

    Code:
            signal(SIGALRM, bye);
            while (alarm(300), fgets(buf, sizeof(buf), stdin))
            {
                    /* checks for various valid pop3 commands here, which would assume auth previously took place */
            }
            acctout("INFO: DISCONNECTED");
    
    Code:
    static RETSIGTYPE bye(int signum)
    {
            acctout("INFO: TIMEOUT");
            exit(0);
    #if     RETSIGTYPE != void
            return (0);
    #endif
    }
    
    That's basically my long way of saying that I don't think courier has a configurable inactivity timeout setting for connections where the source doesn't auth. Feel free to correct me on this :)


    How can you tell if you're getting hit with this mess? If you see a bunch of root owned pop3login processes running for long periods of time, you're possibly getting hit from those MailEnable boxes.

    Code:
    USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
    root     23760  0.0  0.0  1476  376 ?        S    01:23   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     23943  0.0  0.0  1468  380 ?        S    01:24   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     24094  0.0  0.0  1464  380 ?        S    01:24   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     24610  0.0  0.0  1472  376 ?        S    01:26   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     24638  0.0  0.0  1484  376 ?        S    01:26   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     24873  0.0  0.0  1468  380 ?        S    01:27   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     25271  0.0  0.0  1476  380 ?        S    01:29   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     25611  0.0  0.0  1468  376 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     25655  0.0  0.0  1488  376 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     25749  0.0  0.0  1468  376 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     25764  0.0  0.0  1480  380 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     25943  0.0  0.0  1476  380 ?        S    01:31   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     26012  0.0  0.0  1476  380 ?        S    01:32   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     26263  0.0  0.0  1480  380 ?        S    01:32   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     27032  0.0  0.0  1472  380 ?        S    01:33   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     27289  0.0  0.0  1464  376 ?        S    01:33   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     27994  0.0  0.0  1468  380 ?        S    01:35   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     27998  0.0  0.0  1484  380 ?        S    01:35   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     28216  0.0  0.0  1476  376 ?        S    01:36   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     28252  0.0  0.0  1480  380 ?        S    01:36   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     28577  0.0  0.0  1476  380 ?        S    01:37   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     29080  0.0  0.0  1464  376 ?        S    01:39   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     29839  0.0  0.0  1476  380 ?        S    01:40   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     29997  0.0  0.0  1480  376 ?        S    01:41   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     30078  0.0  0.0  1464  380 ?        S    01:41   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     30110  0.0  0.0  1484  380 ?        S    01:42   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     30221  0.0  0.0  1476  380 ?        S    01:42   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     30438  0.0  0.0  1468  380 ?        S    01:43   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     31138  0.0  0.0  1460  376 ?        S    01:45   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     31301  0.0  0.0  1472  376 ?        S    01:45   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     31554  0.0  0.0  1472  380 ?        S    01:46   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     31624  0.0  0.0  1464  380 ?        S    01:46   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     32039  0.0  0.0  1476  380 ?        S    01:47   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     32048  0.0  0.0  1468  380 ?        S    01:47   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root     32266  0.0  0.0  1476  380 ?        S    01:48   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root       532  0.0  0.0  1468  380 ?        S    01:49   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root       574  0.0  0.0  1480  380 ?        S    01:49   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root       584  0.0  0.0  1468  372 ?        S    01:49   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root       683  0.0  0.0  1476  380 ?        S    01:50   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    root       689  0.0  0.0  1476  376 ?        S    01:50   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
    
    After authentication is successful, the process will run as the user, and not root (thanks bvierra).

    As far as what the servers are doing when they connect, the answer appears to be.. nothing. They are just connecting and doing nothing more. In fact, they're actually connecting twice:

    The first connection is to port 110, and if successful, the remote host gracefully closes the connection after the handshake has been completed.

    Then the second connection is made immediately after. Only this time, after the connection is established and the local server sends the "+OK Hello there", the infected servers basically do nothing.

    Unless I'm missing something painfully obvious, I speculate this is just the effect of a poorly written worm that is waiting for a MailEnable banner that never comes. But then why wouldn't it just check that on the first connection? Perhaps this virus/worm was just "practice" for someone. I'd love to know the purpose of connecting and doing absolutely nothing myself.

    Hopefully this info is somehow able to help others experiencing the same problem.
     
  19. edwardycho

    edwardycho Registered

    Joined:
    Apr 4, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    We've been able to minimize the impact of this by upping the max daemons to 60 from 40 and limiting connections for each ip to 5. I guess there's no way around this except to wait for some sysadmins to fix their machines....
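    A defender-side check for the two signals jpetersen and edwardycho describe, added here as an example that is not part of the original thread: it reads ps and netstat output (constructed samples inline, using documentation IPs), flags root-owned pop3login children that have sat unauthenticated for over five minutes, and compares per-IP ESTABLISHED counts on port 110 against the courier pop3d MAXDAEMONS and MAXPERIP limits (the default values used here are assumptions).

```python
"""Flag an idle-connection flood against courier pop3d from ps/netstat output."""
# Constructed sample data (documentation IPs); assumed courier pop3d defaults
# MAXDAEMONS=40 and MAXPERIP=4.
import re
from collections import Counter
from datetime import datetime, timedelta

# `ps aux` columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)(?:\s+\S+){6}\s+(?P<start>\S+)\s+\S+\s+(?P<cmd>.*)$"
)
# `netstat -an` tcp rows: proto recv-q send-q local:port remote:port state
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)"
)


def stale_root_pop3login(ps_lines, now, min_age=timedelta(minutes=5)):
    """PIDs of root-owned pop3login children started at least min_age ago.

    pop3login only drops root after a successful login, so a root-owned child
    that has been alive for minutes is an unauthenticated idle session. ps
    prints START as HH:MM for today's processes and as a date for older ones;
    the latter are stale by definition.
    """
    stale = []
    for line in ps_lines:
        m = PS_RE.match(line)
        if not m or m.group("user") != "root" or "pop3login" not in m.group("cmd"):
            continue
        start = m.group("start")
        if re.fullmatch(r"\d{2}:\d{2}", start):
            hh, mm = map(int, start.split(":"))
            started = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
            if started > now:  # HH:MM later than now: it started before midnight
                started -= timedelta(days=1)
            if now - started < min_age:
                continue
        stale.append(int(m.group("pid")))
    return stale


def pop3_connections_per_ip(netstat_lines, local_port=110):
    """Count ESTABLISHED connections to local_port, keyed by remote address."""
    counts = Counter()
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and m.group("state") == "ESTABLISHED" and int(m.group("lport")) == local_port:
            counts[m.group("raddr")] += 1
    return counts


def assess(ps_lines, netstat_lines, now, maxdaemons=40, maxperip=4):
    """Summarise both signals against the daemon limits."""
    counts = pop3_connections_per_ip(netstat_lines)
    total = sum(counts.values())
    return {
        "stale_root_pids": stale_root_pop3login(ps_lines, now),
        "established": total,
        "saturated": total >= maxdaemons,  # at MAXDAEMONS real clients get no daemon
        "over_perip": sorted(ip for ip, n in counts.items() if n > maxperip),
    }


# Constructed samples in the shape of the thread's ps/netstat output.
NOW = datetime(2007, 2, 24, 1, 50)
SAMPLE_PS = [
    "USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND",
    "root     23760  0.0  0.0  1476  376 ?        S    01:23   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir",
    "root     30438  0.0  0.0  1468  380 ?        S    01:48   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir",
    "alice    30500  0.0  0.1  2004  912 ?        S    01:30   0:00 /usr/lib/courier-imap/bin/pop3d Maildir",
    "root     12345  0.0  0.0  1468  380 ?        S    Feb23   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir",
]
SAMPLE_NETSTAT = (
    ["tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN"]
    + ["tcp        0      0 192.0.2.10:110          203.0.113.5:%d        ESTABLISHED" % p
       for p in range(3161, 3166)]
    + ["tcp        0      0 192.0.2.10:110          203.0.113.6:2450        ESTABLISHED",
       "tcp        0      0 192.0.2.10:110          198.51.100.7:1266       ESTABLISHED",
       "tcp        0      0 192.0.2.10:110          198.51.100.7:1270       ESTABLISHED",
       "tcp        0      0 192.0.2.10:25           198.51.100.7:4000       ESTABLISHED"]
)
```

Run `assess(SAMPLE_PS, SAMPLE_NETSTAT, NOW)` to see the stale PIDs, the total on port 110, and the one address exceeding the per-IP limit; on a live box feed it the real `ps aux` and `netstat -an` lines instead.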
     
  20. useradmin

    useradmin Well-Known Member

    Joined:
    Oct 8, 2004
    Messages:
    107
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    INDIA
    ip ban

    HI,



    'netstat -an|grep 110|grep ESTAB'

    As per the result of the above command I banned one IP, but I still see an established connection from the same IP... why so?

    I even restarted the APF firewall, but it was no use...
     