makersky

Member
hi,

I have a problem with cppop every morning. Between 7 and 9 AM it hangs. When I try to telnet to port 110, the connection is established but no server banner is sent and the connection is frozen. The cppop process is present, but it does not fork. After restarting cppop everything is OK till the next morning.

WHM 10.8.0 cPanel 10.9.0-S119
RedHat Enterprise 3 i686 - WHM X v3.1.0
kernel 2.4.21-47.0.1.ELsmp
 

slor

Member
I am seeing the same thing as of updating cPanel a couple of days ago. The time of day isn't the same, but it's been consistent the last couple of days with the same symptoms described here.

WHM 10.8.0 cPanel 10.9.0-R118
CentOS 4.4 i686 - WHM X v3.1.0

If there is any info I can get from the server to help troubleshooting, please let me know.


thanks
James
 

chirpy

Well-Known Member
Verified Vendor
Since cppop is now deprecated it would seem prudent to convert to maildir and use courier-imap instead.

The older mbox format, and cppop itself, are a less reliable mechanism, especially with clients leaving emails on the server instead of retrieving and deleting them as they should.
 

makersky

Member
chirpy said:
Since cppop is now deprecated it would seem prudent to convert to maildir and use courier-imap instead.

The older mbox format, and cppop itself, are a less reliable mechanism, especially with clients leaving emails on the server instead of retrieving and deleting them as they should.
Well, that's not an answer to my question, but thank you. Something has been wrong since the last upgrade of cPanel/WHM. Everything was fine and my clients were not complaining until the software upgrade to the newer/better version.
 

Curious Too

Well-Known Member
Port 110 is being flooded on all of my servers (30). I have servers in three different datacenters and they are all affected. Here is an example:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
pop3login 77 root 0u IPv4 44208389 TCP server.domain.com:pop3->72-4-175-183.ptr.primarydns.com:3161 (ESTABLISHED)
pop3login 77 root 1u IPv4 44208389 TCP server.domain.com:pop3->72-4-175-183.ptr.primarydns.com:3161 (ESTABLISHED)
pop3login 612 root 0u IPv4 44235484 TCP server.domain.com:pop3->72-4-175-208.ptr.primarydns.com:3314 (ESTABLISHED)
pop3login 612 root 1u IPv4 44235484 TCP server.domain.com:pop3->72-4-175-208.ptr.primarydns.com:3314 (ESTABLISHED)
pop3login 1571 root 0u IPv4 44170925 TCP server.domain.com:pop3->72.52.158.189:2450 (ESTABLISHED)
pop3login 1571 root 1u IPv4 44170925 TCP server.domain.com:pop3->72.52.158.189:2450 (ESTABLISHED)
pop3login 2613 root 0u IPv4 44208381 TCP server.domain.com:pop3->72-4-175-208.ptr.primarydns.com:3265 (ESTABLISHED)
pop3login 2613 root 1u IPv4 44208381 TCP server.domain.com:pop3->72-4-175-208.ptr.primarydns.com:3265 (ESTABLISHED)
pop3login 2979 root 0u IPv4 44180563 TCP server.domain.com:pop3->72.32.99.10:3399 (ESTABLISHED)
pop3login 2979 root 1u IPv4 44180563 TCP server.domain.com:pop3->72.32.99.10:3399 (ESTABLISHED)
pop3login 3368 root 0u IPv4 44227365 TCP server.domain.com:pop3->72-4-175-187.ptr.primarydns.com:2336 (ESTABLISHED)
pop3login 3368 root 1u IPv4 44227365 TCP server.domain.com:pop3->72-4-175-187.ptr.primarydns.com:2336 (ESTABLISHED)
pop3login 3757 root 0u IPv4 44227203 TCP server.domain.com:pop3->ip-72-55-133-48.static.privatedns.com:1266 (ESTABLISHED)
pop3login 3757 root 1u IPv4 44227203 TCP server.domain.com:pop3->ip-72-55-133-48.static.privatedns.com:1266 (ESTABLISHED)
pop3login 4089 root 0u IPv4 44186317 TCP server.domain.com:pop3->72-4-175-226.ptr.primarydns.com:2586 (ESTABLISHED)
pop3login 4089 root 1u IPv4 44186317 TCP server.domain.com:pop3->72-4-175-226.ptr.primarydns.com:2586 (ESTABLISHED)
pop3login 5467 root 0u IPv4 44166326 TCP server.domain.com:pop3->72-4-175-226.ptr.primarydns.com:2161 (ESTABLISHED)
pop3login 5467 root 1u IPv4 44166326 TCP server.domain.com:pop3->72-4-175-226.ptr.primarydns.com:2161 (ESTABLISHED)
pop3login 6002 root 0u IPv4 44132262 TCP server.domain.com:pop3->netblock-72-25-64-35.dslextreme.com:3912 (ESTABLISHED)
pop3login 6002 root 1u IPv4 44132262 TCP server.domain.com:pop3->netblock-72-25-64-35.dslextreme.com:3912 (ESTABLISHED)
pop3login 6146 root 0u IPv4 44208512 TCP server.domain.com:pop3->72-4-175-203.ptr.primarydns.com:1783 (ESTABLISHED)
pop3login 6146 root 1u IPv4 44208512 TCP server.domain.com:pop3->72-4-175-203.ptr.primarydns.com:1783 (ESTABLISHED)
pop3login 7006 root 0u IPv4 44215654 TCP server.domain.com:pop3->vision.edu:2359 (ESTABLISHED)
pop3login 7006 root 1u IPv4 44215654 TCP server.domain.com:pop3->vision.edu:2359 (ESTABLISHED)
pop3login 7626 root 0u IPv4 44136701 TCP server.domain.com:pop3->72-4-175-168.ptr.primarydns.com:3425 (ESTABLISHED)
pop3login 7626 root 1u IPv4 44136701 TCP server.domain.com:pop3->72-4-175-168.ptr.primarydns.com:3425 (ESTABLISHED)
pop3login 8139 root 0u IPv4 44137278 TCP server.domain.com:pop3->znetshows.com:3311 (ESTABLISHED)
pop3login 8139 root 1u IPv4 44137278 TCP server.domain.com:pop3->znetshows.com:3311 (ESTABLISHED)
pop3login 9075 root 0u IPv4 44165411 TCP server.domain.com:pop3->72-4-175-118.ptr.primarydns.com:4702 (ESTABLISHED)
pop3login 9075 root 1u IPv4 44165411 TCP server.domain.com:pop3->72-4-175-118.ptr.primarydns.com:4702 (ESTABLISHED)
pop3login 11647 root 0u IPv4 44151782 TCP server.domain.com:pop3->72-4-175-183.ptr.primarydns.com:1909 (ESTABLISHED)
pop3login 11647 root 1u IPv4 44151782 TCP server.domain.com:pop3->72-4-175-183.ptr.primarydns.com:1909 (ESTABLISHED)
pop3login 12085 root 0u IPv4 44189666 TCP server.domain.com:pop3->host.boydaworld.com:1399 (ESTABLISHED)
pop3login 12085 root 1u IPv4 44189666 TCP server.domain.com:pop3->host.boydaworld.com:1399 (ESTABLISHED)
pop3login 13115 root 0u IPv4 44247961 TCP server.domain.com:pop3->ds1.webserve.ca:2136 (ESTABLISHED)
pop3login 13115 root 1u IPv4 44247961 TCP server.domain.com:pop3->ds1.webserve.ca:2136 (ESTABLISHED)
pop3login 14067 root 0u IPv4 44264936 TCP server.domain.com:pop3->72-4-175-40.ptr.primarydns.com:4866 (ESTABLISHED)
pop3login 14067 root 1u IPv4 44264936 TCP server.domain.com:pop3->72-4-175-40.ptr.primarydns.com:4866 (ESTABLISHED)
pop3login 14479 root 0u IPv4 44133541 TCP server.domain.com:pop3->vision.edu:4705 (ESTABLISHED)
pop3login 14479 root 1u IPv4 44133541 TCP server.domain.com:pop3->vision.edu:4705 (ESTABLISHED)
couriertc 14480 root 3u IPv4 44121024 TCP *:pop3 (LISTEN)
pop3login 15492 root 0u IPv4 44203564 TCP server.domain.com:pop3->72.15.144.209:3273 (ESTABLISHED)
pop3login 15492 root 1u IPv4 44203564 TCP server.domain.com:pop3->72.15.144.209:3273 (ESTABLISHED)
pop3login 15840 root 0u IPv4 44177837 TCP server.domain.com:pop3->210.95.232.72.reverse.layeredtech.com:2569 (ESTABLISHED)
pop3login 15840 root 1u IPv4 44177837 TCP server.domain.com:pop3->210.95.232.72.reverse.layeredtech.com:2569 (ESTABLISHED)
pop3login 16545 root 0u IPv4 44152915 TCP server.domain.com:pop3->72.18.137.162:2156 (ESTABLISHED)
pop3login 16545 root 1u IPv4 44152915 TCP server.domain.com:pop3->72.18.137.162:2156 (ESTABLISHED)
pop3login 16854 root 0u IPv4 44148778 TCP server.domain.com:pop3->vision.edu:3398 (ESTABLISHED)
pop3login 16854 root 1u IPv4 44148778 TCP server.domain.com:pop3->vision.edu:3398 (ESTABLISHED)
pop3login 17015 root 0u IPv4 44281850 TCP server.domain.com:pop3->72-4-175-118.ptr.primarydns.com:2989 (ESTABLISHED)
pop3login 17015 root 1u IPv4 44281850 TCP server.domain.com:pop3->72-4-175-118.ptr.primarydns.com:2989 (ESTABLISHED)
pop3login 17041 root 0u IPv4 44255936 TCP server.domain.com:pop3->72.15.144.206:2134 (ESTABLISHED)
pop3login 17041 root 1u IPv4 44255936 TCP server.domain.com:pop3->72.15.144.206:2134 (ESTABLISHED)
pop3login 19767 root 0u IPv4 44189378 TCP server.domain.com:pop3->72.52.158.189:2656 (ESTABLISHED)
pop3login 19767 root 1u IPv4 44189378 TCP server.domain.com:pop3->72.52.158.189:2656 (ESTABLISHED)
pop3login 20659 root 0u IPv4 44210464 TCP server.domain.com:pop3->72-4-175-196.ptr.primarydns.com:1042 (ESTABLISHED)
pop3login 20659 root 1u IPv4 44210464 TCP server.domain.com:pop3->72-4-175-196.ptr.primarydns.com:1042 (ESTABLISHED)
pop3login 23318 root 0u IPv4 44246991 TCP server.domain.com:pop3->72-4-175-40.ptr.primarydns.com:1393 (ESTABLISHED)
pop3login 23318 root 1u IPv4 44246991 TCP server.domain.com:pop3->72-4-175-40.ptr.primarydns.com:1393 (ESTABLISHED)
pop3login 23573 root 0u IPv4 44205121 TCP server.domain.com:pop3->72-4-175-185.ptr.primarydns.com:3874 (ESTABLISHED)
pop3login 23573 root 1u IPv4 44205121 TCP server.domain.com:pop3->72-4-175-185.ptr.primarydns.com:3874 (ESTABLISHED)
pop3login 23636 root 0u IPv4 44246928 TCP server.domain.com:pop3->host.tavalendo.com.br:2187 (ESTABLISHED)
pop3login 23636 root 1u IPv4 44246928 TCP server.domain.com:pop3->host.tavalendo.com.br:2187 (ESTABLISHED)
pop3login 25744 root 0u IPv4 44170040 TCP server.domain.com:pop3->72-4-175-253.ptr.primarydns.com:2731 (ESTABLISHED)
pop3login 25744 root 1u IPv4 44170040 TCP server.domain.com:pop3->72-4-175-253.ptr.primarydns.com:2731 (ESTABLISHED)
pop3login 27313 root 0u IPv4 44238255 TCP server.domain.com:pop3->72-4-175-159.ptr.primarydns.com:4558 (ESTABLISHED)
pop3login 27313 root 1u IPv4 44238255 TCP server.domain.com:pop3->72-4-175-159.ptr.primarydns.com:4558 (ESTABLISHED)
pop3login 28074 root 0u IPv4 44203576 TCP server.domain.com:pop3->72-4-175-203.ptr.primarydns.com:4832 (ESTABLISHED)
pop3login 28074 root 1u IPv4 44203576 TCP server.domain.com:pop3->72-4-175-203.ptr.primarydns.com:4832 (ESTABLISHED)
pop3login 28337 root 0u IPv4 44203779 TCP server.domain.com:pop3->ds1.webserve.ca:2427 (ESTABLISHED)
pop3login 28337 root 1u IPv4 44203779 TCP server.domain.com:pop3->ds1.webserve.ca:2427 (ESTABLISHED)
pop3login 28418 root 0u IPv4 44281556 TCP server.domain.com:pop3->host.mitechnews.com:4188 (ESTABLISHED)
pop3login 28418 root 1u IPv4 44281556 TCP server.domain.com:pop3->host.mitechnews.com:4188 (ESTABLISHED)
pop3login 29538 root 0u IPv4 44172580 TCP server.domain.com:pop3->netblock-72-25-64-35.dslextreme.com:3820 (ESTABLISHED)
pop3login 29538 root 1u IPv4 44172580 TCP server.domain.com:pop3->netblock-72-25-64-35.dslextreme.com:3820 (ESTABLISHED)
pop3login 30347 root 0u IPv4 44242679 TCP server.domain.com:pop3->72-4-175-153.ptr.primarydns.com:2086 (ESTABLISHED)
pop3login 30347 root 1u IPv4 44242679 TCP server.domain.com:pop3->72-4-175-153.ptr.primarydns.com:2086 (ESTABLISHED)
pop3login 30728 root 0u IPv4 44282138 TCP
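To turn a listing like the one above into numbers you can act on, here is an added example (not code from the thread or from cPanel) that parses the lsof column layout shown above and counts distinct established POP3 sessions per remote host. The sample lines are constructed with made-up hostnames and addresses; the per-IP limit passed to the last function is an assumption, meant to be set to whatever limit you intend to enforce in the courier pop3d configuration (MAXDAEMONS is named later in the thread; the per-IP setting is not named on this page).

```python
"""Count established POP3 sessions per remote peer from `lsof -i :pop3` output.

Added example, not from the thread. It parses the column layout of the lsof
listing posted above (COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME); the
sample lines below are constructed, with made-up hostnames and addresses.
"""
from collections import Counter
import re
import sys

# Constructed sample in the same layout as the thread's listing. Each session
# appears twice because pop3login holds the socket as both fd 0 and fd 1; the
# DEVICE column (the socket inode) is identical on both lines.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
pop3login 77 root 0u IPv4 44208389 TCP mail.example.net:pop3->vps-a.example.org:3161 (ESTABLISHED)
pop3login 77 root 1u IPv4 44208389 TCP mail.example.net:pop3->vps-a.example.org:3161 (ESTABLISHED)
pop3login 612 root 0u IPv4 44235484 TCP mail.example.net:pop3->vps-a.example.org:3314 (ESTABLISHED)
pop3login 612 root 1u IPv4 44235484 TCP mail.example.net:pop3->vps-a.example.org:3314 (ESTABLISHED)
pop3login 1571 root 0u IPv4 44170925 TCP mail.example.net:pop3->vps-a.example.org:2450 (ESTABLISHED)
pop3login 1571 root 1u IPv4 44170925 TCP mail.example.net:pop3->vps-a.example.org:2450 (ESTABLISHED)
pop3login 2613 root 0u IPv4 44208381 TCP mail.example.net:pop3->203.0.113.7:3265 (ESTABLISHED)
pop3login 2613 root 1u IPv4 44208381 TCP mail.example.net:pop3->203.0.113.7:3265 (ESTABLISHED)
couriertc 14480 root 3u IPv4 44121024 TCP *:pop3 (LISTEN)
pop3login 15492 root 0u IPv4 44203564 TCP mail.example.net:pop3->203.0.113.7:3273 (ESTABLISHED)
pop3login 15492 root 1u IPv4 44203564 TCP mail.example.net:pop3->203.0.113.7:3273 (ESTABLISHED)
"""

# One established-connection line. The SIZE column is usually empty for
# sockets, so the token before "TCP" is optional.
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+"
    r"(?P<type>IPv[46])\s+(?P<device>\d+)\s+(?:\S+\s+)?TCP\s+"
    r"(?P<local>\S+)->(?P<remote>\S+)\s+\(ESTABLISHED\)$"
)


def established_sessions(lsof_text):
    """Map DEVICE -> remote host for each distinct established session.

    Keying on DEVICE means fd 0 and fd 1 of one connection count once; the
    header line and the LISTEN socket are skipped because they do not match.
    """
    sessions = {}
    for line in lsof_text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        host, _, _port = m.group("remote").rpartition(":")
        sessions[m.group("device")] = host
    return sessions


def daemons_in_use(lsof_text):
    """Number of pop3 daemons currently tied up (compare against MAXDAEMONS)."""
    return len(established_sessions(lsof_text))


def sessions_per_peer(lsof_text):
    """Counter of established sessions keyed by remote host."""
    return Counter(established_sessions(lsof_text).values())


def peers_over_limit(lsof_text, per_ip_limit):
    """Remote hosts holding more sessions than the per-IP limit you plan to enforce."""
    return sorted(h for h, n in sessions_per_peer(lsof_text).items() if n > per_ip_limit)


if __name__ == "__main__":
    # Feed real output with: lsof -i :pop3 | python3 this_script.py
    text = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    print("daemons in use:", daemons_in_use(text))
    for host, n in sessions_per_peer(text).most_common():
        print(f"{n:3d}  {host}")
    print("over a per-IP limit of 2:", peers_over_limit(text, 2))
```

Counting by socket inode rather than by line matters here: a naive `grep -c` over this listing doubles every session, so a box that looks saturated may be at half its limit, and vice versa.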
 

Curious Too

Well-Known Member
I also see this in the maillog:

maillog.1:Feb 12 12:05:36 server pop3d: LOGIN FAILED, method=CRAM-MD5, ip=[::ffff:67.180.40.221]

Increasing the max number of pop3 daemons seems to help.
 

mtindor

Well-Known Member
Just noticed this myself. All the rogue connections - if you telnet back to them on port 25/110, they all appear to be VPS servers - at least most are VPS servers running Mailenable.

There would be no reason on earth for those servers to be connecting to any of our machines on TCP 110 under normal circumstances.

I'm seeing multiple class Cs within many hosting providers that are hitting our TCP 110 from most if not all of their IPs on each of the class Cs. _every_ time I've telnetted port 25 of one of the machines it was a VPS with mailenable. Now whether it has anything to do with some problem they are having with Mailenable or whether it is totally unrelated to Mailenable and instead related to some problem with exploitation of the VPS, I don't know.

Mike
 

mtindor

Well-Known Member
Also,

I'm wondering if the IP address of your server that you are monitoring this traffic from starts with 72.x.x.x?

I ask because EVERY rogue 110 connection that I'm seeing (and there are lots - about 50 unique hosts at present - many in the same class Cs or provider netblocks) is coming from 209.x.x.x - and the server I'm monitoring from has an IP address starting with 209.x.x.x

So it looks like whatever it is, the remote system targets other hosts in the same class A that it is in. Of course I'm only basing this on what I've seen myself and what you posted.

mike
 

Curious Too

Well-Known Member
mtindor said:
Also,

I'm wondering if the IP address of your server that you are monitoring this traffic from starts with 72.x.x.x?

I ask because EVERY rogue 110 connection that I'm seeing (and there are lots - about 50 unique hosts at present - many in the same class Cs or provider netblocks) is coming from 209.x.x.x - and the server I'm monitoring from has an IP address starting with 209.x.x.x

So it looks like whatever it is, the remote system targets other hosts in the same class A that it is in. Of course I'm only basing this on what I've seen myself and what you posted.

mike
The IP addresses of the servers vary. The attacks had been random, but last night at about 12:30 a.m. every server in three different datacenters was attacked at exactly the same time by the same IP addresses.
 

rochen

Active Member
PartnerNOC
We are seeing this problem as of last night as well. Servers at Colo4Dallas, The Planet and FortressITX are all being hit. All of these servers are running 'maildir'.
 

abrender

Active Member
We have 3 cPanel servers that are also being attacked - 'flooded' with pop3 connections, reaching the max of 40 very often... but it's targeting our cPanel servers; our non-cPanel servers aren't affected. Odd? All IPs are from different ranges.
 

mtindor

Well-Known Member
Just did a quick check using 'netstat -an|grep 110|grep ESTAB'

64.217.100.146
66.51.103.167
66.98.184.9
66.199.231.218
66.221.87.131
66.235.194.175
69.25.11.35
69.46.31.162
69.64.36.85
69.50.208.211
72.29.12.75
72.130.75.151
85.25.9.28
210.245.164.92
216.139.232.43

I believe at least 12 of those are running MailEnable. Obviously some IPs accessing POP3 are legitimate users. So it looks like all non-legit traffic seems to be from MailEnable servers - or servers that are VPSs. I'm not sure which is the problem - if it's a MailEnable exploit or a VPS exploit of some VPS that just happens to use MailEnable by default.

Mike
 

abrender

Active Member
Yup same here...

[email protected] [/var/log]# netstat -apn | grep 110 -c
40

(40 is the max connections)

just chose a random IP:

[email protected] [/var/log]# telnet 66.235.194.175 110
Trying 66.235.194.175...
Connected to 66.235.194.175.
Escape character is '^]'.
+OK Welcome to MailEnable POP3 Server


Is there a way to change the pop3 timeout settings?
 

mtindor

Well-Known Member
abrender said:
Yup same here...

[email protected] [/var/log]# netstat -apn | grep 110 -c
40

(40 is the max connections)

just chose a random IP:

[email protected] [/var/log]# telnet 66.235.194.175 110
Trying 66.235.194.175...
Connected to 66.235.194.175.
Escape character is '^]'.
+OK Welcome to MailEnable POP3 Server


Is there a way to change the pop3 timeout settings?
No idea - I imagine there is. But I'm going to just increase the number of allowed POP3 connections per Chirpy's instructions at http://forums.cpanel.net/showthread.php?p=296686#post296686

Mike
 

vissa

Well-Known Member
I'm experiencing POP having to restart several times per day all of a sudden as well (sometimes 20 times an hour). Never happened before.

When I manually try to restart it I get the following error:


---
Attempting to restart cppop
Waiting for cppop to restart.... . . . . . . . . . . finished.

cppop statuscouriertcpd is disabled


Service: [cppop] has been disabled by the sys admin
---

-vissa
 

deanstev

Well-Known Member
Could the MailEnable ones be related to this new Virus?

PowerVPS said:
There is currently a virus affecting Windows Plesk servers online. The point of infection seems to be Mailenable, and SWSoft is aware of it, and has confirmed that it is a known issue not limited to PowerVPS.

At this time, there is no known solution, but SWSoft is working on it. We do not yet have a solution, but if your VPS is infected we can rebuild it for you to remove the virus. We recommend backing up all of your data asap if you are on an MSVS or Virtuozzo for Windows VPS running Plesk and Mailenable.

At this time, we're recommending that anyone with Plesk for Windows DISABLE MAILENABLE until further notice.
 

jpetersen

Well-Known Member
Here's my synopsis from 2:30AM on the 24th:

Oddly enough this is one case where using cppop would be somewhat beneficial, as it disconnects you after 5 minutes if you simply establish a connection but don't try to log in, which is what's occurring with these MailEnable servers. courier on the other hand doesn't appear to have such a timeout at all. Thus, for each connection on port 110 that the infected MailEnable servers make to your server, one less daemon is available from the MAXDAEMONS as set in /usr/lib/courier-imap/etc/pop3d.

RFC 1939 has this to say:

A POP3 server MAY have an inactivity autologout timer. Such a timer
MUST be of at least 10 minutes' duration.
but what about connections where the remote host doesn't even attempt to auth? I'm no C guru, but looking at the source of courier-0.54.2, imap/pop3dserver.c specifically, it appears there is a 300 second inactivity autodisconnect routine:

Code:
   863          signal(SIGALRM, bye);
   864          while (alarm(300), fgets(buf, sizeof(buf), stdin))
   865          {
   [ checks for various valid pop3 commands here, which would assume auth previously took place ]
   972          }
   973          acctout("INFO: DISCONNECTED");
Code:
   848  static RETSIGTYPE bye(int signum)
   849  {
   850          acctout("INFO: TIMEOUT");
   851          exit(0);
   852  #if     RETSIGTYPE != void
   853          return (0);
   854  #endif
   855  }
That's basically my long way of saying that I don't think courier has a configurable inactivity timeout setting for connections where the source doesn't auth. Feel free to correct me on this :)


How can you tell if you're getting hit with this mess? If you see a bunch of root owned pop3login processes running for long periods of time, you're possibly getting hit from those MailEnable boxes.

Code:
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root     23760  0.0  0.0  1476  376 ?        S    01:23   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     23943  0.0  0.0  1468  380 ?        S    01:24   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     24094  0.0  0.0  1464  380 ?        S    01:24   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     24610  0.0  0.0  1472  376 ?        S    01:26   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     24638  0.0  0.0  1484  376 ?        S    01:26   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     24873  0.0  0.0  1468  380 ?        S    01:27   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25271  0.0  0.0  1476  380 ?        S    01:29   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25611  0.0  0.0  1468  376 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25655  0.0  0.0  1488  376 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25749  0.0  0.0  1468  376 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25764  0.0  0.0  1480  380 ?        S    01:30   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25943  0.0  0.0  1476  380 ?        S    01:31   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     26012  0.0  0.0  1476  380 ?        S    01:32   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     26263  0.0  0.0  1480  380 ?        S    01:32   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     27032  0.0  0.0  1472  380 ?        S    01:33   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     27289  0.0  0.0  1464  376 ?        S    01:33   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     27994  0.0  0.0  1468  380 ?        S    01:35   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     27998  0.0  0.0  1484  380 ?        S    01:35   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     28216  0.0  0.0  1476  376 ?        S    01:36   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     28252  0.0  0.0  1480  380 ?        S    01:36   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     28577  0.0  0.0  1476  380 ?        S    01:37   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     29080  0.0  0.0  1464  376 ?        S    01:39   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     29839  0.0  0.0  1476  380 ?        S    01:40   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     29997  0.0  0.0  1480  376 ?        S    01:41   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     30078  0.0  0.0  1464  380 ?        S    01:41   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     30110  0.0  0.0  1484  380 ?        S    01:42   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     30221  0.0  0.0  1476  380 ?        S    01:42   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     30438  0.0  0.0  1468  380 ?        S    01:43   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     31138  0.0  0.0  1460  376 ?        S    01:45   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     31301  0.0  0.0  1472  376 ?        S    01:45   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     31554  0.0  0.0  1472  380 ?        S    01:46   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     31624  0.0  0.0  1464  380 ?        S    01:46   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     32039  0.0  0.0  1476  380 ?        S    01:47   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     32048  0.0  0.0  1468  380 ?        S    01:47   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     32266  0.0  0.0  1476  380 ?        S    01:48   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       532  0.0  0.0  1468  380 ?        S    01:49   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       574  0.0  0.0  1480  380 ?        S    01:49   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       584  0.0  0.0  1468  372 ?        S    01:49   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       683  0.0  0.0  1476  380 ?        S    01:50   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       689  0.0  0.0  1476  376 ?        S    01:50   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
After authentication is successful, the process will run as the user, and not root (thanks bvierra).

As far as what the servers are doing when they connect, the answer appears to be.. nothing. They are just connecting and doing nothing more. In fact, they're actually connecting twice:

The first connection is to port 110, and if successful, the remote host gracefully closes the connection after the handshake has been completed.

Then the second connection is made immediately after. Only this time, after the connection is established and the local server sends the "+OK Hello there", the infected servers basically do nothing.

Unless I'm missing something painfully obvious, I speculate this is just the effect of a poorly written worm that is waiting for a MailEnable banner that never comes. But then why wouldn't it just check that on the first connection? Perhaps this virus/worm was just "practice" for someone. I'd love to know the purpose of connecting and doing absolutely nothing myself.

Hopefully this info is somehow able to help others experiencing the same problem.
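One way to automate the check jpetersen describes (root-owned pop3login processes that have been alive far longer than a login handshake needs), as an added example that is not part of the thread or of courier-imap: it parses `ps aux` lines in the layout shown above, ignores pop3d processes that have already dropped to the user (those have authenticated), treats a START value that is a date rather than HH:MM as older than today, and handles sessions that began before midnight. The sample lines, the 10-minute threshold (borrowed from the RFC 1939 minimum quoted above) and the reference time are constructed for the example.

```python
"""Flag pre-authentication POP3 sessions that have outlived any plausible login.

Added example, not from the thread. Parses `ps aux` output in the column layout
shown above (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND). The
sample below is constructed: PIDs, times and the user name are made up.
"""
from datetime import datetime, timedelta
import os
import re

# Constructed sample. Root-owned pop3login = connection accepted, no login yet.
# The 'alice' pop3d line is a session that already authenticated and dropped
# privileges; the 23:58 line started before midnight relative to "now".
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root     23760  0.0  0.0  1476  376 ?        S    01:23   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     25271  0.0  0.0  1476  380 ?        S    01:29   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root     31138  0.0  0.0  1460  376 ?        S    01:45   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root       689  0.0  0.0  1476  376 ?        S    01:50   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
alice    26012  0.0  0.0  1476  380 ?        S    01:32   0:00 /usr/lib/courier-imap/bin/pop3d Maildir
root     20001  0.0  0.0  1476  380 ?        S    23:58   0:00 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
"""

# USER PID, then six fixed columns (%CPU %MEM VSZ RSS TTY STAT), START, TIME, COMMAND.
PS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+"
    r"\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<start>\S+)\s+\S+\s+(?P<cmd>.*)$"
)


def minutes_since(start, now):
    """Age in minutes of a ps START value relative to `now` (both 'HH:MM').

    Returns None when START is a date such as 'Feb24', which ps prints for
    processes that did not start today, i.e. definitely older than any threshold.
    """
    if not re.fullmatch(r"\d{2}:\d{2}", start):
        return None
    started = datetime.strptime(start, "%H:%M")
    current = datetime.strptime(now, "%H:%M")
    if started > current:          # started before midnight, now is after it
        started -= timedelta(days=1)
    return int((current - started).total_seconds() // 60)


def stale_preauth_sessions(ps_text, now, min_age_minutes=10):
    """PIDs of root-owned pop3login processes at least `min_age_minutes` old.

    A pop3login that never authenticates never execs pop3d as the user, so it
    stays root-owned; one that sits there for longer than a login takes is a
    daemon slot held by an idle (or hostile) peer.
    """
    stale = []
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        program = os.path.basename(m.group("cmd").split()[0])
        if program != "pop3login":
            continue
        age = minutes_since(m.group("start"), now)
        if age is None or age >= min_age_minutes:
            stale.append(int(m.group("pid")))
    return stale


if __name__ == "__main__":
    # In practice: ps aux | python3 this_script.py, with now=datetime.now().strftime("%H:%M")
    for pid in stale_preauth_sessions(SAMPLE_PS, now="01:50"):
        print("stale pre-auth pop3login pid", pid)
```

The list this returns is what you would correlate with the lsof or netstat peer list before deciding which remote addresses to rate-limit; the age threshold is deliberately a parameter, since a slow client on a bad link can legitimately take a few minutes to send its first command.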
 

edwardycho

Registered
We've been able to minimize the impact of this by upping the max daemons to 60 from 40 and limiting connections for each ip to 5. I guess there's no way around this except to wait for some sysadmins to fix their machines....
 

useradmin

Well-Known Member
ip ban

Hi,

'netstat -an|grep 110|grep ESTAB'

As per the result of the above command I banned one IP, but I still see an established connection from the same IP... why so???

I even restarted the APF firewall, but no use...