Security Incidents mailing list archives

DoS/exploit affecting ipop3d???


From: Mikael Fors <mf () MORADATORER SE>
Date: Thu, 22 Feb 2001 09:05:15 +0100

Last Monday, one of my customer's Linux boxes running on their site started to behave very strangely. I didn't trust this 
behaviour, so I put the box offline and installed the spare, properly patched machine instead, to be able to have a 
forensically fresh copy of the machine. I also dd'ed partition images to a couple of 2GB Jaz disks and verified 
mountability of the images on other boxes.

From the maillog (server's IP and domain removed):
<until now everything worked like a charm>
Feb 12 04:45:38 ns ipop3d[19033]: Login user=eje93n130 host=pc62.nnnnnnnnnn.nnn [192.168.130.62] nmsgs=0/0
Feb 12 04:45:38 ns ipop3d[19033]: Logout user=eje93n130 host=pc62.nnnnnnnnnn.nnn [192.168.130.62] nmsgs=0 ndele=0
Feb 12 04:49:07 ns ipop3d[19034]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:49:07 ns ipop3d[19034]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 04:50:41 ns ipop3d[19035]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:52:01 ns ipop3d[19035]: Command stream end of file while reading line user=??? host=[192.168.130.45]
Feb 12 04:53:28 ns ipop3d[19038]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:53:28 ns ipop3d[19038]: Broken pipe while reading line user=??? host=UNKNOWN
Feb 12 04:53:56 ns ipop3d[19039]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:55:16 ns ipop3d[19039]: Command stream end of file while reading line user=??? host=[192.168.130.154]
Feb 12 04:58:13 ns ipop3d[19040]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:58:13 ns ipop3d[19040]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 05:00:12 ns ipop3d[19041]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 05:00:12 ns ipop3d[19041]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 05:04:14 ns ipop3d[19046]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 05:04:14 ns ipop3d[19046]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 05:06:41 ns ipop3d[19047]: pop3 service init from nnn.nn.nnn.nnn
<now the pop3d is completely unresponsive and no connects can be made>

Got no pre-warning from snort, and the traffic logger can't find any evidence of strange behaviour in any log. The 
strange thing is that about 2 hours later, users on another private subnet (which is supposed to be able to fetch/send 
mail through this server) seem to be able to connect, even though the pop3 server is dead????

Feb 12 07:50:22 ns ipop3d[19162]: Command stream end of file while reading line user=??? host=[192.168.130.154]
Feb 12 07:50:40 ns ipop3d[19164]: pop3 service init from 192.168.130.100
Feb 12 07:50:59 ns ipop3d[19161]: Login user=jan67p8 host=[192.168.8.163] nmsgs=0/0
Feb 12 07:50:59 ns ipop3d[19161]: Logout user=jan67p8 host=[192.168.8.163] nmsgs=0 ndele=0
Feb 12 07:52:00 ns ipop3d[19164]: Login user=per68p8 host=[192.168.8.165] nmsgs=0/0
Feb 12 07:52:00 ns ipop3d[19164]: Logout user=per68p8 host=[192.168.8.165] nmsgs=0 ndele=0
Feb 12 07:52:27 ns ipop3d[19168]: pop3 service init from 192.168.130.100
Feb 12 07:52:44 ns ipop3d[19169]: pop3 service init from 192.168.130.100
Feb 12 07:53:31 ns ipop3d[19167]: pop3 service init from nnn.nn.nnn.nnn

The machine was running Sendmail 8.11.0 and, AFAIK, a tight and utterly stripped RH6.2 patched to the ears when this 
happened. Tripwire doesn't say anything is changed or has a missing checksum... (databases stored on Jaz disks)

Is there a known attack affecting ipop3d? Or is it just me being paranoid (sysadmins should be, especially when hired in 
to do a job like I am)?

Yours

Mikael Fors
Networked Systems Professional
Mora Datorer AB

