I am used to catching those scripts, usually in /tmp, but in recent months they tend to be stored in apache/proxy.
So I made a script, which I put in cron to run every 5 minutes, that removes all files in these directories that are owned by nobody and have execute rights.
This is reasonably effective in fighting those hackers...
So I can't tell you any more what script it was...
You should never do something like that! I would highly suggest modifying the script to have them place it in a root-owned directory. By doing that you take away the chance to easily investigate what went wrong. If you think you are doing good by removing the file, consider that most script kiddies today have the file download and execute immediately, so by the time you have deleted it they have already done what they want. You should look at securing your server so they cannot get on the server in the first place!
Now as for the POP3, can they log in to their FTP accounts, or do those not work as well? You may just try a upcp --force.
John W, CISSP, C|EH
MS Information Security and Assurance ITEagleEye.com - Server Administration and Security Yawig.com - Managed VPS and Dedicated Servers with VIP Service
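The quarantine approach suggested in the post above, as an added example that is not part of the thread: instead of deleting executable files owned by nobody, it moves them into a directory only the caller can read and records hash, original mode, owner, mtime and path for later investigation. The function name quarantine_exec, the manifest.tsv file and the directory arguments are assumptions; GNU coreutils (sha256sum, stat -c) are assumed, and the quarantine directory must live outside the scanned one.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils (sha256sum, stat -c)
# and a quarantine directory that lives outside the scanned directory.
# Usage: quarantine_exec SRC_DIR QUARANTINE_DIR [OWNER]   (OWNER defaults to nobody)
quarantine_exec() (
    src=$1 qdir=$2 owner=${3:-nobody}
    umask 077                          # new files/dirs readable by the caller only
    mkdir -p "$qdir" || exit 1
    chmod 700 "$qdir"
    # Regular files owned by $owner with any execute bit set, same filesystem only.
    find "$src" -xdev -type f -user "$owner" \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec sh -c '
            qdir=$1; shift
            for f in "$@"; do
                # Hash via stdin so odd file names cannot alter the output format.
                sum=$(sha256sum < "$f") || continue
                sum=${sum%% *}
                ts=$(date -u +%Y%m%dT%H%M%SZ)
                # Original mode, owner and mtime, captured before the move.
                meta=$(stat -c "%a %U %Y" "$f") || continue
                dest=$qdir/$ts.$sum
                # Move, strip execute bits, then log where the file came from.
                mv -- "$f" "$dest" && chmod 400 "$dest" &&
                    printf "%s\t%s\t%s\t%s\n" "$ts" "$sum" "$meta" "$f" \
                        >> "$qdir/manifest.tsv"
            done' sh "$qdir" {} +
)
```

Run from root's cron, the quarantine directory ends up root-owned with mode 700, and each manifest line ties a stored file back to its original location.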
Try to verify the exact error by using the following commands on the shell:
telnet $yourip 110
Did you verify whether it's a server-wide problem or limited to a particular domain or user? If you are searching for POP authentication logs, I think you should use /var/log/maillog, as on cPanel servers, or you could check /etc/syslog.conf to find out where it is logged (if you made any changes in the process).
SupportExpertz.com - the name says it all!