Hi,
I tried to track a similar problem by making observation in csf a change of /home/vpopmail/etc/vpopmail.mysql. Then I knew precisely if that got changed and when.
I have a cron to reset the pass at a certain odd time.
When I receive an email from csf for that time, I know that it was by my cron. If not, then there is a problem that a trojaner exists the system, most likely that got through any of weak scripts residing on the server.