barbut process using 100% cpu and connecting [Archive] - SpeedGuide.net Broadband Community



krzysiek
07-16-07, 04:42 AM
Hello all!
I've already tried to find an answer by searching Usenet, but no results.
My problem is: I have my Debian 3.1 sarge Linux as a 24/7 router/server
etc.
Some day I found some strange activity.
There was a process called "barbut" (2 of them) using 49,2% CPU time
each :O
Meanwhile netstat showed established connections to 195.73.177.146:666
+ several waiting.
I have no idea where this process came from. Any clues?
This is what ps -A printed:
serwer:~# ps -A
PID TTY TIME CMD
1 ? 00:00:02 init
2 ? 00:00:00 keventd
3 ? 00:00:00 ksoftirqd_CPU0
4 ? 00:00:00 kswapd
5 ? 00:00:00 bdflush
6 ? 00:00:00 kupdated
99 ? 00:00:01 kjournald
295 ? 00:00:00 kcopyd
297 ? 00:00:00 kmirrord
498 ? 00:00:00 khubd
1267 ? 00:00:04 dhclient
1801 ? 00:00:01 syslogd
1807 ? 00:00:00 klogd
1851 ? 00:00:00 postmaster
1856 ? 00:00:00 postmaster
1857 ? 00:00:00 postmaster
1883 ? 00:00:00 courierlogger
1884 ? 00:00:00 authdaemond
1898 ? 00:00:00 authdaemond
1899 ? 00:00:00 authdaemond
1900 ? 00:00:00 authdaemond
1901 ? 00:00:00 authdaemond
1902 ? 00:00:00 authdaemond
1906 ? 00:00:00 cupsd
1916 ? 00:00:00 dhcpd
1948 ? 00:00:00 mysqld_safe
1985 ? 00:00:00 mysqld
1986 ? 00:00:00 logger
1987 ? 00:00:00 mysqld
1988 ? 00:00:00 mysqld
1989 ? 00:00:00 mysqld
1990 ? 00:00:00 mysqld
1991 ? 00:00:00 mysqld
2002 ? 00:00:00 mysqld
2003 ? 00:00:00 mysqld
2004 ? 00:00:00 mysqld
2005 ? 00:00:00 mysqld
2008 ? 00:00:00 mysqld
2046 ? 00:00:00 inetd
2112 ? 00:00:00 master
2121 ? 00:00:00 qmgr
2122 ? 00:00:02 nmbd
2123 ? 00:00:00 nmbd
2125 ? 00:00:00 smbd
2138 ? 00:00:00 smbd
2141 ? 00:00:00 sshd
2209 ? 00:00:00 ntpd
2228 ? 00:00:00 atd
2235 ? 00:00:00 cron
2256 ? 00:00:00 apache-ssl
2312 tty1 00:00:00 getty
2313 tty2 00:00:00 getty
2314 tty3 00:00:00 getty
2315 tty4 00:00:00 getty
2316 tty5 00:00:00 getty
2317 tty6 00:00:00 getty
14285 ? 00:00:00 gcache
14289 ? 00:00:00 apache-ssl
14290 ? 00:00:00 apache-ssl
14291 ? 00:00:00 apache-ssl
14292 ? 00:00:00 apache-ssl
14293 ? 00:00:00 apache-ssl
14302 ? 00:00:02 apache2
14327 ? 00:00:00 apache2
14328 ? 00:00:00 apache2
14329 ? 00:00:00 apache2
14330 ? 00:00:00 apache2
14331 ? 00:00:00 apache2
14798 ? 00:00:00 apache2
16306 ? 00:00:00 apache2
16381 ? 00:00:00 apache2
16382 ? 00:00:00 apache2
16383 ? 00:00:00 apache2
21869 ? 00:00:00 pickup
22055 ? 00:00:00 sshd
22059 pts/0 00:00:00 bash
22259 ? 00:00:00 sshd
22263 ? 00:00:00 sshd
22272 ? 00:00:00 barbut
22276 pts/0 00:00:00 ps

Any strange processes? Or something I should look for?

Jens Hoffmann
07-16-07, 01:15 PM
Hi,

krzysiek wrote:
> there was a process called "barbut" (2 of them) using 49,2% CPU time
> each :O

Have you installed such a program? Where is it installed? What kind of
files are around that place?

> meanwhile netstat showed established connections to 195.73.177.146:666
> + several waiting.

Some host in .nl.

> I have no idea where this process came from. Any clues?

I don't know about you, but I would take the machine off the net and
try to understand what happened.
After that, reinstall without the hole.

Cheers,
Jens

tflinton
11-19-07, 05:31 PM
Barbut is a denial-of-service attack; it infects your system typically through an unpatched Apache. It then logs in to an IRC server where people can issue commands to it to bombard hosts with packets.

Kill it off, check for rootkits, etc.
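A small triage helper, added here and not written by anyone in the thread, that mirrors the two checks the replies ask for: compare the `ps -A` listing against the daemons the admin expects, and decode `/proc/net/tcp` to list ESTABLISHED connections (with the socket inode that ties each one to a PID via `/proc/<pid>/fd`). The ps excerpt, the `/proc/net/tcp` rows, and the baseline set are constructed sample data, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Constructed samples: a trimmed copy of the thread's ps -A listing and a
# hypothetical /proc/net/tcp showing the connection to 195.73.177.146:666.
PS_SAMPLE = """  PID TTY          TIME CMD
    1 ?        00:00:02 init
 2141 ?        00:00:00 sshd
14302 ?        00:00:02 apache2
22059 pts/0    00:00:00 bash
22272 ?        00:00:00 barbut
22276 pts/0    00:00:00 ps
"""
PROC_NET_TCP_SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C35F 92B149C3:029A 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C360 92B149C3:029A 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
"""
# Constructed baseline: daemons this admin expects on the box.
BASELINE = {"init", "sshd", "apache2", "apache-ssl", "mysqld", "bash", "ps"}

def decode_addr(field):
    """Turn '92B149C3:029A' into ('195.73.177.146', 666). /proc/net/tcp stores
    IPv4 as a host-endian 32-bit hex word; this assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16))), int(port_hex, 16)

def established_outbound(proc_net_tcp):
    """Return (local_ip, local_port, remote_ip, remote_port, inode) for every
    ESTABLISHED socket (state 01); TIME_WAIT (06) and LISTEN (0A) are skipped."""
    result = []
    for line in proc_net_tcp.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10 or fields[3] != "01":
            continue
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        result.append((lip, lport, rip, rport, int(fields[9])))
    return result

def unknown_processes(ps_output, baseline):
    """Command names in a `ps -A` listing that are not in the expected baseline."""
    names = {line.split(None, 3)[3] for line in ps_output.splitlines()[1:] if line.strip()}
    return sorted(names - baseline)

if __name__ == "__main__":
    print("unexpected processes:", unknown_processes(PS_SAMPLE, BASELINE))
    for lip, lport, rip, rport, inode in established_outbound(PROC_NET_TCP_SAMPLE):
        print(f"ESTABLISHED {lip}:{lport} -> {rip}:{rport} (socket inode {inode})")
```

On a live host, feed it `open("/proc/net/tcp").read()` and the real `ps -A` output, then match each reported inode against `readlink /proc/<pid>/fd/*` to find the owning process and `readlink /proc/<pid>/exe` to find where its binary lives.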