Hello,

Does anyone have any clue as to why I'm getting tons (about 80) of rpc.rexd processes in my process table? This rexd process has been commented out in my inetd.conf, so I'm very confused why it is even running. I used "ps -ef | grep rpc.rexd" and I got about 80 rpc.rexd processes like this:

    root 28894 1 0 Apr 23 ? 0:00 rpc.rexd
    root 28936 1 0 Apr 23 ? 0:00 rpc.rexd
    root 28983 1 0 Apr 23 ? 0:00 rpc.rexd
    root 29072 1 0 Apr 23 ? 0:00 rpc.rexd
    root 29093 1 0 Apr 23 ? 0:00 rpc.rexd
    root 29350 1 0 Apr 23 ? 0:00 rpc.rexd
    root 29162 1 0 Apr 23 ? 0:00 rpc.rexd
    root 29300 1 0 Apr 23 ? 0:00 rpc.rexd
    root 29197 1 0 Apr 23 ? 0:00 rpc.rexd
    root 29237 1 0 Apr 23 ? 0:00 rpc.rexd

I have not edited inetd.conf recently. The process report last week didn't show any rpc.rexd process. I only discovered this yesterday. The time stamps on these rpc.rexd processes are all from yesterday and today. I can kill these processes, but I'm a little concerned about the number of repeated rexd processes.

Have I been hacked? Is this a sign of an rpc.rexd buffer overflow? I have checked all my essential binary files and there has not been any time change. The only thing I found was a new and empty directory called /tmp_rex.

I have two systems showing these repeated rpc.rexd processes; one is running Solaris 6 and the other Solaris 7. Four other machines (two running Solaris 6 and two running Solaris 7) don't have any rpc.rexd process running at all. Recently we were attacked by the snmpXdmid buffer overflow, so security has become a big concern of ours.

Mei

P.S. I just rebooted the systems. The rpc.rexd processes are gone. This seems like a port attack, and we still don't know how they got in or whether they will get in again.
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 03:53:02 PDT