[SunHELP] rpc.rexd repeated process

[Xiaomei Zhou]

I have not edited inetd.conf recently. The process report last week didn't show any 
rpc.rexd process. I have only discovered this today. The time stamps on these 
rpc.rexd all have today's time stamps. I can kill these processes but I'm a little 
concerned with the numbers of repeated rexd processes. Have I been hacked? Is this a 
sign of rpc.rexd buffer overflow? I have checked all my essential binary files and 
there has not been any time change.

I have two systems showing this repeated rpc.rexd processes, one is running Solaris 6 
and another one Solaris 7. Four other machines (two running Solaris 6 and two running 
Solaris 7) don't have rpc.rexd process running at all.

Recently we have been attacked by snmpXdmid buffer overflow so security has become a 
big concern of ours.


Mei

 
> Date: Mon, 23 Apr 2001 13:43:23 -0400 (EDT)
> From: Dale Ghent <daleg at elemental.org>
> To: <sunhelp at sunhelp.org>
> cc: <mei at prc.utexas.edu>
> Subject: Re: [SunHELP] rpc.rexd repeated process
> MIME-Version: 1.0
> 
> On Mon, 23 Apr 2001, Xiaomei Zhou wrote:
> 
> | Hello,
> |
> | Does anyone have any clue as to why I'm getting tons of rpc.rexd
> | process in my process table? This rexd process has been commented out
> | in my inetd.conf so I'm very confused why it is even running. I used
> | "ps -ef | grep rpc.rexd" and I got about 80 rpc.rexd processes like
> | this:
> 
> Were you sure to restart inetd after commenting out the rexd entry in
> inetd.conf?
> 
> Also, you can kill off any remaining rexd processes if you dont want them
> there anymore.
> 
> /dale
>