[SunHELP] Re: (Carl Marino) repeated rpc.rexd processes
Xiaomei Zhou
sunhelp at sunhelp.org
Wed May 9 09:46:36 CDT 2001
Carl,
Was there something wrong with your mail server? My message was returned to me.
Mei
------------- Begin Forwarded Message -------------
Date: Wed, 9 May 2001 09:35:17 -0500 (CDT)
From: Xiaomei Zhou <mei at prc.utexas.edu>
Subject: Re: repeated rpc.rexd processes
To: mei at prc.utexas.edu, cmarino at skynet.be
MIME-Version: 1.0
Content-MD5: FWRynC4V2/PtwLk8yUIO3w==
Carl,
I have gotten some replies from the securityfocus site and everyone says that I have been
compromised (which is obvious), but no one could tell me the source of the attack.
Here is what I have done:
1. Rebooted the affected systems immediately. (Three of ours were compromised: two
   2.6 machines and one 2.7 machine.)
2. We changed the permission on /tmp_rex to
dr-x------ 2 root root 512 Apr 22 21:16 tmp_rex
3. We applied the latest patch clusters from the sunsolve site.
So far we haven't experienced any more rexd attacks. We think the attacker is using
our server as a stepping stone of some sort. The attacker opened hundreds of our
ports using rpc.rexd processes but didn't seem to do any other harm.
Good Luck!
Mei
> Date: Wed, 9 May 2001 16:25:34 +0200
> From: Carl Marino <cmarino at skynet.be>
> To: Xiaomei Zhou <mei at prc.utexas.edu>
> Subject: Re: repeated rpc.rexd processes
> Mime-Version: 1.0
> Content-Disposition: inline
> User-Agent: Mutt/1.2.5i
>
> On Wed, Apr 25, 2001 at 10:36:45AM -0500, Xiaomei Zhou wrote:
> > Hello,
> >
> > Does anyone have any clue as to why I'm getting tons (about 80) of rpc.rexd
> > processes in my process table? This rexd process has been commented out in my
> > inetd.conf, so I'm very confused why it is even running. I used "ps -ef | grep
> > rpc.rexd" and I got about 80 rpc.rexd processes like this:
> >
> > root 28894 1 0 Apr 23 ? 0:00 rpc.rexd
> > root 28936 1 0 Apr 23 ? 0:00 rpc.rexd
> > root 28983 1 0 Apr 23 ? 0:00 rpc.rexd
> > root 29072 1 0 Apr 23 ? 0:00 rpc.rexd
> > root 29093 1 0 Apr 23 ? 0:00 rpc.rexd
> > root 29350 1 0 Apr 23 ? 0:00 rpc.rexd
> > root 29162 1 0 Apr 23 ? 0:00 rpc.rexd
> > root 29300 1 0 Apr 23 ? 0:00 rpc.rexd
> > root 29197 1 0 Apr 23 ? 0:00 rpc.rexd
> > root 29237 1 0 Apr 23 ? 0:00 rpc.rexd
> >
> > I have not edited inetd.conf recently. The process report last week didn't show
> > any rpc.rexd process. I only discovered this yesterday. The time stamps on these
> > rpc.rexd processes are all from yesterday and today. I can kill these processes,
> > but I'm a little concerned by the number of repeated rexd processes. Have I been
> > hacked? Is this a sign of an rpc.rexd buffer overflow? I have checked all my
> > essential binary files and there has not been any time change. The only thing I
> > found was a new and empty directory called /tmp_rex.
> >
> > I have two systems showing these repeated rpc.rexd processes, one running
> > Solaris 6 and the other Solaris 7. Four other machines (two running Solaris 6 and
> > two running Solaris 7) don't have any rpc.rexd process running at all.
> >
> > Recently we have been attacked via the snmpXdmid buffer overflow, so security
> > has become a big concern of ours.
> >
> >
> > Mei
> >
> > P.S. I just rebooted the systems. The rpc.rexd processes are gone. This seems
> > like a port attack and we still don't know how they got in and if they will get
> > in again.
>
> Xiaomei,
>
> I'm experiencing the same behaviour on several servers here in Belgium. I see
> no one responded on the list; did anyone respond to you personally? Have you
> learned anything else?
>
> Regarding /tmp_rex, I found this in the rexd man page:
>
> /tmp_rex/rexd??????
> temporary mount points for remote file systems.
>
> Regards,
> Carl
>
> --
> Carl Marino
> +32 475 / 93.39.09
------------- End Forwarded Message -------------
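The indicator the thread turns on is simple to check mechanically: rpc.rexd is commented out in inetd.conf, yet rpc.rexd processes exist, and they are parented by init (PPID 1, as in Mei's ps listing) rather than by inetd. The script below is an added example written for this page; it is not code from the thread or from Sun. It runs over a constructed `ps -ef` listing and a constructed inetd.conf fragment (both embedded), flags every rpc.rexd that inetd should not have started, and reports the state of the /tmp_rex directory against the 0500/root setting Mei applied. It assumes that a rexd legitimately started by inetd keeps inetd as its parent, and that the ps columns follow the Solaris `ps -ef` layout (STIME is either "Mon DD" or "HH:MM:SS").

```python
"""Flag rpc.rexd processes that inetd did not start, and inspect /tmp_rex.

Added example for the SunHELP thread, not code from the thread or from Sun.
Sample ps and inetd.conf data below are constructed for the demonstration.
"""
import os
import re
import stat

# Constructed `ps -ef` output in Solaris layout: two rexd processes parented
# by init (PPID 1), as in the thread, plus inetd itself and an inetd child.
PS_SAMPLE = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   Apr 20 ?        0:01 /etc/init -
    root   143     1  0   Apr 20 ?        0:00 /usr/sbin/inetd -s
    root   150     1  0   Apr 20 ?        0:00 /usr/sbin/rpcbind
    root 28894     1  0   Apr 23 ?        0:00 rpc.rexd
    root 28936     1  0   Apr 23 ?        0:00 rpc.rexd
    root 30001   143  0 09:12:44 ?        0:00 in.telnetd
"""

# Constructed inetd.conf fragment: the rexd line is commented out.
INETD_CONF_SAMPLE = """\
# constructed sample; a real inetd.conf carries many more lines
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#rexd/1  tli  rpc/tcp  wait  root  /usr/sbin/rpc.rexd  rpc.rexd
"""

# Columns: UID PID PPID C STIME TTY TIME CMD. STIME may contain a space
# ("Apr 23"), so it is matched non-greedily up to the TTY and TIME fields.
PS_RE = re.compile(
    r"^\s*(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+"
    r"(?P<stime>.+?)\s+(?P<tty>\S+)\s+(?P<time>\d+:[\d:]+)\s+(?P<cmd>.*)$"
)


def parse_ps(text):
    """One dict per process line; the header and unparsable lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["ppid"] = int(d["ppid"])
            procs.append(d)
    return procs


def _program(cmd):
    """Base name of the executable in a CMD column ('' if the column is empty)."""
    parts = cmd.split()
    return os.path.basename(parts[0]) if parts else ""


def enabled_inetd_services(text):
    """Service names on active inetd.conf lines, RPC version suffix ('/1') dropped."""
    services = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        services.add(line.split()[0].split("/")[0])
    return services


def find_rogue_rexd(ps_text, inetd_text):
    """Return (pid, reason) for each rpc.rexd that inetd should not have started.

    Assumption: a rexd started by inetd keeps inetd as its parent, so a rexd
    whose parent is not inetd (e.g. PPID 1) was started some other way.
    """
    procs = parse_ps(ps_text)
    enabled = enabled_inetd_services(inetd_text)
    inetd_pids = {p["pid"] for p in procs if _program(p["cmd"]) == "inetd"}
    findings = []
    for p in procs:
        if _program(p["cmd"]) != "rpc.rexd":
            continue
        reasons = []
        if "rexd" not in enabled:
            reasons.append("rexd is disabled in inetd.conf")
        if p["ppid"] not in inetd_pids:
            reasons.append("parent is PID %d, not inetd" % p["ppid"])
        if reasons:
            findings.append((p["pid"], "; ".join(reasons)))
    return findings


def tmp_rex_status(path="/tmp_rex"):
    """'absent', or owner/mode of the directory, marked ok only at root/0500."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "absent"
    mode = stat.S_IMODE(st.st_mode)
    ok = stat.S_ISDIR(st.st_mode) and st.st_uid == 0 and mode == 0o500
    return "%s uid=%d mode=%04o %s" % (path, st.st_uid, mode, "ok" if ok else "LOOSE")


if __name__ == "__main__":
    for pid, why in find_rogue_rexd(PS_SAMPLE, INETD_CONF_SAMPLE):
        print("rogue rpc.rexd pid %d: %s" % (pid, why))
    print(tmp_rex_status())
```

On a live host, feed it the real output of `ps -ef` and the real /etc/inetd.conf instead of the embedded samples; a rexd that inetd actually spawned from an active rexd line produces no finding, while the pattern from the thread (rexd commented out, processes with PPID 1) is reported with both reasons.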