# Commands su and login listening on UDP



## rjw (May 14, 2013)

Hi all,

I've just recently completed a bunch of updates to my systems running FreeBSD 9.0/9.1 on my local LAN, of which I have a local SVN repository which is synchronized from FreeBSD.org daily, and I've noticed new behavior which was not present before:


```
# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
...
root     su         9991  4  udp4   *:628                 *:*
root     login      1026  4  udp4   *:960                 *:*
...
```

Amongst the other known services listening on sockets I now have the commands su and login which were definitely not present before the update. In fact if I check another system of mine running FreeBSD 9.0-p7 which is not on my local network and uses FreeBSD.org's direct SVN repository I don't see these commands listening on sockets.

This is happening on both i386 and amd64 architectures.

Is this normal or can I safely assume my system hosting my SVN repository has been compromised and my repository tampered with/root-kitted?

Thanks folks.


----------



## rjw (May 14, 2013)

I think I may have an answer to my own question. The difference between the systems with the listening commands is: they use NIS.

So it's likely NIS.


----------



## kpa (May 14, 2013)

This could be a case of some system utility or port messing up/leaking file descriptors; a listening socket is a file in technical terms.

I have seen such a case myself with my OpenVPN server. If I call `service ntpd restart` from the up.sh script of my VPN server I will suddenly have the ntpd(8) service listening on UDP port 1194, which is the port in use by the OpenVPN server. I think the reason is that the OpenVPN server leaves some dangling open file descriptors in the environment of the up.sh script.


----------
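The descriptor inheritance described in the reply above, as an added example that is not part of the original thread: a bound UDP socket survives into a spawned child unless close-on-exec is set, which is how a socket can show up under an unrelated command name in `sockstat`. The function names and the loopback port are assumptions made for illustration, and `inheritable_sockets` is a hypothetical audit helper a daemon could call before running a hook script.

```python
import os
import socket
import stat
import subprocess
import sys

# Child program: reports whether the given descriptor number is an open socket.
CHILD = (
    "import os, stat, sys\n"
    "try:\n"
    "    mode = os.fstat(int(sys.argv[1])).st_mode\n"
    "except OSError:\n"
    "    sys.exit(1)  # descriptor is not open in the child\n"
    "sys.exit(0 if stat.S_ISSOCK(mode) else 2)\n"
)


def child_inherits_socket(inheritable):
    """Bind a UDP socket, spawn a child, and report whether the child holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", 0))  # constructed sample: ephemeral loopback port
        # inheritable=False means the close-on-exec flag (FD_CLOEXEC) is set.
        sock.set_inheritable(inheritable)
        # close_fds=False mimics a daemon that runs a hook script without
        # closing its own descriptors first.
        result = subprocess.run(
            [sys.executable, "-c", CHILD, str(sock.fileno())],
            close_fds=False,
        )
        return result.returncode == 0


def inheritable_sockets(max_fd=256):
    """Audit helper (hypothetical): descriptors in this process that are
    sockets and would survive an exec into a spawned helper."""
    leaked = []
    for fd in range(3, max_fd):
        try:
            if stat.S_ISSOCK(os.fstat(fd).st_mode) and os.get_inheritable(fd):
                leaked.append(fd)
        except OSError:
            continue  # descriptor not open
    return leaked


if __name__ == "__main__":
    print("without close-on-exec:", child_inherits_socket(True))
    print("with close-on-exec:   ", child_inherits_socket(False))
```
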

