Commands su and login listening on UDP

[rjw]

Hi all,

I've just recently completed a bunch of updates to my systems running FreeBSD 9.0/9.1 on my local LAN, of which I have a local SVN repository which is synchronized from FreeBSD.org daily, and I've noticed new behavior which was not present before:

[cmd]# sockstat -4[/cmd]
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
...
root     su         9991  4  udp4   *:628                 *:*
root     login      1026  4  udp4   *:960                 *:*
...

Amongst the other known services listening on sockets I now have the commands su and login which were definitely not present before the update. In fact if I check another system of mine running FreeBSD 9.0-p7 which is not on my local network and uses FreeBSD.org's direct SVN repository I don't see these commands listening on sockets.

This is happening on both i386 and amd64 architectures.

Is this normal or can I safely assume my system hosting my SVN repository has been compromised and my repository tampered with/root-kitted?

Thanks folks.

 

[rjw]

I think I may have an answer to my own question. The difference between the systems with the listening commands is: they use NIS.

So it's likely NIS.

 

[kpa]

This could be a case of some system utility or port messing up/leaking file descriptors, a listening socket is a file in techical terms.

I have seen such case myself with my OpenVPN server. If I call service ntpd restart from the up.sh script of my VPN server I will suddenly have the ntpd(8) service listening on UDP port 1194 that is the port in use by the OpenVPN server. I think the reason is that the OpenVPN server leaves some dangling open file descriptors in the environment of the up.sh script.