Those open UDP ports are most probably connections for the syslog. For a process to send UDP packets, it needs to open a UDP socket. Once "openlog" runs, it opens a socket for later use. I saw "probably" because it is always possible that someone has subverted the code and is using the socket for more than syslog, but that would be far more clever than anything I've ever seen a real intruder do. --spaf