
I'm afraid I've been cracked.



Well, I wasn't paying a whole lot of attention and I had every unnecessary
port closed... or so I thought.  I was still running the portmapper.  So
when I ssh'd home today and nmapped myself, a couple of mysterious processes
popped up.

To begin with: I nmapped my box and saw, much to my dismay:

Port    State       Protocol  Service
22      open        tcp        ssh             
111     open        tcp        sunrpc          
515     open        tcp        printer         
1527    open        tcp        tlisrv          
6000    open        tcp        X11             

As soon as I killed the portmapper, port 111 (the portmapper) and port 1527
(the mystery process) both died.  Then later today, I ssh'd home again and
saw:

Port    State       Protocol  Service
22      open        tcp        ssh             
515     open        tcp        printer         
2027    open        tcp        shadowserver    
6000    open        tcp        X11             

Then, by looking through /var/log/auth.log, I see that every morning at
around 7:35, three sessions are being opened.  Two for user 'news' by
(uid=0) and one for user 'nobody' also by (uid=0).

I plan on removing nntp from my box immediately, since I don't use my box as
a server in any way.  Can anybody please explain to me what's going on?
Has my box been compromised?  What do I do?

Copious thanks in advance for any help.

----------------------------------------------------------------------
Stephen W. Juranich                         sjuranic@ee.washington.edu
Electrical Engineering         http://students.washington.edu/sjuranic
University of Washington             http://rcs.ee.washington.edu/ssli
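
A way to tabulate recurring auth.log session entries like the ones described in the message above, written as an added example that is not part of the original post. The log lines are constructed; the host name, PIDs, service tags and the user "alice" are assumptions, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, not from the post: host, PIDs, the "cron"/"ssh" service
# tags and the user "alice" are assumptions. Two syslog/PAM layouts are shown.
SAMPLE_LOG = """\
Mar  3 07:35:01 myhost PAM_unix[4101]: (cron) session opened for user news by (uid=0)
Mar  3 07:35:01 myhost PAM_unix[4102]: (cron) session opened for user news by (uid=0)
Mar  3 07:35:02 myhost PAM_unix[4103]: (cron) session opened for user nobody by (uid=0)
Mar  3 07:36:10 myhost PAM_unix[4101]: (cron) session closed for user news
Mar  3 18:12:44 myhost PAM_unix[5220]: (ssh) session opened for user alice by (uid=0)
Mar  4 07:35:01 myhost PAM_unix[4301]: (cron) session opened for user news by (uid=0)
Mar  4 07:35:01 myhost PAM_unix[4302]: (cron) session opened for user news by (uid=0)
Mar  4 07:35:02 myhost PAM_unix[4303]: (cron) session opened for user nobody by (uid=0)
Mar  5 07:35:01 myhost CRON[611]: pam_unix(cron:session): session opened for user news by (uid=0)
Mar  5 07:35:01 myhost CRON[612]: pam_unix(cron:session): session opened for user news by (uid=0)
Mar  5 07:35:02 myhost CRON[613]: pam_unix(cron:session): session opened for user nobody by (uid=0)
"""

OPENED = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hhmm>\d{2}:\d{2}):\d{2}\s+\S+\s+"
    r"[^\s:\[]+(?:\[\d+\])?:\s+"  # program[pid]:
    r"(?:pam_\w+\((?P<new>[^:)]+):session\):\s+|\((?P<old>[^)]+)\)\s+)?"  # service tag
    r"session opened for user (?P<user>\S+) by \S*\(uid=(?P<uid>\d+)\)"
)

def recurring_sessions(text, min_days=2):
    """Map (HH:MM, service, user, opener uid) -> {date: count} for every
    session-open pattern that repeats at the same minute on >= min_days days."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = OPENED.match(line)
        if not m:
            continue  # closes, auth failures and unrelated lines are skipped
        service = m["new"] or m["old"] or "unknown"
        key = (m["hhmm"], service, m["user"], int(m["uid"]))
        seen[key][f'{m["mon"]} {int(m["day"])}'] += 1
    return {k: dict(v) for k, v in seen.items() if len(v) >= min_days}

if __name__ == "__main__":
    for (hhmm, svc, user, uid), days in sorted(recurring_sessions(SAMPLE_LOG).items()):
        print(f"{hhmm} service={svc} user={user} opened-by-uid={uid}: {days}")
```

Each output row names the service that opened the session, so a fixed daily pattern can be matched against the jobs scheduled on the machine.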



