Well, I wasn't paying a whole lot of attention and I had every unnecessary port closed... or so I thought. I was still running the portmapper. So when I ssh'd home today and nmapped myself, a couple of mysterious processes popped up.
To begin with: I nmapped my box and saw, much to my dismay: Port State Protocol Service 22 open tcp ssh 111 open tcp sunrpc 515 open tcp printer 1527 open tcp tlisrv 6000 open tcp X11 As soon as I killed the portmapper, port 111 (the portmapper) and port 1527 (the mystery process) both died. Then later today, I ssh'd home again and saw: Port State Protocol Service 22 open tcp ssh 515 open tcp printer 2027 open tcp shadowserver 6000 open tcp X11 Then, by looking through /var/log/auth.log, I see that every morning at around 7:35, three sessions are being opened. Two for user 'news' by (uid=0) and one for user 'nobody' also by (uid=0). I plan on removing nntp from my box immediately, since I don't use my box as a server in any way. Can anybody please explain to me what's going on? Has my box been compromised? What do I do? Copious thanks in advance for any help. ---------------------------------------------------------------------- Stephen W. Juranich [EMAIL PROTECTED] Electrical Engineering http://students.washington.edu/sjuranic University of Washington http://rcs.ee.washington.edu/ssli