On Tuesday 11 May 2010 05:58:28 Grant wrote:
> I nmap'ed one of my remote Gentoo servers today and besides the
> expected open ports were these:
>
> 1080/tcp open socks
> 3128/tcp open squid-http
> 8080/tcp open http-proxy
>
> I'm not running any sort of proxy software that I know of and I should
> be the only person whatsoever with access to the machine. 'netstat
> -l' doesn't show any info on those ports at all so I suppose it's been
> hacked as well? I installed and ran 'rkhunter --check' (what happened
> to the chrootkit ebuild?) but it doesn't seem to be much use since I
> hadn't established a "file of stored file properties".
>
> What do you guys think is going on? What should I do from here?

What does lsof (I'd reinstall it afresh) show with regards to strange
users? What users do the above services run under?

If indeed they are not legitimate and you confirm that they are not
being run as packages that you installed, then I'm afraid the only sane
option is to reinstall.

-- 
Regards,
Mick
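
An added example, not part of the thread: a shell helper that reads `lsof -nP -iTCP -sTCP:LISTEN` output and reports which user and command, if any, owns each port the scan reported. The sample listing, the `proxyd` command name and the function names are constructed for illustration; on a suspect host the result is only as trustworthy as the lsof binary that produced it.

```shell
#!/bin/sh
# Added example: map externally observed ports to local listening sockets.

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from the post).
sample_lsof() {
cat <<'EOF'
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     2101   root    3u  IPv4  11234      0t0  TCP *:22 (LISTEN)
apache2  2250   root    4u  IPv6  11890      0t0  TCP *:80 (LISTEN)
proxyd   3377 nobody    5u  IPv4  20411      0t0  TCP 127.0.0.1:1080 (LISTEN)
EOF
}

# Usage: check_ports "1080 3128 8080" < lsof-output
# Prints one line per requested port: its owners, or that none is visible.
check_ports() {
    awk -v want="$1" '
        BEGIN { n = split(want, ports, " ") }
        # Skip the header; only rows in LISTEN state are of interest.
        NR > 1 && $NF == "(LISTEN)" {
            port = $(NF - 1)
            sub(/^.*:/, "", port)   # keep what follows the last colon
            owner[port] = owner[port] sprintf(" user=%s cmd=%s pid=%s", $3, $1, $2)
        }
        END {
            for (i = 1; i <= n; i++) {
                p = ports[i]
                if (p in owner) print p ":" owner[p]
                else            print p ": no local listener visible"
            }
        }'
}

# Live use, as root so that sockets of all users are listed:
#   lsof -nP -iTCP -sTCP:LISTEN | check_ports "1080 3128 8080"
sample_lsof | check_ports "1080 3128 8080"
```
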