Date: Mon, 10 May 2010 21:58:28 -0700
Subject: [gentoo-user] I've been hacked.
List-Id: Gentoo Linux mail (gentoo-user@lists.gentoo.org)
From: Grant
To: Gentoo mailing list <gentoo-user@lists.gentoo.org>

I nmap'ed one of my remote Gentoo servers today and besides the expected open ports were these:

1080/tcp open socks
3128/tcp open squid-http
8080/tcp open http-proxy

I'm not running any sort of proxy software that I know of, and I should be the only person whatsoever with access to the machine. 'netstat -l' doesn't show any info on those ports at all, so I suppose it's been hacked as well?

I installed and ran 'rkhunter --check' (what happened to the chkrootkit ebuild?), but it doesn't seem to be much use since I hadn't established a "file of stored file properties".

What do you guys think is going on? What should I do from here?

- Grant
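An added example, not part of Grant's message or of any reply on this thread: a small script that cross-checks what an outside nmap reports against the kernel's own socket table in /proc/net/tcp and /proc/net/tcp6, bypassing the netstat binary entirely. A port that answers remotely but has no LISTEN socket in /proc has three common explanations: a device in the path (NAT box, firewall, transparent proxy) is answering on the host's behalf; a userland rootkit has replaced netstat/ss or the libc they use and is filtering their output, which reading /proc directly sidesteps; or a kernel-level rootkit hides the socket from /proc too, which only a second vantage point (tcpdump on the host, a console login, a live CD) will settle. The nmap output and the /proc/net/tcp contents embedded below are constructed sample data, not taken from Grant's server; the file layout and the port numbers in the sample are the only things assumed.

```python
"""Cross-check an external nmap scan against the kernel's socket table.

Reads /proc/net/tcp and /proc/net/tcp6 directly instead of trusting the
output of netstat or ss, then reports ports that are open to the scanner
but have no LISTEN socket in the kernel table (rootkit or middlebox) and
ports that listen locally but were not reachable (firewall/NAT).
The sample data at the bottom is constructed, not captured from a real host.
"""
import re
import sys

LISTEN_STATE = "0A"  # value of the 'st' column for LISTEN in /proc/net/tcp{,6}


def hex_to_ipv4(ip_hex):
    """Decode the 8-hex-digit IPv4 field of /proc/net/tcp.
    The kernel prints the address in host byte order, so on x86 (little-endian)
    0100007F is 127.0.0.1. IPv6 entries (32 hex digits) are returned as-is."""
    if len(ip_hex) != 8:
        return ip_hex
    return ".".join(str(b) for b in reversed(bytes.fromhex(ip_hex)))


def parse_listeners(proc_text):
    """Return {port: local_ip} for every socket in LISTEN state.
    Accepts the concatenated contents of /proc/net/tcp and /proc/net/tcp6;
    header lines (first field 'sl') are skipped wherever they occur."""
    listeners = {}
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":
            continue
        local_addr, state = fields[1], fields[3]
        if state != LISTEN_STATE:
            continue
        ip_hex, port_hex = local_addr.rsplit(":", 1)
        listeners[int(port_hex, 16)] = hex_to_ipv4(ip_hex)
    return listeners


def parse_nmap_open_ports(nmap_text):
    """Extract open TCP ports from nmap's normal output ('1080/tcp open socks')."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\b", nmap_text, re.M)}


def cross_check(scanned_open, listeners):
    """Compare the outside view with the kernel's view.
    unexplained: open to the scanner but no LISTEN socket in /proc -> investigate
    filtered:    LISTEN on a non-loopback address but not seen by the scanner -> firewalled"""
    unexplained = sorted(p for p in scanned_open if p not in listeners)
    filtered = sorted(p for p, ip in listeners.items()
                      if p not in scanned_open and not ip.startswith("127."))
    return unexplained, filtered


# Constructed sample data for an offline run (not a real scan or socket table).
SAMPLE_NMAP = """\
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1080/tcp open  socks
3128/tcp open  squid-http
8080/tcp open  http-proxy
"""

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0016 0B00000A:C3A4 01 00000000:00000000 02:00012345 00000000     0        0 10004 2 0000000000000000 20 4 30 10 -1
"""


def main(argv):
    """Usage: run 'nmap host > scan.txt' from outside, copy scan.txt to the host,
    then 'python3 portcheck.py scan.txt' there. With no argument the sample data is used."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            scan = parse_nmap_open_ports(f.read())
        proc_text = ""
        for path in ("/proc/net/tcp", "/proc/net/tcp6"):
            try:
                with open(path) as f:
                    proc_text += f.read()
            except OSError:
                pass  # tcp6 is absent when IPv6 is not compiled in
        listeners = parse_listeners(proc_text)
    else:
        scan = parse_nmap_open_ports(SAMPLE_NMAP)
        listeners = parse_listeners(SAMPLE_PROC_NET_TCP)
    unexplained, filtered = cross_check(scan, listeners)
    print("kernel LISTEN sockets:", listeners)
    print("open remotely, no local socket (investigate):", unexplained)
    print("listening locally, not reachable (firewalled):", filtered)
    return 1 if unexplained else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample data the script reports 1080, 3128 and 8080 as open remotely with no matching socket in the kernel table, which is the same shape of discrepancy the message describes. Two caveats on reading the result: if the attacker replaced libc or loaded a kernel module, the Python interpreter's view of /proc can be lied to just as netstat's can, so a clean result is not proof of a clean host; and if the scan was run through a NAT or proxy device, the ports may belong to that device rather than to the server, which is worth confirming with tcpdump on the host while the scan runs.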