No APC software installed. I have discovered the following.
1. a fresh install of E-smith server has xinetd listeninng on port :113 (auth)
2. I had installed Portsentry which was listening on port :6667 (IRC) I dont know why that port should show as open and listaning to the outside, but it did, and Portsentry was the culprit.
3. sshell is what you get when you try to log on remotly as a regular user when this feature is disabled.
I was very alarmed after reading about the DOS attacks on grc.com. Long and short of it, he found a Trojan that listens on port :113 and :6667. when I saw this on my own machine I got concerned. Thats when I looked into my machine and was not sure if what I was finding was normal or not, so I posted it here for feedback.
I did e-mail security@e-smith.com, and they are looking into it. The reason I posted it first is beacuse I thought the answer might be simply explained as normal .
I have since read allot about Linux hacks and found out that if you have been compromized, you can not trust the output of your own commands, like ls, top, and netstat, as they can be replaced or modified by an intruder.
I hope I have not coused any one any alarm, in the futur I will be much more carefull about what I post in this forum. I may just be being parranoid.
Thanks for all or the response
Aaron