Forum OpenACS Q&A: Response to Security Issue - Can't ls as nsadmin or other none root user

When I did a seach in google, I found this trojan LVK4 ( Looks like my box has the same behavior as LVK4 installed. I did a /sbin/ifconfig and got the following result:
[root@server1 bin]# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:90:27:43:87:D7
          inet addr:  Bcast:  Mask:
          RX packets:67632 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58572 errors:0 dropped:0 overruns:0 carrier:1
          collisions:4651 txqueuelen:100
          Interrupt:10 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
I did a netstat and got the following:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     20         1xx.41.128.54:779       ESTABLISHED
tcp        0      0         1xx.41.128.54:709       ESTABLISHED
tcp        0      0  ESTABLISHED
First two ssh are established by me. But where does this ircd come from? Anyone has this kind of problem before? After I got the advice from David (Thanks. David. That's pretty quick. I was still debuging my box when your answer came up.) , I downloaded the sash and tar xvzf into my box. After "make install", I tried "su nsadmin -lc sash" in the sash folder. I was prompted with "Stand-alone shell (version 3.4) >". Then I tried several command and got the following info:
> ls
ls: Permission denied
> ps awux | grep nsd
sh: /bin/ps: Permission denied
> ls /lib
ls: Permission denied
> locate libshow
locate: Permission denied
Then I came across with this article I did check the system, following the instruction. I didn't find on my box. The following are ports open in my box:
The following ports are allowed incoming all ports are allowed outgoing:

    TCP/5190    AOL Browser
    TCP/8000    AOL Server
    TCP/53        DNS
    TCP/21        FTP
    TCP/80        HTTP
    TCP/443      HTTPS
    TCP/110        POP3
    TCP/25        SMTP
    TCP/22        SSH
    TCP/23        TELNET
I did use ws_ftp to upload my file from windows box to this server. I guess that's where my password was sniffed. Any idea? Jay