I finally got all seven entries expected from the xauth list command to display. After much research, I'm still not sure how five IP addresses came to have magic cookies assigned in my home/user/.Xauthority file.
I've never used telnet, rlogin, xhosts or ssh or anything similar. I was silly enough to think firefox browsing was safe due to conservativeness of firewall default settings.
Anyway, on balance I felt I had to remove all the entries belonging to IP addresses. Done. But that leaves me with a few more questions:
Given I haven't used any remote login software, (and assuming that these entries actually do mean that "security" had been compromised), how could it have happened? Firewall remains in default settings (suse 10.1).
Before I change all the passwords, how do I know there isn't something else left behind, such as a keystroke monitor? I suppose that's a pretty tough question.
Can anyone recommend any resource that summarises the basic security steps that even a complete security newbie should and could implement? Stuff like: never browse internet as root? How to know if default firewall settings are safe? etc etc.