Unless aided by Something Else, software running as an unprivileged user can't "just" elevate privileges.

i tried and run alexs3's code, but i get this error:

isn't exactly what you need.
solves your problem.

thank you alexs3,
but i'm a total newbie...

i tried your code, but i get stuck on the second command:
what shall i enter as "socketcall"?

If not 'connect' then I don't know what.

Or 'socket'.

thank you again,
this is what i got:
then i started nethogs, waiting for one of those suspicious records...
after a couple of minutes i got this:
then i launched ausearch, but with no result:
am i missing something?

I don't think you're missing something, I think you have found something. That number range traces to fastweb.it, but at the time I try it didn't exist. Possible, with an isp. Why haven't you got all these crazy port numbers blocked in the firewall except the very few that you use?

well, they SHOULD be closed... i only have a few ports open...

there is one weird thing i found while checking the router virtual server, though: there is one rule i wouldn't say i've ever set:
rule name: Skype UDP at 192.168.1.113:4109 (2831)
start port: 4109
end port: 4109
protocol: udp
ip address: 192.168.1.113

i've just deactivated that rule, and pinging 192.168.1.113 gives no result.

hooray!

after deleting that rule on router virtual server, nethogs does not show those suspicious records anymore...

what i've learnt:
1) do never enable router remote administration: i swear, it has remained enabled for a few days some months ago. am i right if i suspect that someone bruteforced my pwd and added that virtual server rule to connect to my system? would it be possibile?

2) periodically check nethogs (do you know if it's scriptable?)

can you help me learning something from this case?

Guessing on this then. . .

Some hacker got in, messed with nothing except what he wanted. He probably had root if he could set a firewall rule, or user teo and he could sudo (I am guessing).

Setting a firewall rule by itself isn't enough. If you could trace what he was using, that would be good. There's may be something using inetd, or a second instance thereof. If you could plug how he got in, that would be better again. This is bad news for a sysadmin. He hardly breaks in every time, so something is open to him. I would be looking to reinstall elsewhere on a clean disk. Then shut down (yes, shut down) and swap them over. And skype on an internet facing box is a silly idea, imho. Have you changed your passwords for really obtuse ones? Is it still your girlfriend's name or something like that?

For some reason auditd doesn't catch all nethogs packets

sorry, maybe i wasn't clear: the firewall rule was not set on the machine but on the router.

a few months ago the router was set with "enable remote administration", so that i could connect to the router web interface from anywhere (i was on holiday). during this period a brute force attack COULD have found the password to log into the router administration page.

if i'm not wrong, this does not necessarily mean that someone broke into my server, right?

why an hacker should have opened that port for an unassigned ip (192.168.1.113)?

in this period i didn't notice any abnormal cpu nor network usage...

Well auditd isn't so comfortable as to map all ips to processes.
But after laboring through audit.log I have found some references to "/usr/sbin/exim4", uninstalled it and nethogs gives a clean picture so far.
Thank everybody for bearing with me.

Let me put it this way.

Whatever happened (and I don't know) I wouldn't rate the security of your network too highly. I have no information on your router. If it's a cisco thing, then you have some chance. If it's a modem/router, there's exploits for them lying about all over the web. Full marks for spotting the rule though.

To run skype, you must run X. One sysadmin told me he'd be fired if he ran X on a server. You have seen the likes of these
http://www.katerussell.co.uk/essenti...security-risk/ or http://www.makeuseof.com/tag/3-skype-security-issues/

They don't exactly inspire confidence. I think you need to rethink security, as the p[robability is that your punishment for getting compromised could have been much worse than it actually was.