It's very common for a box that's been broken into to run some service on a non-standard port, to allow login to the intruder, preferably without showing up in records used by w(1) and last(1), or logging via syslog.
Robert: Thank you for your reply. You are correct: I did some more snooping and was able to determine that a SSH daemon (an older version than I have running on port 22) is answering on port 31965. I have tried "netstat -anp | grep 31965" but that provides no information. It looks like I have some work to do this weekend. Despite all of the helpful replies from list members, I remain confused about how this occurred. Because this machine is located on my home LAN, I believe that a local compromise is unlikely. Chris Quinn