Security Incidents mailing list archives

Break-in attempt from 203.197.38.247


From: Cronje Schalk <schalkc () NTABA CO ZA>
Date: Tue, 22 Aug 2000 14:20:08 +0200

This morning we discovered a possible break-in attempt. The alert came
from continuous retries on the pop3 and telnet ports. POP3 was
accidentally left open although no pop3 service nor mail service is
installed.

From /var/log/secure:
--------------------
Aug 22 01:09:34 jupiter ipop3d[3954]: connect from 203.197.38.247
Aug 22 01:09:34 jupiter ipop3d[3954]: error: cannot execute
/usr/sbin/ipop3d: No such file or directory

From /var/log/messages:
-----------------------
Aug 22 01:09:43 jupiter telnetd[3957]: ttloop:  peer died: Invalid or
incomplete multibyte or wide character

What is really strange is a replacement of certain files

?---------  14559 root     46449    4294967295 Mar 27 21:57 bashrc
?---------  14559 root     46449    4294967295 Mar 27 21:57 info-dir
?---------  14138 root     8567     4294967295 May 13  1999 named.boot
?---------  14694 root     2584     4294967295 Jul  7 18:49 rpc
?---------  14441 root     12171    4294967295 Aug 17 17:02 shells
?---------  14099 root     8165     4294967295 Aug 21 15:28 termcap

The dates are strange, but then so is most of the file info.

No binaries have been replaced. At this point I am somewhat confused. I
cannot determine if this was an attempted or a successful break-in. On
the other hand it can simply be a damaged filesystem. Can anyone shed
some light on this?

------------------------------------------------------------------
Schalk W. Cronjé |
083-279-7047     |
------------------
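The post's evidence is a handful of tcp_wrappers-style "connect from" lines in /var/log/secure plus an inetd error showing that a port was accepting connections for a daemon that is not installed. The following is an added example (not code from the poster or the list) of how a defender would triage such logs: it parses the "connect from" lines, counts connections per source address and service, flags sources above a threshold, and separately reports services that inetd accepted a connection for but could not execute, which is exactly the "port open, no service behind it" condition the poster describes. The sample log lines are constructed for the example in the same syslog format as the post's excerpts (the source address is the one named in the post; the later timestamps, pids and the second address 192.0.2.10 are made up), and the error line that the archive wrapped over two lines is kept on one line here, as syslog writes it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the same syslog format as the post's
# /var/log/secure and /var/log/messages excerpts.  Only the first three
# lines mirror the post; the rest are made up to show repeated probing
# from one source and an unrelated connection from a second address.
SAMPLE_LOG = """\
Aug 22 01:09:34 jupiter ipop3d[3954]: connect from 203.197.38.247
Aug 22 01:09:34 jupiter ipop3d[3954]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Aug 22 01:09:43 jupiter telnetd[3957]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
Aug 22 01:09:50 jupiter ipop3d[3961]: connect from 203.197.38.247
Aug 22 01:09:55 jupiter in.telnetd[3963]: connect from 203.197.38.247
Aug 22 01:10:02 jupiter ipop3d[3966]: connect from 203.197.38.247
Aug 22 01:10:09 jupiter in.telnetd[3970]: connect from 203.197.38.247
Aug 22 02:30:00 jupiter sshd[4100]: connect from 192.0.2.10
"""

# tcp_wrappers / inetd style: "<ts> <host> <service>[<pid>]: connect from <source>"
CONNECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<svc>[\w.-]+)\[\d+\]:\s+connect from\s+(?P<src>\S+)$"
)

# inetd accepted the connection but the daemon binary is missing: the port
# is reachable from outside although no service is actually installed.
CANNOT_EXEC_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+\S+\s+(?P<svc>[\w.-]+)\[\d+\]:\s+"
    r"error: cannot execute (?P<path>[^\s:]+): No such file or directory$"
)


def parse_log(text):
    """Return (connects, missing): a list of (timestamp, service, source)
    for every accepted connection, and a set of (service, path) pairs for
    services inetd tried to start but could not find."""
    connects = []
    missing = set()
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            connects.append((m["ts"], m["svc"], m["src"]))
            continue
        m = CANNOT_EXEC_RE.match(line)
        if m:
            missing.add((m["svc"], m["path"]))
    return connects, missing


def connections_by_source(connects):
    """Map each source address to a Counter of services it connected to."""
    per_src = defaultdict(Counter)
    for _, svc, src in connects:
        per_src[src][svc] += 1
    return per_src


def flag_probes(connects, threshold=3):
    """Sources whose total number of connections meets the threshold, as
    (source, total, {service: count}) tuples, busiest first.  The threshold
    is an assumption for the example; tune it to the host's normal traffic."""
    per_src = connections_by_source(connects)
    hits = [
        (src, sum(c.values()), dict(c))
        for src, c in per_src.items()
        if sum(c.values()) >= threshold
    ]
    hits.sort(key=lambda h: -h[1])
    return hits


if __name__ == "__main__":
    connects, missing = parse_log(SAMPLE_LOG)
    for src, total, per_svc in flag_probes(connects):
        print(f"repeated connections from {src}: {total} total, {per_svc}")
    for svc, path in sorted(missing):
        print(f"port for {svc} is open but {path} is not installed; close it in inetd.conf")
```

In practice the input is read from the real log files instead of `SAMPLE_LOG`; the `missing` set is the more actionable finding, since an inetd entry for a daemon that is not installed is an open port advertising a service that cannot even authenticate the caller, and removing the entry is the fix regardless of whether the connections were a break-in attempt. The odd `ls` output in the post (the `?---------` mode strings and the 4294967295 owner and group ids) is not something this script judges; it is consistent with unreadable inodes and is best checked with `fsck` on an unmounted copy of the filesystem rather than inferred from logs.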

