Sanjay:
From the looks of it, you should be very worried... First I would suggest that you take a loook at the following site:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.htmlIt would appear that your user francis is doing something less than honourable :) check your /etc/passwd file - he may have given himself a UID of 0 (ie equivalent to root) If you look at the PIDs of the ftpd, it looks like it is delaying logging.
What I would do is to user /var/adm/inetd.sec to block the suspicious IP address that is trying the ftp PORT command.
Next, you might want to look on your system for a trojan (check /var/spool/cron/crontabs ) for all files in the crontabs
Turn on verbose logging for ftpd (in your inetd.conf) do a man on ftpd
GET your installation media ready and backup your data. Verify that the data is valid and be prepared for Disaster recovery, if you find something less than decent.
BTW what timezone are you in? are you running ntp of some sort? is it possible that one of your users is changing the dates?
do a:
more /home/*/.sh_history
and look for any dubious actions. BTW bear in mind that if the system was indeed compromised, the culprit would have tried to clean up after...
Next, if you can get a machine on the same subnet on which to run ethereal or tcpdump, look at the traffic coming out/into the server... I would say use
netstat -a | grep LISTEN
to check for tcp ports that are open (in case there is trojan on your system)
most importantly, be prepared to kick into disaster recovery mode.
nothing wrong with me that a few lines of code cannot fix!
