compromised?

Nelson Garcia garcian002 at hawaii.rr.com
Mon Jun 4 13:41:07 PDT 2001


I'm not much of an expert but here's my take.

Looks like you are running anonymous FTP and some "r" servers.  Hopefully
you have chrooted your users in a pretty tight jail.
The activity below looks suspicious.  Why would anyone try to log in as
"root" from an outside host?

I would not trust my logs if I even remotely suspected that I got rooted.

Some things that I would start with:
- nmap scan yourself to see if you have any suspicious ports open,
  particularly high numbered ports and known exploit ports.
- Check for unusual running processes.
- Look for traces of rootkits, hidden executables, suspicious symbolic links,
  etc.
- Do a backup (including old logs).

This is the kind of stuff that would have triggered my suspicion:

> Jun  3 18:05:25 modemheads rshd[22804]: Connection from 211.10.72.240 on
> illegal port
> Jun  3 18:05:28 modemheads rlogind[22805]: Connection from 211.10.72.240
> on illegal port
> Jun  3 18:05:40 modemheads login[22991]: invalid password for `root' on
> `pts/3' from `gw1.cybercity.ne.jp'
> Jun  3 22:30:32 modemheads login[7635]: invalid password for `root' on
> `pts/1' from `u001707.ueda.ne.jp'
> Jun  3 22:30:42 modemheads login[7635]: invalid password for `UNKNOWN'
> on `pts/1' from `u001707.ueda.ne.jp'
> Jun  3 22:30:47 modemheads login[7635]: invalid password for `root' on
> `pts/1' from `u001707.ueda.ne.jp'
> Jun  3 22:30:47 modemheads login[7635]: REPEATED login failures on
> `pts/1' from `u001707.ueda.ne.jp'

Does that mean they connected but couldn't login?

> Jun  3 22:31:47 modemheads rhnsd[838]: Could not create pipe for forking
> process; Too many open files

I think the above is a known problem with Red Hat's autoupdate feature.
http://www.geek.com/news/geeknews/q22000/gee20001012002599.htm
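The syslog excerpt quoted in the reply is the kind of thing a small log scanner can flag on its own, so that suspicious activity is noticed before anyone wonders whether the box got rooted. The script below is an added example and is not part of the original post or of the LUAU list: it parses lines in the syslog layout shown above (the sample block is a constructed copy of the quoted excerpt, hostnames and addresses as they appear there) and flags the three patterns the reply points at: rshd/rlogind connections from illegal ports, failed remote logins as root, and bursts of failures from one source. The finding names and the repeat threshold are my own choices.

```python
import re
from collections import Counter

# Constructed sample, copied from the syslog excerpt quoted in the post.
SAMPLE_LOG = """\
Jun  3 18:05:25 modemheads rshd[22804]: Connection from 211.10.72.240 on illegal port
Jun  3 18:05:28 modemheads rlogind[22805]: Connection from 211.10.72.240 on illegal port
Jun  3 18:05:40 modemheads login[22991]: invalid password for `root' on `pts/3' from `gw1.cybercity.ne.jp'
Jun  3 22:30:32 modemheads login[7635]: invalid password for `root' on `pts/1' from `u001707.ueda.ne.jp'
Jun  3 22:30:42 modemheads login[7635]: invalid password for `UNKNOWN' on `pts/1' from `u001707.ueda.ne.jp'
Jun  3 22:30:47 modemheads login[7635]: invalid password for `root' on `pts/1' from `u001707.ueda.ne.jp'
Jun  3 22:30:47 modemheads login[7635]: REPEATED login failures on `pts/1' from `u001707.ueda.ne.jp'
Jun  3 22:31:47 modemheads rhnsd[838]: Could not create pipe for forking process; Too many open files
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# login(1) failure message as it appears in the excerpt (`user', `tty', `source')
LOGIN_FAIL_RE = re.compile(
    r"invalid password for `(?P<user>[^']*)' on `(?P<tty>[^']*)' from `(?P<src>[^']*)'"
)
# rshd/rlogind complaint about a client not using a privileged source port
RCONN_RE = re.compile(r"Connection from (?P<src>\S+) on illegal port")
SRC_RE = re.compile(r"from `(?P<src>[^']*)'")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text, repeat_threshold=3):
    """Return a list of findings for the suspicious patterns discussed in the post.

    repeat_threshold (my own choice) is the number of failed logins from a single
    source that counts as a burst worth reporting on its own.
    """
    findings = []
    fails_by_src = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        prog, msg, ts = rec["prog"], rec["msg"], rec["ts"]
        if prog in ("rshd", "rlogind"):
            m = RCONN_RE.search(msg)
            if m:
                findings.append({"ts": ts, "kind": "r-service-illegal-port",
                                 "src": m.group("src"), "user": None})
            continue
        if prog == "login":
            m = LOGIN_FAIL_RE.search(msg)
            if m:
                fails_by_src[m.group("src")] += 1
                # Any failed login as root from a remote source is worth a look.
                if m.group("user") == "root":
                    findings.append({"ts": ts, "kind": "remote-root-login-failure",
                                     "src": m.group("src"), "user": "root"})
            elif "REPEATED login failures" in msg:
                m2 = SRC_RE.search(msg)
                findings.append({"ts": ts, "kind": "repeated-login-failures",
                                 "src": m2.group("src") if m2 else None, "user": None})
    # Summarise sources that produced a burst of failures regardless of username.
    for src, n in fails_by_src.items():
        if n >= repeat_threshold:
            findings.append({"ts": None, "kind": "failure-burst",
                             "src": src, "user": None, "count": n})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Run against the sample it reports both illegal-port connections, the three failed root logins, the REPEATED marker written by login itself, and one burst from the host that failed three times in fifteen seconds. As the reply notes, the logs of a machine you suspect is already compromised cannot be trusted, so a scanner like this is most useful when it runs on a separate loghost or before a suspected intrusion, not as evidence afterwards.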



More information about the LUAU mailing list