So, at first I thought the box was compromised, but nothing has been changed. Looking at the logs I found the following:
Code:
Mar 13 19:02:46 mail2 sshd[1942]: Accepted publickey for root from XXX.XXX.XXX.XXX port 48404 ssh2
Mar 13 17:09:36 mail2 sshd[3519]: Accepted password for root from XXX.XXX.XXX.XXX port 61894 ssh2
Mar 14 00:09:36 mail2 sshd[3520]: Accepted password for root from XXX.XXX.XXX.XXX port 61894 ssh2
Mar 14 00:10:45 mail2 sshd[3554]: Accepted password for root from XXX.XXX.XXX.XXX port 54004 ssh2
Mar 13 17:10:45 mail2 sshd[3553]: Accepted password for root from XXX.XXX.XXX.XXX port 54004 ssh2
Having that many SSH logins isn't abnormal, and the IPs are all internal and completely valid, but why does it go back and forth from Mar 13 to 14 and back? It's only on this system. I checked the time, date and DST settings; they're all nominal. The systems that we're logging in from remotely are also OK.
As I said prior, this caused me to think we'd been compromised, but I can't find any changes, rootkits, extra users, etc. Any ideas?
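One thing worth noticing in the quoted lines is that the "out of order" entries come in pairs: the two entries with port 61894 have adjacent PIDs (3519/3520) and are exactly seven hours apart, and the same holds for port 54004 (3553/3554). A client TCP port is normally used once per connection, so two "Accepted" lines for the same source and port usually describe one session reported twice, which points at how the timestamps are being produced rather than at two logins. The following script is an added triage example (not part of the post) that parses sshd "Accepted" lines, reports where the log timestamp steps backwards in file order, and groups entries by (source, port) to show the skew and PID distance inside each pair. The sample lines are constructed from the post with the addresses masked the same way; the year is assumed because syslog timestamps do not carry one.

```python
"""Triage helper: find timestamp inconsistencies in sshd 'Accepted' log lines."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input modelled on the lines quoted in the post (addresses masked).
SAMPLE_LOG = """\
Mar 13 19:02:46 mail2 sshd[1942]: Accepted publickey for root from XXX.XXX.XXX.XXX port 48404 ssh2
Mar 13 17:09:36 mail2 sshd[3519]: Accepted password for root from XXX.XXX.XXX.XXX port 61894 ssh2
Mar 14 00:09:36 mail2 sshd[3520]: Accepted password for root from XXX.XXX.XXX.XXX port 61894 ssh2
Mar 14 00:10:45 mail2 sshd[3554]: Accepted password for root from XXX.XXX.XXX.XXX port 54004 ssh2
Mar 13 17:10:45 mail2 sshd[3553]: Accepted password for root from XXX.XXX.XXX.XXX port 54004 ssh2
"""

# Matches the classic syslog format used by sshd for successful authentications.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)


class Login(NamedTuple):
    ts: datetime
    pid: int
    method: str
    user: str
    src: str
    port: int


def parse_accepted(text: str, year: int = 2023) -> List[Login]:
    """Parse sshd 'Accepted ...' lines in file order.

    Syslog timestamps have no year, so one is assumed (parameter, not from the log).
    """
    logins: List[Login] = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append(Login(ts, int(m["pid"]), m["method"], m["user"], m["src"], int(m["port"])))
    return logins


def backward_steps(logins: List[Login]) -> List[Tuple[Login, Login]]:
    """Return (previous, current) pairs where the timestamp moves backwards in file order.

    syslog writes lines as it receives them, so a backward step means two writers
    disagree about the current time, not that the file was reordered.
    """
    return [(p, c) for p, c in zip(logins, logins[1:]) if c.ts < p.ts]


def duplicate_sessions(logins: List[Login]) -> Dict[Tuple[str, int], Tuple[float, int]]:
    """Group by (src, port) and report groups with more than one 'Accepted' line.

    Returns {(src, port): (skew_hours, pid_gap)}.  A small pid_gap with a skew of
    whole hours suggests two sshd processes for one session stamping with different
    clock/timezone views; a large pid_gap with varied skew looks more like separate
    connections that happened to reuse a client port.
    """
    groups: Dict[Tuple[str, int], List[Login]] = defaultdict(list)
    for entry in logins:
        groups[(entry.src, entry.port)].append(entry)
    report: Dict[Tuple[str, int], Tuple[float, int]] = {}
    for key, members in groups.items():
        if len(members) < 2:
            continue
        stamps = [m.ts for m in members]
        pids = [m.pid for m in members]
        skew_hours = (max(stamps) - min(stamps)).total_seconds() / 3600
        report[key] = (skew_hours, max(pids) - min(pids))
    return report


if __name__ == "__main__":
    entries = parse_accepted(SAMPLE_LOG)
    for prev, cur in backward_steps(entries):
        print(f"clock went backwards: pid {prev.pid} @ {prev.ts} -> pid {cur.pid} @ {cur.ts}")
    for (src, port), (skew, gap) in duplicate_sessions(entries).items():
        print(f"{src}:{port} logged {skew:.1f}h apart, pid distance {gap}")
```

Run against the real /var/log/secure (or auth.log) and compare the reported skew with the offset between UTC and the box's local zone; a constant whole-hour skew inside adjacent-PID pairs is a clock/timezone reporting problem to chase, while pairs that do not line up that way are the ones to treat as separate sessions and investigate further.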