>>netstat -pant only shows connections to port 22 from legit places.
>Hmmm. How many other admins does this machine have?
It's a small shop. Only me.
This really tends toward the "hacked" theory. Either no one is using the
connection illictly now, or it's hidden by a rootkit.
But let's try to eliminate other possibilities. The "netstat -pant" (as
root) should show you the process ids of the legit ssh sessions. Then, use
ps (or look in proc... whatever) and see what process is the parent of that
one. It should be /usr/bin/sshd.
If it's *not* /usr/bin/sshd, that's peculiar. But if it *is*, and "rpm -V
openssh-server" claims that the sshd is unmodifed, and yet it still claims
to be the debian binary, that's even *more* peculiar.
It appears to have been a hack. rpm -V openssh-server showed that
sshd has been modified.
I'll be damned if I know how they got in. I drop ssh packets after 3 attempts
in one minute in iptables. I review logs every morning.
I deleted all ssh packages from one of the minor servers and reinstalled them
and everything worked ok ppublickeys etc. I know that's not the solution.
Looks like I have several reinstalls to do. Unless someone has a better idea?
Thanks for everyone's help.
Mike