It sends "Did not receive identification string from ::ffff:10.0.0.12" every five minutes exactly. One question I have on top of this though. I have OpenNMS installed on the Debian machine, is it probing to see if the ssh server is still running or should it still get this from SNMP?
Looks like a good explanation, and I know I've seen similar with other tools like Nagios and Monit. Correlating timings between the NMS probe and the log entry should prove it.
or has in fact been hacked?
I strongly doubt that is the case (and even then *I* am not responsible for the box but you, so it's your call), but just in case you want to make certain the box is not cracked, start here:
Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html
Steps for Recovering from a UNIX or NT System Compromise (CERT):
http://www.cert.org/tech_tips/root_compromise.html
LQ FAQ: Security references:
http://www.linuxquestions.org/questi...threadid=45261
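
One way to do the timing correlation suggested above, as an added example that is not part of the original thread: group the sshd "Did not receive identification string" entries by source address and check whether the gaps match a fixed poll interval. The log lines are constructed samples, the 300-second period comes from the "every five minutes" in the first post, and the 5-second jitter tolerance, the year, and the second address (192.0.2.77) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in classic syslog format (not from the original thread).
SAMPLE_LOG = """\
Mar  3 10:00:01 debian sshd[2101]: Did not receive identification string from ::ffff:10.0.0.12
Mar  3 10:02:17 debian sshd[2110]: Accepted password for admin from 10.0.0.5 port 40122 ssh2
Mar  3 10:05:01 debian sshd[2125]: Did not receive identification string from ::ffff:10.0.0.12
Mar  3 10:10:02 debian sshd[2140]: Did not receive identification string from ::ffff:10.0.0.12
Mar  3 10:11:40 debian sshd[2144]: Did not receive identification string from ::ffff:192.0.2.77
Mar  3 10:15:01 debian sshd[2160]: Did not receive identification string from ::ffff:10.0.0.12
Mar  3 10:19:03 debian sshd[2171]: Did not receive identification string from ::ffff:192.0.2.77
Mar  3 10:19:55 debian sshd[2174]: Did not receive identification string from ::ffff:192.0.2.77
"""

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Did not receive identification string from (\S+)")

def probe_times(log_text, year=2024):
    """Map source address -> sorted timestamps of banner-less connections."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mon, day, clock, src = m.groups()
            # Syslog omits the year; `year` is an assumed value, only the gaps matter.
            ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            seen[src.removeprefix("::ffff:")].append(ts)  # drop IPv4-mapped prefix
    return {src: sorted(ts) for src, ts in seen.items()}

def classify(times, period=300, jitter=5):
    """Return ('periodic' | 'irregular' | 'insufficient data', gaps in seconds)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return "insufficient data", gaps
    ok = all(abs(g - period) <= jitter for g in gaps)
    return ("periodic" if ok else "irregular"), gaps

def report(log_text, period=300, jitter=5):
    """Verdict per source address for the whole log."""
    return {src: classify(t, period, jitter)[0]
            for src, t in probe_times(log_text).items()}

if __name__ == "__main__":
    for src, verdict in report(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

A "periodic" verdict for an address that is also the monitoring host, at the interval configured for its SSH service poll, supports the monitoring explanation; an "irregular" source is the one worth a closer look.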