So I just found that a server seems to have been compromised. Still looking into what/how. I've found the same foreign IP in the /home/account/.lastlogin of a couple accounts. I searched through access_logs and found the same IP had logged into all accounts all 2 seconds apart... like every two seconds logged into a different account. How is this possible? Has to be automated... but how without Root? Now, I'm not 100% that Root has been compromised yet... any suggestions on finding out? Can this automated login even be possible without Root?