Thanks. I found when the id was created in the secure log, but didn't see anything unusual in bash history. Also, the server has hung a couple of time over the past couple of days which required a re-boot. I see many failed login attempts (sample below). Could this be a DOS attack?
Aug 4 07:46:21 server1 sshd[5096]: input_userauth_request: invalid user collins
Aug 4 07:46:22 server1 sshd[5096]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:23 server1 sshd[5110]: Invalid user collins from 62.42.240.249
Aug 4 07:46:23 server1 sshd[5111]: input_userauth_request: invalid user collins
Aug 4 07:46:23 server1 sshd[5111]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:24 server1 sshd[5116]: Invalid user collins from 62.42.240.249
Aug 4 07:46:24 server1 sshd[5117]: input_userauth_request: invalid user collins
Aug 4 07:46:24 server1 sshd[5117]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:25 server1 sshd[5132]: Invalid user com from 62.42.240.249
Aug 4 07:46:25 server1 sshd[5133]: input_userauth_request: invalid user com
Aug 4 07:46:25 server1 sshd[5133]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:27 server1 sshd[5138]: Invalid user com from 62.42.240.249
Aug 4 07:46:27 server1 sshd[5141]: input_userauth_request: invalid user com
Aug 4 07:46:27 server1 sshd[5141]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:28 server1 sshd[5144]: Invalid user com from 62.42.240.249
Aug 4 07:46:28 server1 sshd[5147]: input_userauth_request: invalid user com
Aug 4 07:46:28 server1 sshd[5147]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:43 server1 sshd[5236]: Invalid user commando from 62.42.240.249
Aug 4 07:46:43 server1 sshd[5252]: input_userauth_request: invalid user commando
Aug 4 0
Aug 4 07:46:21 server1 sshd[5096]: input_userauth_request: invalid user collins
Aug 4 07:46:22 server1 sshd[5096]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:23 server1 sshd[5110]: Invalid user collins from 62.42.240.249
Aug 4 07:46:23 server1 sshd[5111]: input_userauth_request: invalid user collins
Aug 4 07:46:23 server1 sshd[5111]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:24 server1 sshd[5116]: Invalid user collins from 62.42.240.249
Aug 4 07:46:24 server1 sshd[5117]: input_userauth_request: invalid user collins
Aug 4 07:46:24 server1 sshd[5117]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:25 server1 sshd[5132]: Invalid user com from 62.42.240.249
Aug 4 07:46:25 server1 sshd[5133]: input_userauth_request: invalid user com
Aug 4 07:46:25 server1 sshd[5133]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:27 server1 sshd[5138]: Invalid user com from 62.42.240.249
Aug 4 07:46:27 server1 sshd[5141]: input_userauth_request: invalid user com
Aug 4 07:46:27 server1 sshd[5141]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:28 server1 sshd[5144]: Invalid user com from 62.42.240.249
Aug 4 07:46:28 server1 sshd[5147]: input_userauth_request: invalid user com
Aug 4 07:46:28 server1 sshd[5147]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:43 server1 sshd[5236]: Invalid user commando from 62.42.240.249
Aug 4 07:46:43 server1 sshd[5252]: input_userauth_request: invalid user commando
Aug 4 0