Forum Discussion
TeknoJnky
Jun 20, 2010 (Hero)
nas hacked?
so I forgot to disable ssh port map on my router at some point, and today I was trying to ssh in and check something and could not log in. I thought maybe I changed my root password but nothing I c...
WhoCares_
Jun 28, 2010 (Mentor)
dbott67 wrote: 1. What day did you re-install the SSH add-on (i.e. June 18 at 16:05)?
If this is the date & time, then these entries were created when re-installing the SSH add-on:
Not in my life ;)
If you take a look at your /etc/passwd file, you'll see that the 'sshd' user not only has a completely different homedir but also that he's got a 'nologin' shell. So, yes, TJ is right in that his system was broken into.
dbott67 wrote: 2. What IP address were you trying to login from (i.e. 79.112.138.182)?
I doubt he's from Romania ;)
Anyway: I'd do a firmware re-install, for most likely a hacked/modified version of the SSH daemon was installed on the system. At least the reloading of the SSH daemon points to that conclusion. Since a "clean start" is easily possible with a firmware re-install, that'd be my choice of action.
Next I'd opt for picking a better password. And from the log excerpts I'd say checking the /etc/crontab, /etc/cron.d, /etc/cron.daily, /etc/cron.weekly, /etc/cron.hourly and /etc/cron.monthly directories / files for suspicious entries would be in order.
Also after the re-install check the settings for the sshd user in /etc/passwd and /etc/group. They should look like this:
readypro:~# grep sshd /etc/passwd
sshd:x:40:65534::/var/local/:/usr/sbin/nologin
readypro:~# id sshd
uid=40(sshd) gid=65534(nogroup) groups=65534(nogroup)
-Stefan
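Added example, not code from this thread or from NETGEAR: a POSIX sh script that applies Stefan's two checks after a re-install, comparing the sshd line in a passwd file against the expected entry he quotes and listing the non-comment lines of the cron files he names for manual review. The passwd path and filesystem root are parameters so it can be run against a mounted copy; the expected values (uid 40, home /var/local/, shell /usr/sbin/nologin) are taken from the post above.

```shell
#!/bin/sh
# Post-reinstall checks for a ReadyNAS-style box (added example).
# Expected sshd entry, per the thread:
#   sshd:x:40:65534::/var/local/:/usr/sbin/nologin

# check_sshd_entry PASSWD_FILE
# Prints OK or ALERT; returns 0 only if the sshd account matches the expected shape.
check_sshd_entry() {
    passwd_file=$1
    line=$(grep '^sshd:' "$passwd_file" || true)
    if [ -z "$line" ]; then
        echo "ALERT: no sshd user in $passwd_file"
        return 1
    fi
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    # A login shell or a changed home directory is the sign Stefan describes.
    if [ "$uid" = "40" ] && [ "$home" = "/var/local/" ] && [ "$shell" = "/usr/sbin/nologin" ]; then
        echo "OK: $line"
        return 0
    fi
    echo "ALERT: unexpected sshd entry: $line"
    return 1
}

# list_cron_entries [ROOT]
# Prints every non-comment, non-blank line from the cron locations named in the
# thread, prefixed with the file it came from, so they can be eyeballed.
list_cron_entries() {
    root=${1:-}
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/etc/cron.hourly/* \
             "$root"/etc/cron.daily/* "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | sed "s|^|$f: |"
    done
}
```

Run as `check_sshd_entry /etc/passwd; list_cron_entries` on the live system, or pass a mount point such as `/mnt/nasroot` as the root to inspect an offline copy.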