For the last two days I've been seeing lots of lines in my /var/log/auth.log that look like:
sshd[xxxxx]: error: connect_to 0.gravatar.com port 80: failed
sshd[xxxxx]: error: connect_to 1.gravatar.com port 80: failed
sshd[xxxxx]: error: connect_to 2.gravatar.com port 80: failed
I don't think anything on my server uses gravatar, and even if it did, I don't see why sshd should be involved. Further, the reports showed up "randomly" and there have been around 100 failed attempts for each gravatar address per day.
I've tried doing a bit of diagnostics myself, but I'm not an expert. I tried looking for scripts which use gravatar (with grep on my web directory) and haven't found anything (which is extra suspicious).
While digging I found two directories that I'm concerned about:
/tmp/.X11-unix
/tmp/.ICE-unix
I thought I disabled X11 on my server since I don't use it, and I have nothing to do with the IRC or anything else that I can imagine would be in .ICE-unix. There's nothing in either directory, but their very existence is suspicious to me (possibly due to my own ignorance).
I can't find any other evidence that I've been hacked, and I thought I ran a pretty tight ship, but I'm obviously concerned about this. I run a Debian server and I make sure every single package is updated every week. I'm new to this site and to investigating a hack, so I appreciate your patience and if there's anything I can do to help you help me, please let me know (I'll let you know that I've read tons of articles and tried as hard on my own as I could before asking here, because I value all of your time).
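An added example, not part of the original post: a triage script for auth.log lines like the ones quoted above. sshd logs `connect_to ... failed` when it cannot open an outbound connection requested over a forwarding channel, so the script tallies these per day and destination and lists the successful logins found in the same log for comparison. The sample lines, host name, user, PIDs and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in Debian auth.log syntax; every value here is made up.
SAMPLE = """\
Mar  3 04:11:02 host sshd[20111]: Accepted password for demo from 203.0.113.7 port 51122 ssh2
Mar  3 04:11:09 host sshd[20113]: error: connect_to 0.gravatar.com port 80: failed
Mar  3 04:11:09 host sshd[20113]: error: connect_to 1.gravatar.com port 80: failed
Mar  3 09:40:31 host sshd[20113]: error: connect_to 0.gravatar.com port 80: failed
Mar  4 01:02:03 host sshd[20950]: error: connect_to 2.gravatar.com port 80: failed
Mar  4 01:05:00 host sshd[20990]: Failed password for root from 198.51.100.9 port 40000 ssh2
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: "
PREFIX = r"^(\w{3}\s+\d+) [\d:]+ \S+ sshd\[(\d+)\]: "
CONNECT = re.compile(PREFIX + r"error: connect_to (\S+) port (\d+): failed")
ACCEPT = re.compile(PREFIX + r"Accepted (\S+) for (\S+) from (\S+) port \d+")

def triage(lines):
    """Summarise failed forwarded connections and accepted logins."""
    failures = Counter()   # (day, "host:port") -> count
    pids = set()           # sshd processes that logged connect_to errors
    logins = []            # (day, auth method, user, source IP)
    for line in lines:
        m = CONNECT.match(line)
        if m:
            day = " ".join(m.group(1).split())   # "Mar  3" -> "Mar 3"
            failures[(day, f"{m.group(3)}:{m.group(4)}")] += 1
            pids.add(m.group(2))
            continue
        m = ACCEPT.match(line)
        if m:
            day = " ".join(m.group(1).split())
            logins.append((day, m.group(3), m.group(4), m.group(5)))
    # Depending on the OpenSSH version, the login line and the channel errors
    # may carry different PIDs, so logins are listed by day, not joined on PID.
    return {"failures": failures, "pids": pids, "logins": logins}

if __name__ == "__main__":
    report = triage(SAMPLE.splitlines())
    for (day, dest), n in sorted(report["failures"].items()):
        print(f"{day}  {dest:<24} {n} failed forward(s)")
    print("sshd PIDs involved:", ", ".join(sorted(report["pids"])))
    for day, method, user, ip in report["logins"]:
        print(f"{day}  accepted {method} login: {user} from {ip}")
```

To run it against a real log, replace `SAMPLE.splitlines()` with `open("/var/log/auth.log")`.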