We had an e-smith 4.12 box running for 2 weeks without problems, but 2 hours after forwarding port 22 through the hardware router and turning on ssh we were no longer able to login as root or admin.
Booting from the rescue floppy allowed us to check a few things out. The admin password had been changed, the log files tampered with - /var/log/secure and lastlog started from the time of our most recent attempts to log in. There was nothing showing in the command history for root - deleted too, we think.
It is extremely unlikely that anyone had physical access to the box to fiddle with it in the 2 hours, but then it's hard to believe that ssh could be breached so quickly. We did attempt a remote login over the net, so the password must have been sent. All a bit of a mystery at the moment. We took the box offline and will reformat.
Richard