Is messages showing a hack attempt

On Wed, 24 Aug 2005 01:23:24 -0400, William Park staggered into the Black Sun and said...

I just can't seem to make sense of my /var/log/messages. Investigating why our production server went down and restarted last night, I'm finding weird entries, such as timestamps that haven't happened yet, out of order, and, unlike the usual "authentication failed"s in a long list indicating random script-kiddie attempts, I'm seeing repeated attempts using one existing username, coming FROM another of our servers that can't be FTP'd from!

Aug 23 10:14:12 server1 ftpd[9278]: FTP session closed
Aug 23 15:15:32 server1 ftpd[5575]: duane of ded140223210.yhti.net [66.140.223.210] created directory www-home-printingautomation-proofs-30220
Aug 23 15:15:43 server1 ftpd[9450]: FTP LOGIN FROM ded140223210.yhti.net [66.140.223.210], duane
Aug 23 15:15:43 server1 ftpd[9451]: FTP LOGIN FROM ded140223210.yhti.net [66.140.223.210], duane
Aug 23 15:16:19 server1 ftpd[9451]: FTP session closed
Aug 23 15:17:05 server1 ftpd[9450]: FTP session closed
Aug 23 10:19:11 server1 ftpd[9653]: FTP session closed
Aug 23 10:24:12 server1 ftpd[9981]: FTP session closed
Aug 23 10:29:11 server1 ftpd[10405]: FTP session closed
Aug 23 15:29:34 server1 ftpd[10430]: FTP LOGIN FROM fileserve [our server2 IP], duane
Aug 23 15:29:34 server1 ftpd[10431]: FTP LOGIN FROM fileserve [our server2 IP], publicpa
Aug 23 15:29:34 server1 ftpd[10432]: FTP LOGIN FROM fileserve [our server2 IP], ftpmarket
Aug 23 10:34:11 server1 ftpd[10898]: FTP session closed

That "fileserve" does not have anyone logging into it, so to have FTP attempts FROM it is VERY suspicious! And note the odd timestamps? 15:00:00 hasn't even happened here yet!

Where should I go from here? What should I check? I want to change everyone's passwords, but I'm afraid just taking it off the network to do it wouldn't do any good if someone's set up some root keystroke or activity tracer or something. Or a packet sniffer that stores the data locally for later retrieval. How do I check for such things?!

Thanks for any help!!

Liam
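Added example, not part of the post or its thread: a small Python pass over syslog-style ftpd lines that flags the three things Liam's excerpt shows, namely the clock jumping backwards, FTP logins from a host that should never be an FTP client, and one host logging in as several different users in the same second. The sample log is constructed from the post's lines; the [pid] and [ip] brackets are assumed to be the normal ftpd format that the scrape stripped, and 192.0.2.20 stands in for the server2 address the poster redacted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the poster's /var/log/messages excerpt.
# 192.0.2.20 is a placeholder for the redacted server2 address.
SAMPLE_LOG = """\
Aug 23 10:14:12 server1 ftpd[9278]: FTP session closed
Aug 23 15:15:43 server1 ftpd[9450]: FTP LOGIN FROM ded140223210.yhti.net [66.140.223.210], duane
Aug 23 15:17:05 server1 ftpd[9450]: FTP session closed
Aug 23 10:19:11 server1 ftpd[9653]: FTP session closed
Aug 23 15:29:34 server1 ftpd[10430]: FTP LOGIN FROM fileserve [192.0.2.20], duane
Aug 23 15:29:34 server1 ftpd[10431]: FTP LOGIN FROM fileserve [192.0.2.20], publicpa
Aug 23 15:29:34 server1 ftpd[10432]: FTP LOGIN FROM fileserve [192.0.2.20], ftpmarket
Aug 23 10:34:11 server1 ftpd[10898]: FTP session closed
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ftpd\[(\d+)\]: (.*)$")
LOGIN_RE = re.compile(r"^FTP LOGIN FROM (\S+) \[?([\d.]+)\]?, (\S+)$")


def analyse(log_text, never_ftp_hosts, year=2005):
    """Return (time_jumps, bad_source, bursts): lines where the timestamp went
    backwards, logins from hosts in never_ftp_hosts, and (host, second) pairs
    under which more than one distinct username logged in."""
    jumps, bad, prev = [], [], None
    users_at = defaultdict(set)
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ftpd line
        # syslog carries no year, so one is supplied to get a comparable datetime
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if prev is not None and ts < prev:
            jumps.append((n, prev, ts))
        prev = ts
        lm = LOGIN_RE.match(m.group(4))
        if lm:
            host, ip, user = lm.groups()
            users_at[(host, ts)].add(user)
            if host in never_ftp_hosts:
                bad.append((n, host, ip, user))
    bursts = [(key, sorted(users)) for key, users in users_at.items() if len(users) > 1]
    return jumps, bad, bursts


print(analyse(SAMPLE_LOG, {"fileserve"}))
```

A backwards time jump between consecutive lines is worth treating as its own finding: on a single host it points at the clock being changed or at lines being written into the file by something other than syslogd, which is exactly the doubt raised in the post.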