Thanks, Nick. I just didn't see your follow up. Replaced the first box yesterday with new hardware.

We serve out the built in sites like Webconfig, Zarafa Webapp, and Z-Push. No other websites hosted. Root password was 14 characters. Found the external port was also shared as IMPI port on Supermicro box. Looking at that angle as well. SSH was blocked by firewall when not in use. Shell access component was installed for OpenLDAP and several users had it enabled after the fact but I'm unable to confirm it they did before on one of the boxes. The other box didn't have the component installed. It is not our practice to give shell access until needed and then custom rules to allow specific IP addresses to connect. No users needed it a either location.

I'm comparing the files that were left behind. Unfortunately, it covered its tracks pretty well. Most of the log files were removed along with bash history. Will be happy to share what I find.