And NO one knows how it's being done?
Pure insanity . . . how can this be going on for months and no one has a clue and all they can do is guess that maybe a password was guessed and used for logon?
If these boxes were Windows boxes - I'm pretty confident the world would know how it was being done by now . . . it would either be an exploit or a password and either way - our PSS IR guys would figure it out. :)
Edited: SecureWorks mentioned in the article above actually have a fairly decent write-up on the attacks here: http://www.secureworks.com/research/threats/linuxservers/?threat=linuxservers
Update - test