And NO one knows how it's being done?

http://www.linux.com/feature/125548

Pure insanity . . . how can this be going on for months and no one has a clue and all they can do is guess that maybe a password was guessed and used for logon? 

If these boxes were Windows boxes - I'm pretty confident the world would know how it was being done by now . . . it would either be an exploit or a password and either way - our PSS IR guys would figure it out. :)

Edited: SecureWorks, mentioned in the article above, actually has a fairly decent write-up on the attacks here: http://www.secureworks.com/research/threats/linuxservers/?threat=linuxservers
