That's what i thought at first as well but it's not so - The server was locked down quite well by ConfigServer people before and i had RK hunter running on it plus reports of all sorts.
All the latest software has been installed and i would have received notifications via email of major file changes in the important directories - I had directory watching on system directories and i have SSH logins for all users notifications...
Also no funny accounts found - Root password was the same
I strongly suspect it's something else but what it is i have no idea,
