Well, the server was hacked [1], but it looks to be a customer account was compromised, since the executables where owned by a customer account, the processes were running on unpriviledged ports, and the server was being used as part of denial of service attacks, with executables hidden under a hidden directory in /var/tmp.
Fortunately, the system hacked is running Linux without module support, so patching system calls [2] to hide activity is impossible without a reboot (which would be noticed).
And as always, it could have been worse [3].