I believe they came in through an incomplete frontpage server extension installation. (One that I had aborted earlier in the year for what is now a non-customer).
I did find two root-kits and have booby-trapped them. (Along with castrating FPSE). The obvious one is /tmp/localroot, and the other (buried one) was /usr/local/apache/lib/suexec. The lesson this time is: One *must* keep up with housekeeping, or pay dearly later on. Sorry for the interruption - back to our regularly scheduled programming...
signature.asc
Description: This is a digitally signed message part
