Have you tried to see if your server is infected on with rkhunter or similar tools for rootkits or worms etc ?
Else this attacks could happen remotely exploiting some user account that has easy passwords that can be brute forces .. or dictionary attacks ..