Someone brute-forced their way into the server last week, my fault for not disabling all logins to the server.
Normally, this isn’t a problem, as the default firewall setup I always use prevents any remote logins except from known-good hosts. However, this server was accidentally provided with partially missing firewall code by the hosting company, and so I couldn’t run my firewall without first upgrading the kernel. And I’d been “too busy to get around to” doing that…