As John mentioned in his mail, some were up to date RH7.3 boxes, some weren’t. He doesn’t know how the boxes were infected, although the Phrack article mentions a vulnerability in PHP. Another weblog bemoaned Red Hat for not updating their PHP rpms so that could be related..