we've tried changing root passwords, changing ssh's listening port, removing all ftp access temporarily, etc. hasn't stopped it.

I am completely at a loss as to how to track down how this is being done.