Via httpd abuse, probably a SQL injection, a folder /tmp/.nt was installed on the server. There was a zip file and several others owned by apache. That is how processes were started on the server.
I've added mod_security and mod_evasive, hardened PHP, and am hoping the Joomla upgrade proceeds.
The problem is solved. I'm looking for more agile intrusion detection to prevent this from happening again.
isn aka SEP from ITRC forums