Well, that's just it - I think we'd have heard about it if they had defaced all of the sites on your machine - and it seems kind of odd that they would root the machine and pick your site randomly to deface. As far as I know, it's not a particularly high-profile site. You'd think they also would have uploaded more rox.php files... and all of this is the best-case scenario... I'm looking right now, but so far I'm not seeing other files with this name on that machine.
I didn't notice before that you were running PHPNuke, but this seems like a much more likely point of entry. I believe there have been a number of XSS holes in it. Old versions of Gallery and other common PHP programs are the most common way that people manage to gain access to users' accounts on our machines.
I can't find the original file in any of our snapshots (not sure when you removed it), but the creation / modification time on this file would probably be helpful in that respect. The window where we would have been vulnerable to any of the OpenSSH holes should have been a very small period of time.
I notice that "attack method" was left blank on the site you listed.
Well, about as much power as someone gaining access to your FTP or shell account...
To the best of my knowledge, this is not related to either of the DoS attacks of a few months ago (one inbound, one outbound).