They don't show up when you're looking for user jobs, who's logged in, etc, but ssh traffic via tcpdump clearly shows that 123.125.127.204 pwned my CentOS 5.4 box. Googled the IP and its known bad and in a few firewall block rules published for helping n00bs avoid known bad hosts. Needed to rebuild that server anyhow .. just sharing.
PS I've been hooked on watching the Hak5 podcasts for about 4 months now whenever I'm on a plane.