Well... there was the possibility it was our guy in Spain, so I IM'd him.
“Have you logged in at all in the past 24 hours?”
“Well - I went in through POP to clear out some of the larger files that were clogging things up”
“Shit... that's a different machine altogether. I think someone from [this Spanish IP] got in again”
“That's my ISP - but I'm not on that particular IP at the moment”
“Nuts. I think I'm going to make a few changes.”
So... I changed the SSH port, changed the passwords and told iptables to drop the entire IP range that the address that got in belonged to.
Some time later, an IM from Spain...
“Hey... my Contribute connection no longer works”
Contribute is Macromedia's web-editing-for-dummies system. You tell it the webpages (or parts of a webpage) a user can edit and where they reside as far as the server's FTP is concerned and it does the rest in a WYSIWYG interface. Naturally, we don't use FTP, but Contribute can use Secure FTP as well. And, well, that's why there was a bunch of unsuccessful SSH logins followed by a successful one from Spain...
Congrats, you hacked yourself!