I have been working with my developer for a while. He used to have access to the root folder a while ago. I have then seen some strange activity on the server 1 month ago. Therefore I have restricted access to a specific folder that he needs to work on, and changed the cpanel and WHM passwords so he won't access it.
Today I fired him, however right before I fired him I deleted all his user accounts, so he won't access the server. He then somehow accessed my server a few hours later and overwritten all my new files with some old files I previously has.
When I submitted a ticket regarding this, softlayer couldn't find a trace of him logging in to the specific directory . Then I spoke with softlayer again and they said that he might have opened a backdoor if he had access to my previous files.
How might this happen? Were can I find a service that patch up the open holes he got int through?