Hi, we have a small company with some FreeBSD boxes running Apache 1.3.
Lately we have been targeted by many crackers/script kiddies and professional people, and we have removed several .php files from our servers that were deployed by them; they contained scripts for searching and maybe dumping our MySQL DB. Last time, when we found files like these, we searched the logs and saw a Russian IP that was logging in with my account name via SSH! So now my host has turned off all access to the server and we're trying to figure out what is going on. The SSH password was very strong, so the theory is that the evil person got it from my local PC or something like that. But I have scanned my PC for spyware and I think it's unlikely they got it that way, because if they did they would have ALL passwords, and we have only seen this IP on 1 of the boxes.
How do we proceed from here? I do not expect my host to really be able to fix this, and I would like someone to try and see if they can find the weak points.
But if we hired a security company, would we be able to trust them?
And can you tell me if there's any way that it's possible to gather the SSH passwords from a server like mine with bad security, or can we conclude that they got it from my email account or something like that? I hope not!
The SSH password was as strong as this: "5W)rjKQ;V$hxEvz,A?" but it was also used for FTP access, and I think it was also used for checking the mail account on the server via Outlook.