Can't stop hacker from gaining root access to my web server! Please help
Posted on 2011-09-13
Yesterday I went to ssh into my web server like a normal day when it said my root password was invalid. I logged in with another account with no problem but still couldn't get root access. I checked the logs and saw a new account was created with root privileges and my root password was changed, both from an IP based in Asia. I'm the only one with access to my dedicated server and I'm in the US.
I called my hosting company and had them reset the server and root password. I logged in, deleted that new account, limited ssh access to only my one limited user account, changed passwords for that account and a different one for root, changed the port ssh runs on, and set up iptables to block all connections except on port 80 (http), 443 (https) and the new port I set for ssh. I thought to myself that now it's completely secure, except today I log in and find all my logs are deleted, a new account is created again with root access and my iptables rules have been cleared. I did everything again but no doubt the hacker will be back in soon.
What should I do? I'm at a loss. I'm in the process of copying all my valuable files off my server to do a fresh install and start over. My websites average over 150K pageviews per day so I don't want to go offline if possible. How can I find how he's getting in? Please help. Not sure what to do here.
I run CentOS Linux and Apache.
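A small audit script, added here as an example and not part of the original post, for the two indicators the post describes: an extra UID-0 account in /etc/passwd, and an sshd_config that still lets root (or every local account) log in after the hardening. The sample /etc/passwd and sshd_config contents and the account names are constructed placeholders.

```python
"""Audit for the indicators in the post: extra UID-0 accounts and an
sshd_config that still permits root or unrestricted ssh logins.
Sample inputs below are constructed for illustration only."""
import re

# Constructed sample /etc/passwd: a second UID-0 account has been added.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
webadmin:x:500:500::/home/webadmin:/bin/bash
sysadm:x:0:0::/var/tmp:/bin/bash
"""

# Constructed sample sshd_config after moving the port and adding AllowUsers,
# but with PermitRootLogin left commented out (OpenSSH default at the time: yes).
SAMPLE_SSHD = """Port 2222
#PermitRootLogin yes
AllowUsers webadmin
PasswordAuthentication yes
"""

def extra_uid0_accounts(passwd_text):
    """Return account names with UID 0 other than 'root'.
    Any result means a backdoor root-equivalent account exists."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra

def sshd_findings(config_text):
    """Return sshd_config weaknesses relative to the post's goal (root locked
    out of ssh, only one named account allowed in). Commented-out directives
    are skipped and treated as the OpenSSH default."""
    settings = {}
    for line in config_text.splitlines():
        m = re.match(r"^\s*(\w+)\s+(.+?)\s*$", line)  # '#' lines do not match
        if m:
            settings[m.group(1).lower()] = m.group(2)
    findings = []
    if settings.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no' (default permits root)")
    if "allowusers" not in settings:
        findings.append("no AllowUsers line; every local account may ssh in")
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication enabled; key-only is safer")
    return findings

if __name__ == "__main__":
    print("extra UID-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    for finding in sshd_findings(SAMPLE_SSHD):
        print("sshd:", finding)
```

Run it against copies of the files taken from a rescue boot or an offline mount, since after a root compromise the live host's own binaries and logs cannot be trusted.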