If you do leave SSH up, change it to a random high-numbered port. I have tons of generic blanket attacks in my logfiles of people trying to SSH in as things like 'root', 'admin', 'administrator', etc. on port 21.
That's advisable, yes, but a port sniffer will find the higher port number easily, so it's easily circumvented and definitely not foolproof.
Use RSA keys instead of passwords for SSH, and always use SSH2.
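An added example, not part of the original posts: a small Python check of an `sshd_config` against the SSH advice in the posts above (non-default port, SSH2 only, keys rather than passwords). The function names and both sample configs are constructed for illustration, and the defaults assumed for missing keywords (Port 22, password and public-key logins enabled, Protocol 2) are those of current OpenSSH.

```python
import re

def parse_sshd_config(text):
    """Return {keyword: [values]} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":          # settings below a Match block are conditional
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings

def audit(text):
    """Check the thread's SSH advice; returns a list of (code, message)."""
    cfg = parse_sshd_config(text)
    first = lambda key, default: cfg.get(key, [default])[0]  # sshd keeps the first value
    findings = []
    ports = cfg.get("port", ["22"])   # Port may repeat; every value is a listener
    if "22" in ports:
        findings.append(("default-port", "sshd listens on port 22"))
    if "1" in first("protocol", "2").split(","):
        findings.append(("ssh1-enabled", "Protocol line allows SSH1"))
    if first("passwordauthentication", "yes") != "no":
        findings.append(("password-auth", "password logins are accepted"))
    if first("pubkeyauthentication", "yes") == "no":
        findings.append(("no-pubkey", "key-based logins are disabled"))
    return findings

# Constructed sample configs, not taken from any real host.
WEAK = """\
# stock-looking config
Port 22
Protocol 2,1
PasswordAuthentication yes
"""
HARDENED = """\
Port 48222
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, [code for code, _ in audit(text)] or "ok")
```

The check reads only the global section, so a `Match` block that turns password logins back on for some users (as in the hardened sample) still needs a manual look.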
Here's one idea: if you do everything correctly and follow the previous suggestions, and it still happens again, you might try to check your PC for any trojans, keyloggers, etc. That is assuming that you haven't already. You never know, it could be something as simple as your PC being compromised; it wouldn't be the first time that has happened to someone.
Augh! You beat me to it. I read through the entire topic and thought, why has no one mentioned keyloggers? Then I get to the last post >_< Yes, I would recommend either Adaware or Spybot Search and Destroy. Also have Avast scanner running in the background at all times.
If you are on shared hosting, check if safe mode is on. If not, then it is possible to go from one website to another on the same server, i.e. access to your site from another shared hosting account.