Two mistakes he made 1- the file name is easy to guess 2- he allowed file listening in his server
The file name was not guessed, it was a shell command injection on the website, doing a ls listed an interestingly named file "allinfo.txt". Looking at this, it had the ssh username/password...
Advice to mike, read up on a little project called Gnu Privacy Guard.
I wonder what I should do? Oh yeah, it's called logging on with them.