Well I have recently fired a Server Admin for a few issues. First he firewalled ssh shut so that no one could access it. Then he installed a key so he can enter the servers without need the password to get in. After we discovered this, I immediately called the datacenter to have all of the passwords changed (not knowing he had the key) so that we could get him out. We thought everything was clear, had the servers scanned for backdoors and vulnerabilites and such. The datacenter then monitored his activities, seeing that he was still active in the servers (this is after we fired him) and he changed all of the configurations, (dns etc etc) causing pretty much everything to go offline. He then admitted to how he was doing everything. Now everything is fixed and back online, keys removed, ports changed, firewalls installed, the whole deal. Now this is illegal in many ways, illegally cracking into a server, changing configs, etc etc. What actions would you take against this?
