You are welcome. It’s really hard to “guess” what the best approach would be. Obviously it would be nice if you could tell what was done during those logins, but that may not be so trivial, especially if the perpetrator “touched” the files he manipulated (obfuscating time stamps).
If your user (the one that was logged in from the suspect IP addresses) had shell access, you may be able to tell what was done by scrolling through the bash history (to see what commands the perpetrator executed).
He may also have just uploaded stuff (possibly overwriting existing files), which is harder to tell without full access to the FTP logs (and I don’t believe you have access to them - that may require DH support’s help).
The approach I would take is to assume the worst, and accept that you may not be able to (quickly or conveniently) tell exactly what was done, and proceed as follows:
1. Change Password (which I assume you have done)
2. Disable FTP access to the server for your user (enable SFTP/SSH only)
3. Reload directories from known good backups
4. Update all scripts you are running to their latest versions
I don’t know if you can rely on DH “.snapshot” backups to be “known good” (depends upon when the perpetrator found his way into your account), so I would use only stuff I had stored “off-site” for the reload.
That process should get you “back in business” as soon as possible, but still leaves the possibility that one of your scripts was exploited. You can investigate this a little further with a careful review of your access logs to see what, if any, “strange stuff” was passed via HTTP requests, and a thorough Google search for exploits related to any software you are running.
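An added example, not part of the original post, for the "touched" files mentioned above: on Linux, `touch` can set a file's modification time but the inode change time (ctime) still records when that happened, so listing files by ctime inside the window of the suspect logins shows what was written or re-stamped then. The function names, the sample files and the time window are assumptions made for the illustration.

```python
import os
import stat
import tempfile
import time

def changed_in_window(root, start, end):
    """Regular files under root whose inode change time (ctime) lies in
    [start, end] (epoch seconds), as (path, mtime, ctime) sorted by ctime."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # vanished or unreadable
            if stat.S_ISREG(st.st_mode) and start <= st.st_ctime <= end:
                hits.append((path, st.st_mtime, st.st_ctime))
    return sorted(hits, key=lambda h: (h[2], h[0]))

def backdated(hits, slack=60):
    """Subset whose mtime is more than `slack` seconds older than ctime.
    A hint only: chmod, rename and archive extraction cause this too."""
    return [h for h in hits if h[2] - h[1] > slack]

if __name__ == "__main__":
    # Constructed sample: one file written normally, one with its mtime set
    # back to 2000-01-01, the way `touch -d` would do it.
    fmt = "%Y-%m-%d %H:%M:%S"
    root = tempfile.mkdtemp()
    for name in ("fresh.php", "stamped.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php ?>\n")
    os.utime(os.path.join(root, "stamped.php"), (946684800, 946684800))
    now = time.time()
    hits = changed_in_window(root, now - 3600, now + 60)   # assumed window
    flagged = backdated(hits)
    for hit in hits:
        path, mtime, ctime = hit
        print(time.strftime(fmt, time.localtime(ctime)),
              time.strftime(fmt, time.localtime(mtime)),
              path, "BACKDATED" if hit in flagged else "")
```

Run against the real web directory, `start` and `end` would be the epoch times bracketing the logins from the suspect IP addresses.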