Re: Machine != Hacker
well, if you do things properly on YOUR end, researching the hack/crack, it becomes obvious when a web site is being used as a "pure re-director". A little research may lead you to the REAL web site (or person doing the shell access cracking, whichever), especially for things _LIKE_ when the POST transactions in a fake web page reveal exactly where that is [for getting your credit card info, for example]. If your server is the re-director, then you study the logs to see where everything is going, and go from there. That kind of thing. Or if it's someone else, you can often determine where it REALLY came from through various means.
From that point, the lazy coder's or incompetent script-kiddie's ass is YOURS. Just "follow the money" (or in this case, the IP address of the server doing the credit card stuff or intrusions). Notifying the credit card companies along the way is an extra added 'bonus'.
(I would normally expect crack attempts to come in via web site requests as a vector, unless you allow ssh access for more than 1 or two obscure user names with either proper pass-PHRASES or cert-only, or both)