I found this one in a dir at root level and removed it

Found what one? A document? Can you clarify, henry0?

This is the script I found in a directory holding OOP DB conn calling for a config scrip which is set away from root (in www) as a matter of facts no harm was done!
As per sys admin (dedicated server) it could have only happened via file manager… I do not believe that!
I do not use it, and even my biz partner has no access to the server.
My FTP goes trough secured SSh.
My DB was not hacked, and is, I like to state well protected against injection.
It was a hacker test, which seems to be well known (look above at my search findings)
I pay quite a good price for that server hosted on one of the two most well known USA hosts

I am thinking going co-located but I need a sys admin.
I am not able by myself able to manage a full server security/maintenance/update etc...
Where do I go from there?

Are you saying that this file was at root or at the web root?
As if this file was below the web root then unless there is another file reading its output and displaying it on the browser it is pointless, as you would never be able to test if it works, as the test relies on a browser seeing the echo'd statements.

So you may need to look through your system to see what else has been put on there.

That file was in a db_conn dir
www/html/db_conn/
nothing else is there
the question remains as how was it done?

the question remains as how was it done?

Have you looked through the server logs to see how it got there?

As you could then rule out http.

If it wasnt from http then it could be ftp, or sftp, whatever you are using. Even with an encrypted connection most unix style passwords are very short and follow a certain pattern, so they are quite easy to brute force. That can be prevented with iptables or whatever other system you like. So you may want to check on that protection.

There is also the possibility that this file got onto your server from another site hosted on the same machine. As you may have good security, but if the server structure is flawed then it may be another who is letting your security down.
It is not difficult to find out who is also on the same machine, then you just break one of them that doesnt have the same security. Then you are on the machine and can do whatever the security on that machine will allow you to do.

I would guess that as you still have a site they dont have root control. As if someone has control of the machine then once the test confirmed it you would take what you wanted, shred everything, rm -f / then leave. No point in hanging around, admiring the architecture.

Has the security on your server and database server been checked by someone? As the machines themselves are often the weakest points.