The default configuration on the SSG5 would not allow any connections from the internet to your server login.
The configuration to look for that would allow this is destination nat and a policy that allows the traffic. Both must be in place for the connection to go through the firewall.
Check the policy at
Policy > Policies
Look for the untrust to trust (default zone) or whatever zone you created for the server.
If this is not in place also confirm there are no untrust to untrust allow policies.
If the policy exists it will give a clue as to which destination nat method was used. Directly in the advanced tab is one version. If this is not there then there may be a setup on the untrust interface itself under
Network > Interfaces > list
edit your untrust interface and look for setups in the MIP, DIP, VIP tabs
If these are not configured then the attacker was internal. This is actually pretty common. The attacker has used a malicious link or other method to compromise another computer on your network. This computer is then used to move laterally to servers and other targets.