looking at the port list, as I'm sure you're aware you've got FTP, Telnet, SSH, HTTP and DNS open to the source of your scan. I'm assuming the scan was actioned from an external source not local, if you performed the scan from the loca network then there may be false positives for services that are protected by firewalls etc.
Major advice would be to disable any services that you do not need. As you state that you are an ISP, all the services seem reasonable although I would question running all services from a single IP/server, although I know that this can be forced via budget/resource restraints etc.
First service that I would look at would be Telnet, as you are also running SSH then it is likely this service isn't needed for general administrative purposes. (Telnet transmits login/session details in cleartext whilst SSH is encrypted).
As your remote communication services (telnet/ssh) require valid credentials to access the server (I hope) then it is possible that an account on the server has been compromised, possibly through social engineering, or dictionary/bruteforce attempts. Only good staff awareness, training and policy can protect against the first, for the latter there are many tools designed to protect against brute-force attemtps, for example try breakinguard.
Next step would be to ensure that all software and services are up to date. I know it's a chore but keeping patch levels up to date can save you some big headaches.
You also stated that a third party hotspot service was the source of the unidentified individual using your network. As from your response they appear to be fairly unhelpful, I would recommend if possible and within your authority finding a different service provider. If this is not possible then you could try to segregate the wireless connection from the core of your network, on a DMZ for example. What evidence do you have that has lead you to believe that this is the entry point being used to access your network?
Once your server is locked down then you need to attempt to determine how the unknown party has gained access to your network and what damage has been done. For this you need to be looking at logs and any information you can get. How were you alerted to the individual bypassing your systems in the first place?
If incident response is new to you then the SANs Intrusion Detection FAQ can be a good place to start, HERE
Hopefully this should set you on your way to both determining what has occured and improving your systems security. Knowing the industry I appreciate that some of this information you may not want it public view, this being the case feel free to PM me if necessary. Good luck...