I host my personal website on DigitalOcean. Recently I have received many abuse complaints, which finally made them shut down my machine. I feel really sad and angry.
Someone complained that my machine was being used to attack his machine via SSH. I checked my machine and found two suspects:
root@eva:~# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 566 root 3r IPv6 7494 0t0 TCP *:ssh (LISTEN)
sshd 566 root 4u IPv4 7518 0t0 TCP *:ssh (LISTEN)
php5-fpm 671 root 6u IPv4 7849 0t0 TCP localhost:9000 (LISTEN)
php5-fpm 672 www-data 0u IPv4 7849 0t0 TCP localhost:9000 (LISTEN)
php5-fpm 673 www-data 0u IPv4 7849 0t0 TCP localhost:9000 (LISTEN)
php5-fpm 674 www-data 0u IPv4 7849 0t0 TCP localhost:9000 (LISTEN)
php5-fpm 675 www-data 0u IPv4 7849 0t0 TCP localhost:9000 (LISTEN)
mysqld 759 mysql 10u IPv4 8233 0t0 TCP localhost:mysql (LISTEN)
bash 1018 root 3u IPv4 8700 0t0 TCP *:3245 (LISTEN)
bash 1018 root 8u IPv4 8783 0t0 TCP mysitename.com:57728->91.236.182.1:ircd (ESTABLISHED)
bash 1018 root 9u IPv4 8714 0t0 TCP mysitename.com->ircu.atw.hu:ircd (ESTABLISHED)
apache2 30915 root 3u IPv4 4216829 0t0 TCP *:http (LISTEN)
apache2 30920 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN)
apache2 30921 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN)
apache2 30922 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN)
apache2 30923 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN)
apache2 30924 www-data 3u IPv4 4216829 0t0 TCP *:http (LISTEN)
sshd 30948 root 3r IPv4 4217444 0t0 TCP mysitename.com:ssh->210006025170.ctinets.com:64144 (ESTABLISHED)
What are the IRC things? They come back again after I kill them. How can I fix this and fight back? Can anybody explain the theory of how I got attacked, and, generally, how to react after being attacked?
PS: I really did only a small number of operations on my machine, just hosting my website there. Basically, I just changed things under /etc/apache2 and /var/www.
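The listing above shows the pattern a practitioner looks for when triaging a box like this: a process named bash, running as root, holding a listening socket on an arbitrary high port (3245) and two established connections to the ircd port on remote hosts. That is the signature of an IRC-controlled bot, not anything a LAMP stack does by itself. The script below is an added example (not part of the original post and not from any answer on the page): it parses `lsof -i` output, compares it against an assumed baseline of which daemons may listen on which ports on a small web host, and reports every socket that breaks the baseline. The sample input is constructed from the listing quoted in the question; the `EXPECTED_LISTENERS`, `SHELL_LIKE` and `IRC_PORTS` tables are assumptions for this host and should be adjusted to your own.

```python
"""Triage helper for `lsof -i` output: flag sockets that look like a bot.

Added example, not from the original post.  The sample input is constructed
from the lsof listing quoted in the question; the baseline tables below are
assumptions for a single LAMP host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the lsof -i listing from the question, abbreviated.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 566 root 3r IPv6 7494 0t0 TCP *:ssh (LISTEN)
sshd 566 root 4u IPv4 7518 0t0 TCP *:ssh (LISTEN)
php5-fpm 671 root 6u IPv4 7849 0t0 TCP localhost:9000 (LISTEN)
mysqld 759 mysql 10u IPv4 8233 0t0 TCP localhost:mysql (LISTEN)
bash 1018 root 3u IPv4 8700 0t0 TCP *:3245 (LISTEN)
bash 1018 root 8u IPv4 8783 0t0 TCP mysitename.com:57728->91.236.182.1:ircd (ESTABLISHED)
bash 1018 root 9u IPv4 8714 0t0 TCP mysitename.com->ircu.atw.hu:ircd (ESTABLISHED)
apache2 30915 root 3u IPv4 4216829 0t0 TCP *:http (LISTEN)
sshd 30948 root 3r IPv4 4217444 0t0 TCP mysitename.com:ssh->210006025170.ctinets.com:64144 (ESTABLISHED)
"""

# Assumed baseline: which commands may hold LISTEN sockets, and on which
# service names / ports (as lsof prints them).  Everything else is reported.
EXPECTED_LISTENERS = {
    "sshd": {"ssh"},
    "apache2": {"http", "https"},
    "php5-fpm": {"9000"},
    "mysqld": {"mysql"},
}

# Shells and interpreters should never own a network socket on a web host.
SHELL_LIKE = {"bash", "sh", "dash", "perl", "python", "php"}

# Remote ports typically used by IRC bots for command and control.
IRC_PORTS = {"ircd", "6667", "6668", "6669", "6697"}


@dataclass
class Socket:
    command: str
    pid: int
    user: str
    proto: str
    name: str  # e.g. "*:3245 (LISTEN)" or "a:1->b:ircd (ESTABLISHED)"

    @property
    def addr(self) -> str:
        """NAME without the trailing "(STATE)" part."""
        return self.name.split(" ")[0]

    @property
    def state(self) -> str:
        m = re.search(r"\((\w+)\)\s*$", self.name)
        return m.group(1) if m else ""

    @property
    def local_port(self) -> str:
        local = self.addr.split("->")[0]
        return local.rsplit(":", 1)[-1] if ":" in local else ""

    @property
    def remote_port(self) -> str:
        if "->" not in self.addr:
            return ""
        remote = self.addr.split("->", 1)[1]
        return remote.rsplit(":", 1)[-1] if ":" in remote else ""


def parse_lsof(text: str) -> list[Socket]:
    """Parse `lsof -i` output.  NAME may contain spaces, so split at most 8 times."""
    sockets = []
    for line in text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        cmd, pid, user, _fd, _type, _dev, _size, node, name = fields
        sockets.append(Socket(cmd, int(pid), user, node, name))
    return sockets


def find_suspicious(sockets: list[Socket]) -> list[tuple[int, str]]:
    """Return de-duplicated (pid, reason) pairs for sockets outside the baseline."""
    findings: list[tuple[int, str]] = []

    def report(pid: int, reason: str) -> None:
        if (pid, reason) not in findings:
            findings.append((pid, reason))

    for s in sockets:
        if s.state == "LISTEN":
            allowed = EXPECTED_LISTENERS.get(s.command)
            if allowed is None or s.local_port not in allowed:
                report(s.pid, f"{s.command} listening on {s.local_port}")
        if s.remote_port in IRC_PORTS:
            report(s.pid, f"{s.command} connected to IRC ({s.addr})")
        if s.command in SHELL_LIKE:
            report(s.pid, f"shell '{s.command}' owns a socket as {s.user}")
    return findings


def suspicious_pids(text: str) -> list[int]:
    """PIDs worth inspecting under /proc/<pid>/ (exe, cwd, cmdline) before killing."""
    return sorted({pid for pid, _ in find_suspicious(parse_lsof(text))})


if __name__ == "__main__":
    for pid, reason in find_suspicious(parse_lsof(SAMPLE_LSOF)):
        print(f"PID {pid}: {reason}")
```

Run it against live output with `lsof -i -n -P | python3 triage.py` after swapping `SAMPLE_LSOF` for `sys.stdin.read()`; with `-n -P` lsof prints numeric addresses and ports, so put `6667` rather than `ircd` in the table. The point of reporting rather than killing is that the question says the process comes back: before you kill PID 1018, `ls -l /proc/1018/exe /proc/1018/cwd` and `cat /proc/1018/cmdline` tell you which file it was started from, and the respawning is normally done by a cron entry, an `/etc/rc.local` or init-script line, or a shell profile, which is what has to be removed (and the dropped files preserved for analysis) for the kill to stick.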