Investigate DDoS attack

I have been sent an alert by the Linode (1024 plan) team stating the following:

"An outbound DoS attack originating from your Linode was detected. As such, a filter was put in place to prevent further damage to our infrastructure. At this point you will need to investigate the outbound DoS attack and address the issue before we can remove the filter."

I need help to understand what this means and how I can investigate this!

Please help!

3 Replies

That means your Linode is attacking other systems. The rough steps for fixing this are as follows:

1. Shut down your Linode

2. Boot into Rescue Mode ( https://library.linode.com/rescue-and-rebuild#sph_booting-into-rescue-mode )

3. Figure out how somebody compromised your Linode

4. Redeploy from fresh disk images

5. When you configure the new system, fix whatever issue let them compromise you this time

  • Les

That's what Linode seems to think.

I am not sure how to go about step 3:

3. Figure out how somebody compromised your Linode

Our server makes outgoing requests to other servers every couple of hours to get status updates on a large number of orders (in the hundreds). Could this be the cause of the issue? Is it possible that the traffic is legit but Linode is just being cautious and labelling this as a "compromise"?

Please advise how I can go about "Figure out how somebody compromised your Linode"

Linode doesn't track your outbound traffic. If they are telling you that your VPS is participating in a DDoS then Linode has received a report from the target that traffic is coming from your VPS's IP.

This is a recent occurrence, so you should look for any PHP files that were uploaded or modified within the last 48 - 72 hours. Depending on what type of website(s) you are running your vulnerability could be different things.

You can check your logs to see what type of inbound FTP activity you may have had within the last few days. And make sure your FTP service is configured not to allow anonymous FTP users (I've seen it before on other servers).
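The checks suggested above (recently modified PHP files, anonymous FTP logins, the FTP daemon's anonymous setting) and the question of whether the scheduled order polling could look like a DoS can all be done from a shell once the disk is mounted in Rescue Mode. The script below is an added example written for this thread, not something posted by Linode or either replier. It assumes vsftpd-style log lines and a vsftpd.conf with the `anonymous_enable` key, and it reads saved output of `ss -tn` for the connection summary; the webroot, log, config and connection table it uses are constructed inline so it runs offline. On a real host, point the functions at the mounted webroot, the real `/var/log/vsftpd.log` and `/etc/vsftpd.conf`, and at `ss -tn` output captured while the filter was being triggered.

```shell
#!/bin/sh
# Added example for the thread above, not code from Linode or the repliers.
# Fixture paths, log lines and connection table below are constructed.
set -eu

# 1. PHP files modified within the last N days under a webroot.
#    The reply suggests a 48-72 hour window, i.e. -mtime -3.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# 2. Anonymous logins in a vsftpd-style log: successful logins whose
#    password field is the anonymous one. Prints the match count.
anonymous_ftp_logins() {
    grep -c 'OK LOGIN:.*anon password' "$1" || true   # grep -c exits 1 on zero matches
}

# 3. Is anonymous FTP enabled in vsftpd.conf? Exit status 0 means yes.
anonymous_ftp_allowed() {
    grep -Eiq '^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*YES' "$1"
}

# 4. Established connections per peer address from saved `ss -tn` output.
#    Hundreds of peers with one connection each matches the order polling
#    described in the question; a pile of connections to one peer is the
#    shape of an outbound DoS. Peer address is column 5; the port is dropped.
connections_per_peer() {
    awk 'NR > 1 && $1 == "ESTAB" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# Builds a constructed fixture in a temp dir and prints its path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/uploads"
    : > "$tmp/www/index.php"
    touch -t 202001010000 "$tmp/www/index.php"   # old, legitimate file
    : > "$tmp/www/uploads/x.php"                  # fresh file in an upload dir
    cat > "$tmp/vsftpd.log" <<'EOF'
Mon Jan  6 10:01:02 2020 [pid 1201] CONNECT: Client "192.0.2.10"
Mon Jan  6 10:01:05 2020 [pid 1200] [shop] OK LOGIN: Client "192.0.2.10"
Mon Jan  6 11:22:40 2020 [pid 1310] CONNECT: Client "198.51.100.7"
Mon Jan  6 11:22:41 2020 [pid 1309] [ftp] OK LOGIN: Client "198.51.100.7", anon password "mozilla@"
Mon Jan  6 11:22:49 2020 [pid 1311] [ftp] OK UPLOAD: Client "198.51.100.7", "/uploads/x.php", 2104 bytes
EOF
    printf 'listen=YES\nanonymous_enable=YES\nlocal_enable=YES\n' > "$tmp/vsftpd.conf"
    cat > "$tmp/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      203.0.113.5:43210   192.0.2.50:80
ESTAB  0      0      203.0.113.5:43211   192.0.2.50:80
ESTAB  0      0      203.0.113.5:43212   192.0.2.50:80
ESTAB  0      0      203.0.113.5:51000   198.51.100.20:443
EOF
    printf '%s\n' "$tmp"
}

demo() {
    d=$(make_fixture)
    echo "== PHP files modified in the last 3 days"
    recent_php_files "$d/www" 3
    echo "== anonymous FTP logins: $(anonymous_ftp_logins "$d/vsftpd.log")"
    if anonymous_ftp_allowed "$d/vsftpd.conf"; then
        echo "== anonymous_enable=YES in vsftpd.conf: disable it"
    fi
    echo "== established connections per peer"
    connections_per_peer "$d/ss.txt"
    rm -rf "$d"
}

demo
```

On the constructed fixture the fresh `uploads/x.php` is the only hit, the log shows one anonymous login followed by an upload into the same directory, and the connection table shows three connections to a single peer. A real investigation compares the file list against what you deployed, the FTP log against who should have been logging in, and the connection counts against the hosts your order-polling job is supposed to contact.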
