How to stop outgoing brute force attack
Solution 1:
As an IT Security expert, the proper response to any security risk of a compromised machine is: Disable the affected system(s) (shut them off entirely, or disconnect them from the network immediately and isolate them if you intend to dissect the system and the breach), and nuke it from orbit to clean it. Nuke it clean, restore important stuff from clean backups to a new reinstallation of the operating that is clean.
Once that's done, you need to make sure all your applications you have on this system need to be hardened and locked down. It's likely if you're running a web application like Wordpress or such, you need to keep that regularly patched all the time. Adding a fail2ban
solution to your system and enabling it for your various applications will help so that when things trigger they get blocked at the firewall for a time period due to ongoing attack attempts.
(Properly hardening your system and the applications is a very BROAD thing that is too large for this single post, and is always a case by case analysis/basis of risk/cost reward analysis, so we can't really give you the best way to properly harden everything.)
If you really want to dissect what's going on, install net-tools
on the machine that's affected, then disconnect it from the network.
sudo apt install net-tools
Once that's done, run sudo netstat -atupen
and look for any connections going outbound to port 22 on your system, and see what process is triggering the port 22 connections outbound. Keep an eye on that as well and run it many times too if you need to make sure it shows up, because with no network it'll probably try and instantly fail, so running this a few times may be needed.
However, you are better off deleting everything on the system and rebuilding from scratch and keep better backups of your information that is NOT going to be malware infested.
Also, unless you know what you're doing, you shouldn't host a server, etc. on your own network because of these kinds of problems - your own systems can get breached if even one system on your home network gets popped.
To put my last bit there into perspective:
Even with my experience, all the servers on my network running Internet facing are hardened against the other servers from reaching them, and my network being built as an Enterprise-grade type network complete with managed firewall, managed switches, etc. means that my Internet facing servers are isolated into respective DMZs, and cannot reach the rest of my network where more critical data is present. Network isolation and hardening of this magnitude requires way more than what you'll get at the 'residential' and 'consumer' grade levels of equipment you can get, it requires a lot of extra time, effort, and knowledge to really isolate internet facing systems to prevent larger breaches, as well as to get net flow logging for different network behaviors, as well as filtering on active intel lists to block the known evils. It's not for the faint of heart, and requires a LOT of effort to keep it operational as well.
Two of my servers that I run in my DMZs for clients got popped recently due to improperly patched Wordpress instances. FORTUNATELY I keep backups for them, so we nuked the breached instances, restored from clean backups, and then I promptly spent six hours on each machine patching them and rehardening them. One single unpatched Wordpress instance on each of those servers led to those servers being breached and attempting to distribute Malware, which my IDS/IPS detected - again this is an Enterprise grade network setup, so I have the time, infrastructure, and money to put into it all the protections. You won't have this on your average server or residential network setup.