My server was reported to hoster abuse for performing DDoS attacks. What should I do?

Please do not write obvious comments (hire a professional person/company) - we'll consider that after this issue is resolved.

I'm sorry to say that you are not managing that security incident the right way then.

If there's a fire in your house, are you waiting for it to extinguish itself before calling the fire-fighters?

If you have nobody on staff who can handle that type of incident, then you should get help from external resources that can manage a security breach.


Ask your ISP to produce logs showing your server's involvement in the incident (a suspicious traffic graph, for example, generated by data from your ISP's routers or switches). If they can produce such evidence, your system is suspect.

If your machine was in fact involved in a DoS attack and you didn't initiate such action yourself, your machine is almost certainly compromised. If your system is compromised, the best advice you will get is to blow it away, as in "How do I deal with a compromised server?" or any of the other questions similar to it.

For determining if your system was hacked, remember that you cannot rely on any tools installed on the system, and that a good attacker will leave no obvious trails (except possibly odd traffic, noted by an external system). If you have any suspicion that your system was compromised, it is still compromised until it is rebuilt with known clean media and software.
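Added example, not part of the answers above: one way to review flow records gathered by an external system (such as the ISP data the answer suggests requesting) is to total the packets the server originated per destination and time window. The CSV layout, the addresses, the export interval and the threshold are all assumptions constructed for this illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of flow records collected OUTSIDE the suspect host
# (columns: window start in epoch seconds, src, dst, proto, dst port, packets, bytes).
SAMPLE_FLOWS = """\
1700000000,203.0.113.10,198.51.100.7,udp,80,900000,57600000
1700000060,203.0.113.10,198.51.100.7,udp,80,1200000,76800000
1700000000,203.0.113.10,192.0.2.53,udp,53,40,3200
1700000060,192.0.2.80,203.0.113.10,tcp,443,5000,600000
1700000060,203.0.113.10,192.0.2.80,tcp,51000,4200,5100000
"""

WINDOW_SECONDS = 60      # assumed export interval of the flow collector
PPS_THRESHOLD = 5000     # assumed alert level; tune to the server's normal baseline


def outbound_floods(flow_csv, server_ip, pps_threshold=PPS_THRESHOLD):
    """Return (window_start, dst, proto, pps, avg_packet_bytes) rows where the
    server sent more than pps_threshold packets/second to one destination."""
    totals = defaultdict(lambda: [0, 0])  # (window, dst, proto) -> [packets, bytes]
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 7:
            continue  # skip blank or malformed lines rather than abort the review
        start, src, dst, proto, _port, packets, nbytes = row
        if src != server_ip:
            continue  # only traffic the server originated is relevant here
        key = (int(start), dst, proto)
        totals[key][0] += int(packets)
        totals[key][1] += int(nbytes)

    findings = []
    for (start, dst, proto), (packets, nbytes) in sorted(totals.items()):
        pps = packets / WINDOW_SECONDS
        if pps > pps_threshold:
            # A tiny average packet size at a high rate is typical of a flood.
            findings.append((start, dst, proto, round(pps), nbytes // packets))
    return findings


if __name__ == "__main__":
    for finding in outbound_floods(SAMPLE_FLOWS, "203.0.113.10"):
        print(finding)
```

Run it on a separate analysis machine against data exported by the upstream device, since output produced on the suspect host itself cannot be trusted.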