I powered up some old hardware that was running Ubuntu 10.04, plugged it in, and forgot about it for a few months while I got busy doing other things. Then one day it started sending out a bunch of DoS attacks, so many that it ate all my bandwidth and I couldn't get to the internet.
Internet is back now that I shut the server down. ^phew^
But how can I see what was going on with it?
When I boot it up without a network connection I can't log in; it must be constantly running a process that makes it too busy to respond to my login request. So I signed on in single-user mode and got access to the system.
I checked sshd_config and root logins were permitted, but root should never have had a password configured for it, and root hadn't logged in according to /var/log/auth.log.
I'd like to know what it was running, and what account was compromised, and if it was out of date on security patches or not.
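
Added example, not part of the original post: one way to start on the "what account was compromised" question is to pull the sshd entries out of a copy of /var/log/auth.log and flag password logins that follow failed attempts from the same address. The log lines are constructed, and `triage` and `suspicious` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample lines in the OpenSSH syslog format (not from the poster's machine).
SAMPLE_LOG = """\
Mar  3 02:14:07 oldbox sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 02:14:09 oldbox sshd[1203]: Failed password for root from 203.0.113.5 port 40115 ssh2
Mar  3 02:14:12 oldbox sshd[1205]: Failed password for backup from 203.0.113.5 port 40120 ssh2
Mar  3 02:14:15 oldbox sshd[1207]: Accepted password for backup from 203.0.113.5 port 40123 ssh2
Mar  4 09:30:01 oldbox sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

# Matches sshd "Accepted"/"Failed" authentication lines, including "invalid user" failures.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def triage(log_text):
    """Return (accepted logins, failed-attempt count per source address)."""
    accepted, failed = [], Counter()
    for line in log_text.splitlines():
        m = SSHD_AUTH.search(line)
        if not m:
            continue
        if m.group("result") == "Failed":
            failed[m.group("src")] += 1
        else:
            accepted.append({
                "when": line[:15],  # syslog timestamp, e.g. "Mar  3 02:14:15"
                "user": m.group("user"),
                "method": m.group("method"),
                "src": m.group("src"),
                # failures seen from this address earlier in the log
                "failures_before": failed[m.group("src")],
            })
    return accepted, failed

def suspicious(accepted):
    """Password logins from a source that had already failed: likely guessed password."""
    return [a for a in accepted if a["method"] == "password" and a["failures_before"] > 0]

if __name__ == "__main__":
    logins, failures = triage(SAMPLE_LOG)
    for a in suspicious(logins):
        print("%(when)s %(user)s from %(src)s after %(failures_before)d failures" % a)
```

An empty result is not proof that nobody logged in: older entries rotate into auth.log.1 and compressed archives, and an intruder who gained root can edit the logs.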