Topic: Server hacked, running nothing but iRedMail...
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.1 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? GitHub download, manual install
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I set up a brand new Ubuntu 18.04 server about a month ago. The first thing I did was upgrade packages and proceed to install and configure iRedMail and set up an account. This went perfectly fine. I have used it a little bit to send a few emails and received a couple too from legitimate sources/businesses.
About 2 hours ago I got an abuse report from my server host stating that my IP has been attacking sshd instances on other servers, and I have 48 hours to resolve the issue. I looked for more info on my IP and was able to find that there's been a number of attacks logged from my server starting April 15th.
I have investigated my server for files which were modified in the last 30 days, in folders /tmp /bin /sbin /var /opt /home and /usr, and nothing can be found. I checked the entire log of /var/log/auth.log and found nothing, no brute force successful logins. I had a brief look at syslog for anything suspicious too and found nothing. A full clamav scan shows 0 results. I checked every Logwatch email for anything else suspicious too.
I am at a loss as to how this happened. What can I do to find out how this happened and stop it happening again?
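One way to make the auth.log review above systematic, as an added example that is not part of the original post or of iRedMail: the script counts failed sshd attempts per source address and reports every accepted login together with the number of failures that preceded it from the same address, so a brute force that eventually succeeded stands out. It assumes the standard Ubuntu 18.04 sshd wording ("Failed password for ..." / "Accepted password for ...") and runs here over constructed sample lines, not a real log.

```shell
#!/bin/sh
# Constructed sample in /var/log/auth.log format (not a real log).
SAMPLE_LOG='Apr 15 02:11:01 mail sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Apr 15 02:11:03 mail sshd[1201]: Failed password for root from 203.0.113.7 port 50124 ssh2
Apr 15 02:11:05 mail sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Apr 15 02:11:09 mail sshd[1205]: Accepted password for root from 203.0.113.7 port 50140 ssh2
Apr 15 08:30:00 mail sshd[2200]: Accepted publickey for deploy from 198.51.100.2 port 4000 ssh2
Apr 16 12:00:00 mail sshd[2300]: Failed password for invalid user test from 192.0.2.9 port 1234 ssh2'

# suspicious_logins LOGFILE [MIN_FAILS]
# Prints "IP USER PRIOR_FAILURES" for each accepted sshd login whose source
# address had at least MIN_FAILS (default 0) failed attempts earlier in the log.
# A high count before an "Accepted" line is the signature of a successful
# brute force; a key-based login with zero prior failures is normal traffic.
suspicious_logins() {
  awk -v min="${2:-0}" '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
      ip = ""; user = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "from") ip = $(i+1)
        if ($i == "for")  user = $(i+1)
      }
      if (fails[ip] >= min) printf "%s %s %d\n", ip, user, fails[ip]
    }' "$1"
}

# run_demo writes the constructed sample to a temp file and analyses it;
# on a live system you would call: suspicious_logins /var/log/auth.log 5
run_demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  suspicious_logins "$tmp" "${1:-0}"
  rm -f "$tmp"
}

run_demo
```

Rotated copies (/var/log/auth.log.1, auth.log.*.gz via zcat) need the same pass, since the April 15th activity mentioned above may already have rotated out of the current file.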