0

I was warned by my VPS provider that my server is sending a lot of SSH SYN attacks to other servers, but I have no idea how to deal with it.

Here's the detail my provider sent me:

[image]

  1. Where can I find the logs that record all of these attacks on my server?
  2. How do I deal with this (find the script that sends these requests) step by step?
WoooHaaaa
  • 1,755

1 Answer

0

Finally I found the script.

  1. ps -ef: I found 10 processes named ./u2000 &, and I thought it was weird.
  2. ls -l /proc/PID/exe: I found it links to Tomcat/bin/u2000.
  3. I had never known of such a thing in Tomcat, so I just removed it and stopped all its processes.
  4. Disable Tomcat's web console and users.
  5. Change the Tomcat dir to a standalone user which has limited permissions.
WoooHaaaa
  • 1,755
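
Steps 1 and 2 of the answer above (list the processes, then resolve each /proc/PID/exe link), automated as an added shell example that is not part of the original post. The function name `scan_proc` and the watched-directory glob are assumptions for illustration; the premise that nothing should execute from the watched directory is also an assumption to check against your own install.

```shell
#!/bin/sh
# Added example: map running processes to their on-disk binaries through
# /proc/PID/exe and flag the ones worth a closer look.
#
# scan_proc PROC_ROOT WATCH_GLOB
#   PROC_ROOT  : normally /proc (a parameter so it can point at a fixture)
#   WATCH_GLOB : shell glob for directories that should not host running
#                binaries, e.g. '*/tomcat*/bin/*' (assumed layout)
# Prints one line per flagged process: PID <TAB> REASON <TAB> EXE_PATH
scan_proc() {
    _root=$1
    _glob=$2
    for _link in "$_root"/[0-9]*/exe; do
        # Kernel threads and already-exited PIDs have no readable exe link.
        [ -L "$_link" ] || continue
        # Reading other users' links requires root.
        _target=$(readlink "$_link") || continue
        _pid=${_link%/exe}
        _pid=${_pid##*/}
        _reason=
        case $_target in
            # The kernel appends " (deleted)" when the file was unlinked
            # while the process kept running.
            *" (deleted)") _reason=deleted-binary ;;
            # Unquoted on purpose: the variable is used as a glob pattern.
            $_glob)        _reason=watched-dir ;;
        esac
        [ -n "$_reason" ] && printf '%s\t%s\t%s\n' "$_pid" "$_reason" "$_target"
    done
    return 0
}

# When called with a glob argument, scan the live system:
#   sudo sh scan_proc.sh '*/tomcat*/bin/*'
if [ $# -gt 0 ]; then
    scan_proc /proc "$1"
fi
```

Record the flagged path, its hash and the owning user before removing the file or stopping the processes, so the point of entry can still be investigated afterwards.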