We have just been notified that our server is apparently being used as part of a botnet. This is based on four login attempts on a particular website that originated from our server's ip address. Trouble is I don't know which website may be the culprit. I've run maldet on all public_html directories with a zero result. Are there any logs I can check that may enlighten me as to where they are coming from?
In the past, a couple of sites were compromised but were easy to pinpoint as they generated a lot of spam. This time the mail logs show nothing out of the ordinary so I don't know where to look now.
Thanks in advance.