I was hacked last week, and now I have recently re-imaged my server, but I still have a folder/script trying to brute force another server via my own server. So as you can see, this was due to an installed website backup.

My problem is I don't have a clue how to trace the source of the attack. I have installed Splunk successfully to try and make my life easier, but I don't know where to start to search and query.

For your information, the server that my server is trying to hack is [port]: SIP, if this helps.

My operating system is CentOS 5.5 and I have Plesk 9.5 running on my server.

Help is needed as soon as possible, as my hosting company have given me until tomorrow to sort it or they will block and shut my server.

Thanks in advance.