Linode Forum
Linode Community Forums
PostPosted: Fri Apr 10, 2015 6:59 am 

Joined: Fri Apr 10, 2015 6:55 am
Posts: 1
I have been sent a support ticket to inform me that something on my Linode has attempted to find vulnerabilities on an external server.

I have just inherited this server, so I am not familiar with all the sites hosted on it or with Linode in general.

How should I find the source of this activity? Where do I start?


PostPosted: Fri Apr 10, 2015 7:43 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Does the support ticket give any details of what the activity is?

You can check the output of ps aux to see if there's anything odd-looking running. As for the sites, that really depends on what they are; if they're open source, i.e. WordPress etc., make sure they're up to date. If they're not, that could be the cause.

Either way, you're going to have to replace the server if it is doing something malicious. Once compromised, the only safe way to fix the problem is to start fresh (and of course patch whatever allowed the server to be compromised in the first place).

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


PostPosted: Fri Apr 10, 2015 10:06 am 
Junior Member

Joined: Wed Nov 18, 2009 12:27 am
Posts: 28
I use the following script, it's a somewhat messed up version of a script I had a grander vision for but this one works:

Code:
#!/bin/sh
# Pull failed, invalid or errored SSH attempts out of the system logs.
# Which files exist depends on the distro: messages/secure on RHEL-style
# systems, auth.log on Debian/Ubuntu. --text keeps grep from treating
# rotated or partially binary logs as binary files.

A="/var/log"

# Syslog-style messages file (some distros log sshd there).
test -f "$A/messages" && (grep --text ssh "$A/messages" | grep --text -i invalid)
test -f "$A/messages" && (grep --text ssh "$A/messages" | grep --text -i fail)
test -f "$A/messages" && (grep --text ssh "$A/messages" | grep --text -i error)
# Debian/Ubuntu auth.log, including rotated copies (auth.log.1, ...).
test -f "$A/auth.log" && (grep --text -i fail "$A"/auth.log*)
test -f "$A/auth.log" && (grep --text -i "Did not receive identification string from" "$A"/auth.log*)
# RHEL/CentOS secure log; the -v drops lines mentioning my own home directory.
test -f "$A/secure" && (grep --text -i fail "$A/secure" | grep --text -v /home/diltonm)


I'd thought one day I might clean up that output and merge it with a git approach to detect differences and email them to me automatically; I might still do that.


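As an added example that is not part of the original thread or the poster's script: the same log greps, but summarised per source address so the output is readable, plus a short outbound-side triage for the original question of which local process is scanning other hosts. It assumes OpenSSH sshd lines in syslog format (Debian/Ubuntu auth.log or RHEL /var/log/secure) and GNU grep, awk, sort and uniq; the sample log is constructed here.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes OpenSSH sshd messages
# in syslog format and a POSIX shell with GNU grep, awk, sort and uniq.

# Print the token following "from" on each line (the client address in sshd messages).
addr_after_from() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }'
}

# Failed password attempts per source address, most active first: "COUNT ADDRESS".
ssh_failures_by_ip() {
    grep --text -h 'sshd\[[0-9]*\]: Failed password' "$@" 2>/dev/null \
        | addr_after_from | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Clients that connected but never sent an SSH banner (typical of scanners), per address.
ssh_probes_by_ip() {
    grep --text -h 'Did not receive identification string from' "$@" 2>/dev/null \
        | addr_after_from | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Outbound-side triage: established TCP sessions with the owning PID, binaries running
# out of scratch directories, and cron entries that could restart a scanner after reboot.
outbound_triage() {
    echo '== established TCP sessions (local -> peer, owning process) =='
    ss -tnp state established 2>/dev/null
    echo '== processes whose binary lives in a world-writable scratch directory =='
    ls -l /proc/[0-9]*/exe 2>/dev/null | grep -E ' -> (/tmp|/var/tmp|/dev/shm)/' || echo '(none)'
    echo '== cron entries =='
    ls -la /etc/cron* /var/spool/cron 2>/dev/null
}

# Constructed sample log (RFC 5737 addresses) so the summaries run without touching /var/log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 10 06:12:01 linode sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Apr 10 06:12:03 linode sshd[1234]: Failed password for root from 203.0.113.7 port 51130 ssh2
Apr 10 06:12:05 linode sshd[1240]: Did not receive identification string from 198.51.100.9
Apr 10 06:12:06 linode sshd[1242]: Did not receive identification string from 198.51.100.9 port 44010
Apr 10 06:12:10 linode sshd[1241]: Accepted publickey for deploy from 192.0.2.5 port 40000 ssh2
Apr 10 06:13:00 linode sshd[1250]: Failed password for invalid user test from 203.0.113.7 port 51200 ssh2
Apr 10 06:13:30 linode sshd[1251]: Failed password for root from 192.0.2.99 port 50001 ssh2
EOF

ssh_failures_by_ip "$SAMPLE_LOG"   # 3 203.0.113.7 / 1 192.0.2.99
ssh_probes_by_ip "$SAMPLE_LOG"     # 2 198.51.100.9
```

Point the two summary functions at the real files (`ssh_failures_by_ip /var/log/auth.log*`) and run `outbound_triage` as root on the suspect host; the triage output is what to compare against the details in the support ticket.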