Urgently need someone to look at our Unix 1&1 server and remove code causing DDoS
£35 (approx. $44)
- Posted:
- Proposals: 2
- Remote
- #397457
- Expired
Description
Experience Level: Intermediate
Estimated project duration: 1 day or less
General information for the website: Server has a script installed which needs removing.
Description of requirements/features:
Your contract number: 27004817
Your customer ID: 24979229
Our reference: [Ticket AB82912904]
Note: Your personal 1&1 contract number and your name certify that this e-mail was sent by 1&1.
Dear Alexander James Mawson,
You receive an important notice regarding your 1&1 Server.
Your 1&1 Server was found to be part of a network of compromised machines
leading a Distributed Denial-of-Service Attack (DDoS Attack) against other servers.
*******************************************************************************
IMPORTANT: In order to prevent further criminal activity from your 1&1 Server,
we have suspended access pending an investigation and resolution.
*******************************************************************************
Please follow the indications below according to the category of your server to
reestablish the access of your 1&1 Server.
*******************************************************************************
1&1 Root Server
*******************************************************************************
Please log in through the Serial Console and take steps to secure your 1&1
Server.
You'll find instructions in your 1&1 Help Center:
- Linux Servers:
http://help.1and1.com/servers-c37684/linux-server-c37687/system-recovery-c37690/how-do-i-access-my-linux-server-via-the-serial-console-a709275.html
- Windows Servers:
http://help.1and1.com/servers-c37684/windows-server-c39510/system-recovery-c76208/how-do-i-use-the-serial-console-with-my-windows-server-a627376.html
1. Determine the source of the compromise and disable the script which
controlled the DoS attack.
2. Once you have secured your server, get back to us stating your measures and
we will be glad to reconnect your server at the switch.
Simply reply to this e-mail keeping our reference [Ticket AB82912904] in your message.
Note: We recommend that you back up your data in case a server re-image should be
required.
*******************************************************************************
1&1 Virtual Private Server
*******************************************************************************
Please get back to us stating when you are ready to take steps to secure your
server. We will reconnect access at that point. Simply reply to this e-mail
keeping our reference [Ticket AB82912904] in your message.
Once the server is unlocked, we urgently recommend booting it in repair mode
and fixing the problem with the server off-line. This will avoid another attack.
For instructions see:
http://help.1and1.com/servers-c37684/virtual-private-server-c63343/how-do-i-use-the-linux-vps-rescue-system-a686091.html
*******************************************************************************
1&1 Dynamic Cloud Server
*******************************************************************************
Please get back to us stating when you are ready to take steps to secure your
server. We will reconnect access at that point and stop the server.
You can then restart it from your 1&1 Control Panel when you are ready to secure it.
*******************************************************************************
Thank you in advance for your attention to this matter. We appreciate your
cooperation and look forward to continuing to improve the security of your 1&1 account.
You will find details about the attack here:
1389426469.052035 IP 87.106.63.105.9357 > 9.115.101.56.80: Flags [S], seq 1272317479, win 65535, options [mss 1460,nop,nop,sackOK], length 0
1389426469.052039 IP 87.106.63.105.9357 > 9.115.101.57.80: Flags [S], seq 1643241588, win 65535, options [mss 1460,nop,nop,sackOK], length 0
1389426469.052095 IP 87.106.63.105.9357 > 9.115.101.58.80: Flags [S], seq 876077150, win 65535, options [mss 1460,nop,nop,sackOK], length 0
Best regards,
Abuse Team
--
Abuse Department
1&1 Internet Ltd.
Extra notes:

James M.
100% (14)
Projects Completed: 14
Freelancers worked with: 13
Projects awarded: 46%
Last project: 20 Jan 2022
United Kingdom
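
The capture excerpt quoted in the abuse notice can be triaged mechanically. The following is an added example, not part of the original posting or of the 1&1 notice: it parses tcpdump lines of that shape and reports sources that send bare SYN packets to several hosts in a short burst. The function names and the thresholds (`min_targets`, `max_span`) are assumptions.

```python
import re
from collections import defaultdict
from decimal import Decimal

# The three capture lines quoted in the abuse notice (tcpdump -tt -n style).
SAMPLE = """\
1389426469.052035 IP 87.106.63.105.9357 > 9.115.101.56.80: Flags [S], seq 1272317479, win 65535, options [mss 1460,nop,nop,sackOK], length 0
1389426469.052039 IP 87.106.63.105.9357 > 9.115.101.57.80: Flags [S], seq 1643241588, win 65535, options [mss 1460,nop,nop,sackOK], length 0
1389426469.052095 IP 87.106.63.105.9357 > 9.115.101.58.80: Flags [S], seq 876077150, win 65535, options [mss 1460,nop,nop,sackOK], length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\],.*length (?P<length>\d+)$"
)

def parse(text):
    """Yield (ts, src, sport, dst, dport, flags, length) per IPv4 TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are skipped, not guessed at
            yield (Decimal(m["ts"]), m["src"], int(m["sport"]), m["dst"],
                   int(m["dport"]), m["flags"], int(m["length"]))

def summarize_syn_bursts(text, min_targets=3, max_span=Decimal("1")):
    """Group bare SYNs by (source IP, destination port) and report groups that
    hit at least min_targets hosts within max_span seconds (assumed thresholds)."""
    groups = defaultdict(list)
    for ts, src, sport, dst, dport, flags, length in parse(text):
        if flags == "S" and length == 0:  # SYN only, no payload
            groups[(src, dport)].append((ts, sport, dst))
    findings = []
    for (src, dport), pkts in sorted(groups.items()):
        times = [p[0] for p in pkts]
        targets = sorted({p[2] for p in pkts})
        span = max(times) - min(times)
        if len(targets) >= min_targets and span <= max_span:
            findings.append({
                "src": src, "dport": dport, "syn_count": len(pkts),
                "targets": targets, "span_seconds": span,
                # A normal client usually picks a new ephemeral port per connection.
                "source_ports": sorted({p[1] for p in pkts}),
            })
    return findings

if __name__ == "__main__":
    for finding in summarize_syn_bursts(SAMPLE):
        print(finding)
```

Run against a longer capture taken on the server's own interface, the same summary shows whether the traffic is still being generated after a suspected script has been disabled.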