Where I work we have about 90 sites on a Fedora Core 1 server that probably doesn't have many updates on it. The company hosting the server told us our server was flooding their network with UDP packets. Our host shut down our server (and it turns out the same thing happened to 5 other servers running FC 1), then later gave us 2 hours to fix it before they shut it down for good. I looked around and didn't see anything suspicious, but I set up iptables to drop all outgoing UDP packets (it was the only thing I could think of to do at the time). This later caused DNS problems, so a few hours later we disabled the iptables entry. Now we aren't flooding the network, but I'm worried a backdoor or some other threat may still be there (and I'm sure the vulnerability is still there). Our server guy looked at it, as did I, but neither of us is very security oriented. What sorts of things should we be looking at to determine if the threat is still there? /var/logs/secure lists a ton of attempted ssh entries just before the server was shut down, but our network guy says that's common. eta: the company which hosts our server just said it may have been a switch on their end. Is this possible?
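One concrete check for the "ton of attempted ssh entries" question above, as an added example that is not part of the original post: failed logins from many hosts are indeed background noise, but a source that fails repeatedly and then gets an "Accepted" line is a brute force that worked and needs investigating. The log lines below are constructed in the OpenSSH 3.x format FC1 shipped; the real file is read from /var/log/secure, and the UDP socket listing assumes netstat is installed.

```bash
#!/bin/sh
# Constructed sample of sshd entries in the style of /var/log/secure (not real data).
SAMPLE_SECURE='Mar  3 02:11:05 web sshd[4021]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar  3 02:11:07 web sshd[4023]: Failed password for root from 203.0.113.7 port 41030 ssh2
Mar  3 02:11:09 web sshd[4025]: Failed password for illegal user admin from 203.0.113.7 port 41044 ssh2
Mar  3 02:12:40 web sshd[4031]: Accepted password for root from 203.0.113.7 port 41101 ssh2
Mar  3 03:02:13 web sshd[4102]: Failed password for bob from 198.51.100.9 port 52001 ssh2
Mar  3 03:05:00 web sshd[4110]: Accepted publickey for bob from 192.0.2.20 port 50010 ssh2'

# Read log lines on stdin; print "count ip" for failed logins, busiest source first.
failed_by_ip() {
    grep 'Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Print every "Accepted" line whose source IP also appears in the failure list:
# a successful login preceded by failures from the same host is the case to escalate.
# Takes the log text as $1.
accepted_after_failures() {
    log="$1"
    failed_ips=$(printf '%s\n' "$log" \
      | grep 'Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port.*/\1/p' \
      | sort -u)
    for ip in $failed_ips; do
        # "|| true" so a host with no successful login does not abort under set -e
        printf '%s\n' "$log" | grep "Accepted .* from $ip " || true
    done
}

# For the UDP flood itself: list every process holding a UDP socket right now
# (the -p column needs root). Anything that is not named, dhclient or ntpd on a
# web host is worth a look. Assumes net-tools' netstat is present.
udp_sockets_by_process() {
    netstat -aunp 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
    failed_by_ip < /var/log/secure
    accepted_after_failures "$(cat /var/log/secure)"
    udp_sockets_by_process
else
    printf '%s\n' "$SAMPLE_SECURE" | failed_by_ip
    accepted_after_failures "$SAMPLE_SECURE"
fi
```

Run with `--live` as root on the affected box to process the real log and list UDP sockets; without it the script runs against the constructed sample only.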