I have just shrunk a basic Linode disk image to 2048 MB that has been recently compromised, specifically for security audit purposes.
It is a Debian 10 Buster installation, with nothing on it. In May I had just started looking at doing what Wendell recently did with the HAProxy video. I got to the stage of realising I could use a Docker image, but nothing was ever added.
At some point in June or July the user login was compromised (not root), and the node had network restrictions placed on it from the 23/24 of July due to botnet and SSH brute force activity.
There was no trail cleanup, so there is a lot of data available. From what I can tell they try known usernames on SSH; when they gain access they start connecting to a specific web server and 3 main mail servers, then others come and try different usernames, while the compromised user then starts more SSH searches (enough to be flagged by network support).
I am offering the disk image here because the only other security alert website I have used in the past only dealt with emails and email addresses, and I can't remember its name atm (but they are well known).
I can allow image download from the CLI via secured Finnix Rescue Mode for anyone that wants to download it and/or mirror it.
I can't rebuild the Linode (and start the HAProxy install) without destroying all images (as far as I can tell).
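For anyone auditing the image, the pattern described in the post (known usernames tried over SSH, then a successful login on the non-root user) is what you would look for first in `/var/log/auth.log`. The script below is an added example, not from the original post or the image; the log lines are constructed in the Debian 10 sshd syslog format, and the threshold and host name are assumptions.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (not taken from the compromised image);
# the lines follow the sshd syslog format used on Debian 10 Buster.
SAMPLE_AUTH_LOG = """\
Jul 23 02:11:01 linode sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 23 02:11:03 linode sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Jul 23 02:11:05 linode sshd[2105]: Failed password for deploy from 203.0.113.7 port 51240 ssh2
Jul 23 02:11:08 linode sshd[2107]: Failed password for deploy from 203.0.113.7 port 51244 ssh2
Jul 23 02:11:10 linode sshd[2109]: Accepted password for deploy from 203.0.113.7 port 51250 ssh2
Jul 23 02:14:40 linode sshd[2130]: Accepted publickey for root from 198.51.100.4 port 40022 ssh2
Jul 23 02:20:15 linode sshd[2150]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def audit_ssh(log_text, threshold=3):
    """Return (brute_force_sources, suspicious_logins).

    brute_force_sources: {ip: [usernames tried]} for IPs with >= threshold failures
    (threshold is an assumed value; tune it to the host's normal traffic).
    suspicious_logins: (user, ip, method) for every accepted login from an IP that
    had already failed at least once, i.e. the likely point of compromise.
    """
    failures = defaultdict(list)
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip].append(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if failures.get(ip):
                suspicious.append((user, ip, method))
    brute = {ip: users for ip, users in failures.items() if len(users) >= threshold}
    return brute, suspicious


if __name__ == "__main__":
    brute, suspicious = audit_ssh(SAMPLE_AUTH_LOG)
    for ip, users in brute.items():
        print(f"brute force from {ip}: {len(users)} failures, usernames {sorted(set(users))}")
    for user, ip, method in suspicious:
        print(f"likely compromise: {user} accepted via {method} from {ip} after prior failures")
```

On a mounted copy of the image, point it at the rescued `/var/log/auth.log*` files instead of the constructed sample; the root key login from a clean IP is deliberately left unflagged so the check only fires where failures preceded success.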