Hello.
Long time no speak here - no need to... SME has been such a reliable system.
Running a SME server 7 as dedicated server and gateway with modem in bridge mode to server...
I have installed some batches of updates in the past but to be honest I haven't installed any for ages...

Last Monday, I noticed my monthly bandwidth, 100GB, had all but vanished, in 4 days...
Having a look at my web provider's usage page, it seemed to be using approx 1GB per hour, every hour.
I assumed one of the Windows systems was hacked; however, after leaving ONLY the SME server connected to the router, with its internal LAN cable disconnected, the usage continued.
I ran IPTraf, and it appeared that there was a lot of repeated traffic between my external IP address, on port 80, and another domain interstate...
I ran a whois on the domain, and it appears to be a large accounting software firm.
The traffic seems to consist of approx 4 MB lots, which then restart, repeatedly, so therefore approx 1GB is being used, every hour. The 4MB size varies, but is always approx just over 4MB.
In case it was a glitch, I rebooted the server, but soon after restart it commenced again.
I am guessing that the server has been hacked, and is performing a denial of service attack on this software firm.
To be honest, while I've spent years maintaining and fixing win PCs for work, I have little experience in Unix...
Could someone suggest a course to take... and also confirm that this is indeed what it looks like, and perhaps suggest which logs I should examine, etc.?
Furthermore, would it just be the apache server that has been compromised, or would you assume the whole server is compromised?
I suspect that the best course of action is to wipe the server, and failing any response to the contrary, that is what I will do. I have begun backing up all files, and the few modified conf, etc files that I can remember modifying, in preparation for installing SME 8.
However, I had a few configuring issues last time, such as getting a second SME server to authenticate with the primary server domain... the main issue, and others, such as caching of Windows updates, that could cause a few headaches...
Any advice greatly appreciated.
Thank you.