How to Investigate Reported Abuse-Related Portscan/Malware/Intrusion Attempts(?)

Good morning,

We have just received the below from AWS regarding one of our Amazon Linux-based webservers. Upon connecting to the host we can't find and evidence of GET command to the Netherlands (.nl) hosts shown in the log from AWS below.

• How can we best check for evidence that this specific activity was outgoing from this server?

• How can we validate whether this host has been rooted or if it was accessed via webshell or injection?

• Thank you in advance to any willing to help!

AWS Notice below:

---

Source IP / Targeted host / Issue processed @ / Log entry

• [AWS SERVER IP-REDACTED] tpc-043.mach3builders.nl 2024-02-25T17:45:11+01:00 [AWS SERVER IP-REDACTED] - - [25/Feb/2024:17:45:02 +0100] "GET /wp-admin/includes/plugins.php HTTP/1.1" 301 539 "modice.nl" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" [VirtualHost: www[.]modice[.]nl]

• Comments: <<< Date: 2024-02-25T17:45:11+01:00 Source: [AWS SERVER IP-REDACTED] Type of Abuse: Portscan/Malware/Intrusion Attempts Logs: [AWS SERVER IP-REDACTED] - - [25/Feb/2024:17:45:02 +0100] "GET /wp-admin/includes/plugins.php HTTP/1.1" 301 539 "modice.nl" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" [VirtualHost: www[.]modice[.]nl]

---

To whom it may concern, ** [AWS SERVER IP-REDACTED] is reported to you for performing unwanted activities toward our server(s).**