Tracking Down Outbound FTP Abuse

My data center is alerting me about complaints that bruteforce FTP attacks are coming from my server. I don’t get a lot of info to go on, but for the life of meI’m not finding anything and I’m hoping someone can give advice on how to proceed.

Here a sample of the attack records:

Note: Local timezone is +0200 (CEST)
2017-06-02 18:58:42,636 proftpd[7306] ([]): FTP session opened.
2017-06-02 18:58:42,849 proftpd[7306] ([]): USER spacebass: no such user found from [] to

Any suggestion on how to track this down?

I discovered a malicious Python script had been installed that was causing the outbound attack. I was able to stop it and now for the cleanup.