Vadim Timoshenko, 2019-01-09 10:42:25
linux

How to remove malicious activity from your server?

I have a VDS. The hoster reported that complaints are being received about my server: allegedly there is outgoing malicious activity from my server towards someone else's. Here is the log:

EXCERPT FROM SERVER LOGFILE
-----------------------------------------------------------------------------------------
Jan 8 01:45:25 host171 sshd[6249]: Connection from 185.178.46.249 port 37178 on 195.201.199.2 port 22
Jan 8 01:45:25 host171 sshd[6249]: Invalid user sll from 185.178.46.249 port 37178
Jan 8 01:45:25 host171 sshd[6249]: debug1: PAM: setting PAM_RHOST to "185.178.46.249"
Jan 8 01:45:25 host171 sshd[6249]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.249
Jan 8 01:45:27 host171 sshd[6249]: Failed password for invalid user sll from 185.178.46.249 port 37178 ssh2
Jan 8 01:45:27 host171 sshd[6249]: Received disconnect from 185.178.46.249 port 37178:11: Bye Bye [preauth]
Jan 8 01:45:27 host171 sshd[6249]: Disconnected from 185.178.46.249 port 37178 [preauth]
Jan 8 01:26:18 host40 sshd[25975]: Connection from 185.178.46.249 port 39484 on 188.40.74.247 port 22
Jan 8 01:26:18 host40 sshd[25975]: reverse mapping checking getaddrinfo for vds-alexgaz.timeweb.ru [185.178.46.249] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 8 01:26:18 host40 sshd[25975]: Invalid user www from 185.178.46.249
Jan 8 01:26:18 host40 sshd[25975]: debug1: PAM: setting PAM_RHOST to "185.178.46.249"
Jan 8 01:26:18 host40 sshd[25975]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.249
Jan 8 01:26:20 host40 sshd[25975]: Failed password for invalid user www from 185.178.46.249 port 39484 ssh2
Jan 8 01:26:20 host40 sshd[25975]: Received disconnect from 185.178.46.249: 11: Bye Bye [preauth]
Jan 8 01:31:18 host40 sshd[12561]: Connection from 185.178.46.249 port 44184 on 188.40.74.247 port 22
Jan 8 01:31:18 host40 sshd[12561]: reverse mapping checking getaddrinfo for vds-alexgaz.timeweb.ru [185.178.46.249] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 8 01:31:18 host40 sshd[12561]: Invalid user test from 185.178.46.249
Jan 8 01:31:18 host40 sshd[12561]: debug1: PAM: setting PAM_RHOST to "185.178.46.249"
Jan 8 01:31:18 host40 sshd[12561]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.249
Jan 8 01:31:20 host40 sshd[12561]: Failed password for invalid user test from 185.178.46.249 port 44184 ssh2
Jan 8 01:31:20 host40 sshd[12561]: Received disconnect from 185.178.46.249: 11: Bye Bye [preauth]
Jan 8 01:34:18 host40 sshd[21792]: Connection from 185.178.46.249 port 36632 on 188.40.74.247 port 22
Jan 8 01:34:18 host40 sshd[21792]: reverse mapping checking getaddrinfo for vds-alexgaz.timeweb.ru [185.178.46.249] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 8 01:34:18 host40 sshd[21792]: Invalid user webprog from 185.178.46.249
Jan 8 01:34:18 host40 sshd[21792]: debug1: PAM: setting PAM_RHOST to "185.178.46.249"
Jan 8 01:34:18 host40 sshd[21792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.178.46.249
Jan 8 01:34:20 host40 sshd[21792]: Failed password for invalid user webprog from 185.178.46.249 port 36632 ssh2
Jan 8 01:34:20 host40 sshd[21792]: Received disconnect from 185.178.46.249: 11: Bye Bye [preauth]

Tell me, where should I dig, and where should I look for a solution to the problem? Where do I look for this malicious code?
I didn't find it in the CMS.
I ran top: the crond64 process is loading the CPU at 200%.
I killed the process with kill, but where do I look for it now?

1 answer(s)
chupasaurus, 2019-01-09
@PbI6A_KuT

find / -name crond64 -type f, if it is not self-deleting.
For the future: the location of the executable file of a process can be found using ls -l /proc/$pid/exe
