Hetzner
Fet, 2016-02-08 11:41:28

Suspicious activity on a Hetzner server. How do I detect it?

Yesterday I rented a server from hetzner.de.
I installed an ISPlite5 panel. In less than a day, I received a letter from them about suspicious activity, and after another 4 hours, another saying that a DDoS was being conducted from my server.
I am not strong in administration. More precisely, zero in administration.
How do I detect this activity?
ddos-abuse

An IP address (xxxxxxxxxx) under your control appears to have attacked one of our customers as part of a coordinated DDoS botnet. We manually reviewed the captures from this attack and do not believe that your IP address was spoofed, based on the limited number of distinct hosts attacking us, the identicality of many attacking IP addresses to ones we've seen in the past, and the non-random distribution of IP addresses

network abuse
We have received information that there was an attack from your server.
Direction OUT
Internal xxxxxxxxx
Threshold Packets 100.000 packets/s
Sum 75.987.000 packets/300s (253.290 packets/s), 4 flows/300s (0 flows/s), 2.052 GByte/300s (56 MBit/s)
External 104.85.165.1, 75.987.000 packets/300s (253.290 packets/s), 4 flows/300s (0 flows/s), 2.052 GByte/300s (56 MBit/s)

UPD:
The issue with network-abuse was resolved by disabling backup in the ISPManager control panel.
But doing without backups is not an option. The backups were made to Yandex Disk. How do I explain to Hetzner that this is not a threat?


1 answer(s)
Puma Thailand, 2016-02-08
@opium

Run top and ps ax and immediately everything will become clear
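
An added example, not part of the original answer: `top` and `ps ax` show what is running, but the abuse report names a remote address (External 104.85.165.1), so it also helps to ask which process owns the sockets to that address. The sketch below groups `ss -Htunp` output by owning process; the sample lines, the local address 203.0.113.10 and the process name `backup-job` are constructed for illustration.

```shell
#!/bin/sh
# Added example: attribute sockets to the owning process for one remote IP.
# Real use (as root, so the process column is filled in):
#   ss -Htunp | procs_for_peer 104.85.165.1

# procs_for_peer IP: reads `ss -Htunp` output on stdin and prints
# "<socket count> <process> pid=<pid>" for sockets whose peer is IP.
procs_for_peer() {
    awk -v ip="$1" '
    {
        peer = $6                         # column 6 = Peer Address:Port
        sub(/:[0-9*]+$/, "", peer)        # drop the port
        gsub(/^\[|\]$/, "", peer)         # drop IPv6 brackets
        if (peer != ip) next
        owner = "unknown (run ss as root)"
        if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
            # matched text looks like: users:(("name",pid=123
            owner = substr($0, RSTART + 9, RLENGTH - 9)
            sub(/",pid=/, " pid=", owner)
        }
        count[owner]++
    }
    END { for (o in count) print count[o], o }
    ' | sort -rn
}

# Constructed sample of `ss -Htunp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
tcp ESTAB 0 184320 203.0.113.10:51234 104.85.165.1:443 users:(("backup-job",pid=2143,fd=7))
tcp ESTAB 0 176128 203.0.113.10:51236 104.85.165.1:443 users:(("backup-job",pid=2143,fd=8))
tcp ESTAB 0 190464 203.0.113.10:51240 104.85.165.1:443 users:(("backup-job",pid=2143,fd=9))
tcp ESTAB 0 0 203.0.113.10:22 198.51.100.7:60122 users:(("sshd",pid=812,fd=4))
tcp TIME-WAIT 0 0 203.0.113.10:51190 104.85.165.1:443
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
EOF
}

# Demo on the constructed sample; busiest owner is listed first.
sample_ss_output | procs_for_peer 104.85.165.1
```

Once the owning PID is known, `ps -fp <pid>` shows its full command line, which is what tells a scheduled backup apart from an unknown binary.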
