A few years ago I was contacted by DigitalOcean because they got reports about my server being involved in an SSH attack or something like that. Turns out my old Drupal website had unpatched vulnerabilities that allowed an attacker to access my system and use it for attacking others.
I am not saying that to defend your provider; they should have at least given you a warning. I am saying that so you check your server, as it may have been compromised.
My country also blocks VPN.
The solution that always worked for me is using OpenVPN with static key configuration. https://openvpn.net/community-resources/static-key-mini-howto/
I’d check https://transparencyreport.google.com/safe-browsing/search because most browsers, including Mozilla Firefox, rely on Google Safe Browsing.
The other thing to point out is that if an attacker somehow got root access, they could install a so-called “rootkit”, and what it does is replace some of the basic commands like top, ps, … with altered ones in order to hide the malware's activities.