
My server is compromised, and when I SSH to it, I get "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!". I know it is because the SHA256 fingerprint has changed, and you can see the new one with an openssl command, but I don't know where I can check when it changed. Also, I don't know how you (or the hacker) can change it, or what has happened that it changed.

Please do not recommend that I unplug it from the network, etc., as I've already done that; I just want to know when and how it happened.

Alex

1 Answer


but I don't know where I can check when it changed?

Well, for a first take, I'd look at the file timestamps (/etc/ssh/ssh_host*), though those are not a reliable means of knowing when a file was changed. It can give you some place to start, though. In order to know definitively, you'll need to look at your backups and see when the file changed.

and also I don't know how you (or the hacker) can change it?

Simply by deleting and re-creating the SSH host keys. On Debian-based systems, keys can be regenerated by deleting them and then running dpkg-reconfigure openssh-server.

Please do not recommend that I unplug it from the network, etc., as I've already done that; I just want to know when and how it happened.

Well, you've SSH'ed to it, so it's still on the network, eh?

EEAA
  • So /etc/ssh/ssh_host* contains the private key and public key of the OpenSSH server, right? – Alex May 02 '17 at 15:29
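As an added example (not part of the question, the answer, or OpenSSH itself), the script below shows the two checks the answer describes from the client side: computing the SHA256 fingerprint of a host public key the same way `ssh-keygen -lf` does, comparing it against what a `known_hosts` file recorded for that host, and reading the modification and inode-change timestamps of a key file. The host name `server.example.com`, the address `192.0.2.10`, the `known_hosts` text and both ed25519 keys are constructed sample data, not real keys.

```python
import base64
import datetime
import hashlib
import os
import struct
import tempfile


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64 blob> <comment>' line from a raw
    32-byte public key. Used here only to construct sample keys for the demo."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprint_sha256(pubkey_line: str) -> str:
    """Fingerprint in the format `ssh-keygen -lf` and the ssh client print:
    SHA-256 over the decoded key blob, base64-encoded with '=' padding removed."""
    keytype, b64blob = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_fingerprints(known_hosts_text: str, host: str) -> list:
    """Fingerprints of every key recorded for `host` in known_hosts text.
    Only plain (unhashed) entries are handled; '|1|' hashed entries are skipped."""
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        hosts, keytype, b64blob = line.split()[:3]
        if host in hosts.split(","):
            found.append(fingerprint_sha256("%s %s" % (keytype, b64blob)))
    return found


def compare_host_key(known_hosts_text: str, host: str, current_pubkey_line: str) -> str:
    """'match' if the key offered now is one already recorded for the host,
    'changed' if the host is known but with a different key (the situation that
    triggers the REMOTE HOST IDENTIFICATION HAS CHANGED warning), 'unknown' otherwise."""
    recorded = known_hosts_fingerprints(known_hosts_text, host)
    if not recorded:
        return "unknown"
    return "match" if fingerprint_sha256(current_pubkey_line) in recorded else "changed"


def file_timeline(path: str) -> dict:
    """mtime and ctime of a file as ISO-8601 UTC strings. mtime can be set freely
    by anyone with write access (touch -d), so it proves nothing on a compromised
    box; ctime is set by the kernel on any inode change and cannot be set directly,
    but it is still only as trustworthy as the system clock at the time."""
    st = os.stat(path)

    def iso(ts):
        return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat()

    return {"path": path, "mtime": iso(st.st_mtime), "ctime": iso(st.st_ctime)}


# Constructed sample data: the key the client recorded earlier, and a key that a
# host would present after its host keys were deleted and regenerated.
OLD_KEY_LINE = build_ed25519_pubkey_line(bytes(range(32)), "old-host-key")
NEW_KEY_LINE = build_ed25519_pubkey_line(bytes(range(32, 64)), "regenerated-host-key")
SAMPLE_KNOWN_HOSTS = "server.example.com,192.0.2.10 %s %s\n" % tuple(OLD_KEY_LINE.split()[:2])


def demo_timeline() -> dict:
    """Write a sample public key file to a temp dir and report its timestamps."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ssh_host_ed25519_key.pub")
    with open(path, "w") as fh:
        fh.write(NEW_KEY_LINE + "\n")
    return file_timeline(path)


if __name__ == "__main__":
    print("recorded:", known_hosts_fingerprints(SAMPLE_KNOWN_HOSTS, "server.example.com"))
    print("offered: ", fingerprint_sha256(NEW_KEY_LINE))
    print("verdict: ", compare_host_key(SAMPLE_KNOWN_HOSTS, "server.example.com", NEW_KEY_LINE))
    print("timeline:", demo_timeline())
```

On a real client, `ssh-keygen -F server.example.com -f ~/.ssh/known_hosts` lists the recorded entry and `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the server prints the fingerprint this code computes; `stat` on the key files gives the same mtime/ctime the timeline function reads. As the answer says, only a backup (or a trustworthy copy of the old public key) settles what the key used to be and when it stopped matching.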