On Fri, 6 Dec 2019 at 15:14, Martijn Koster mak-alug@greenhills.co.uk wrote:
https://www.digitalocean.com/community/questions/why-my-droples-s-ssh-key-ch... Seems to suggest this can happen, though it doesn’t go into great detail why.
Interesting, thanks. Never thought to narrow my Google search down to a specific host.
Which reminds me — you haven’t just restored your .ssh directory from backup or something I assume?
No. But it is possible that it's been longer than I think since I last connected from my office PC; I tend to do the updates out of hours and that means I'm usually at home. (I can't think of any good reason why they'd have changed since first install, but the longer it's been the more likely there was a decent reason.)
Most recent compromises I’ve seen have been miners, which show up on “top” and “ps”.
Cool, checked those. Nothing obvious, CPU not being pushed hard. Also disk space not looking any more utilised than I'd expect.
But I kinda doubt that a compromise is behind it.
Ditto (it was a curiosity unless someone gave me reason to panic), but it's been an interesting investigation.
Blindly ignoring a warning wasn't a great plan, but I think I've done enough now to be happy it's nothing untoward (and it's not a critical server, it has no confidential info on it).
Thank you for your help. It really is appreciated.
Mark