
I have faced a problem with my VPS. It seems that someone has added his public key to my authorized_keys file and logged in to my VPS.

Postponed publickey for xxx from 223.255.145.158 port 52240 ssh2 [preauth]
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 0 [preauth]
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /xxx/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: read_keyfile_line: /xxx/.ssh/authorized_keys line 1 exceeds size limit
debug1: matching key found: file /xxx/.ssh/authorized_keys, line 6 RSA 63:26:51:7d:bb:fb:a7:6b:7a:a8:93:a9:25:91:c4:06
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for xxx from 223.255.145.158 port 52240 ssh2: RSA 63:26:51:7d:bb:fb:a7:6b:7a:a8:93:a9:25:91:c4:06
debug1: monitor_child_preauth: xxx has been authenticated by privileged process
debug1: monitor_read_log: child log fd closed
debug1: PAM: establishing credentials

Further information: I have SSH authentication enabled using both keys and passwords.

Any idea why this kind of issue happened on my VPS?

MiaoHatola
H. SLF
  • If you say someone logged in, then you have answered your question. Call the service provider, take it off the Internet or put it in recovery mode. Then back up all important data (not the entire OS!!!) and reinstall. But one thing: using a key file is the best way to do the auth. Furthermore, it seems like the SSH client tries to connect from itself with a key file; make sure you don't have a key file which he uses to authenticate. – Serverfrog Mar 29 '17 at 08:50
  • If you haven't disabled password login, the intruder probably just brute-forced your password (because after failing to verify a key, ssh falls back to the password prompt). Next time make sure that only key authentication is enabled. – ddnomad Mar 29 '17 at 13:14
  • What information is leading you to believe this was someone else? Is the key on line 6 not yours? – Xiong Chiamiov Mar 29 '17 at 14:46
  • @XiongChiamiov Yes it's not mine – H. SLF Mar 30 '17 at 06:18
  • Verify the source IP, it might even be your service provider just running a monitoring script to ensure they can reset your password if needed. – Trey Blalock Mar 30 '17 at 07:30
  • Can you post the results of running the log and lastlog commands? Also, the command may be "history" on certain distros. I'm using the commands from Debian/Ubuntu. I would also disable password auth if you haven't already and move his ssh key out of the directory, but keep it for now to preserve evidence if that's what you want. – David Kamer Mar 04 '18 at 18:46
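An added example, not from the question or from any of the commenters, of the check the log above is doing by hand: sshd logs the fingerprint of the key that matched (here "RSA 63:26:51:...", an MD5 fingerprint; newer OpenSSH prints "SHA256:..." instead), and that fingerprint is simply the hash of the base64 blob on the matching authorized_keys line. The script below parses an authorized_keys file (including option prefixes such as from= or command=), computes both fingerprint forms for every key line, and joins them against "Accepted publickey" lines so each login is tied to a line number, a comment and a source IP. Everything is constructed for the example: the two keys are syntactically valid ssh-rsa blobs built around toy moduli (not usable keys), the log lines are made up, and the 8192-byte line limit that produces the "exceeds size limit" message is my assumption about OpenSSH's SSH_MAX_PUBKEY_BYTES.

```python
import base64
import hashlib
import re
import struct

# --- minimal ssh-rsa wire format (RFC 4253) used only to build self-contained test keys ---

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:      # leading zero keeps the mpint positive
        raw = b"\x00" + raw
    return _ssh_string(raw)

def toy_rsa_pubkey_b64(e: int, n: int) -> str:
    """Base64 blob as it appears in authorized_keys. Toy modulus: not a usable key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode()

# --- fingerprints, computed the way sshd and ssh-keygen do: over the decoded blob ---

def md5_fingerprint(blob: bytes) -> str:
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def sha256_fingerprint(blob: bytes) -> str:
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MAX_LINE = 8192   # assumed: OpenSSH skips longer lines with "exceeds size limit"

def parse_authorized_keys(text: str) -> list:
    """One record per key line: line number, options, type, comment, both fingerprints."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rec = {"line": lineno, "oversized": len(raw) > MAX_LINE, "error": None}
        fields = line.split()
        # Options (from=..., command=..., no-pty, ...) come before the key type.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            rec["error"] = "no recognisable key"
            records.append(rec)
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:             # binascii.Error is a ValueError subclass
            rec["error"] = "bad base64"
            records.append(rec)
            continue
        rec.update({
            "options": " ".join(fields[:idx]),
            "type": fields[idx],
            "comment": " ".join(fields[idx + 2:]),
            "md5": md5_fingerprint(blob),
            "sha256": sha256_fingerprint(blob),
        })
        records.append(rec)
    return records

ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2: "
    r"(?P<alg>\S+) (?P<fp>\S+)")

def match_logins(log_text: str, authorized_keys_text: str) -> list:
    """Join each 'Accepted publickey' log line to the authorized_keys line that matched it."""
    by_fp = {}
    for k in parse_authorized_keys(authorized_keys_text):
        if k["error"] is None:
            by_fp[k["md5"]] = k        # old-style log format (no prefix)
            by_fp[k["sha256"]] = k     # newer OpenSSH format
    results = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        key = by_fp.get(m.group("fp"))
        results.append({"user": m.group("user"), "ip": m.group("ip"),
                        "fingerprint": m.group("fp"),
                        "line": key["line"] if key else None,
                        "comment": key["comment"] if key else None})
    return results

# Constructed sample data (not from the question). Line 3 plays the unknown key.
_KEY_A = toy_rsa_pubkey_b64(65537, (1 << 1023) + 12345)
_KEY_B = toy_rsa_pubkey_b64(65537, (1 << 1023) + 67891)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# admin keys (constructed sample)",
    f"ssh-rsa {_KEY_A} admin@laptop",
    f'from="10.0.0.0/8",no-pty ssh-rsa {_KEY_B} backup',
])
SAMPLE_LOG = "\n".join([
    f"Accepted publickey for admin from 198.51.100.7 port 50000 ssh2: RSA "
    f"{sha256_fingerprint(base64.b64decode(_KEY_A))}",
    f"Accepted publickey for root from 223.255.145.158 port 52240 ssh2: RSA "
    f"{md5_fingerprint(base64.b64decode(_KEY_B))}",
    "Accepted publickey for root from 203.0.113.9 port 4242 ssh2: RSA "
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
])

if __name__ == "__main__":
    for r in match_logins(SAMPLE_LOG, SAMPLE_AUTHORIZED_KEYS):
        where = (f"authorized_keys line {r['line']} ({r['comment']})" if r["line"]
                 else "no matching line (key removed since, or another file/CA)")
        print(f"{r['user']} from {r['ip']}: {r['fingerprint']} -> {where}")
```

On a real host, read the file with `open("/root/.ssh/authorized_keys").read()` and feed it the output of `journalctl -u ssh` or `/var/log/auth.log` instead of the constructed strings; the fingerprint of line 6 in the question would then print next to its comment field and the 223.255.145.158 login that used it. A login whose fingerprint matches no line means the key was removed after the login, lived in a second AuthorizedKeysFile, or was a CA-signed certificate, so keep a copy of the file before cleaning it up, as the last comment advises.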

0 Answers