I have a Yunohost server, and some days ago I lost the connection. The computer was off, so I restarted it and tried to connect with SSH, but received the message below:
```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:[REDACTED].
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/user/.ssh/known_hosts:3
  remove with:
  ssh-keygen -f "/home/user/.ssh/known_hosts" -R "serv.org"
ED25519 host key for serv.org has changed and you have requested strict checking.
Host key verification failed.
```
I solved the problem, connected to it, and tried to understand what happened.
The fact is, I don't really have knowledge about crash investigation, but I have some knowledge of syslog. I found lines like:
```
postfix/smtpd[11920]: connect from unknown[XXX.XXX.XXX.XXX]
```
with different IPs (German and Chinese IPs, associated with .torservers.net), and a lot of other lines related to Tor:
```
postfix/submission/smtpd[11938]: warning: hostname XXX.XXX.XXX.XXX.torservers.net does not resolve to address 185.220.102.244: Name or service not known
```
I didn't run any Tor nodes.
Any idea of what could have happened? Where should I investigate? Is my server compromised?
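Added example (not from the original post, nor YunoHost or Postfix code): a small Python triage script that parses Postfix smtpd lines of the kind quoted above, counts connections per source IP, and flags addresses whose reverse-DNS name ends in a Tor-exit suffix such as .torservers.net. The log lines, IPs and hostnames are constructed, and the suffix list is an assumed heuristic: most exit nodes carry no such PTR record, so an empty flag list does not mean no Tor traffic.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape quoted in the post
# (documentation-range IPs, not real exit nodes).
SAMPLE_LOG = """\
Mar  3 10:01:12 serv postfix/smtpd[11920]: connect from unknown[203.0.113.10]
Mar  3 10:01:13 serv postfix/submission/smtpd[11938]: warning: hostname 203-0-113-10.torservers.net does not resolve to address 203.0.113.10: Name or service not known
Mar  3 10:02:40 serv postfix/smtpd[11950]: connect from mail.example.org[198.51.100.7]
Mar  3 10:03:01 serv postfix/smtpd[11961]: connect from unknown[203.0.113.10]
Mar  3 10:03:02 serv postfix/submission/smtpd[11962]: warning: hostname tor-exit-1.torservers.net does not resolve to address 203.0.113.22: Name or service not known
"""

# "connect from <rdns>[<ip>]" as logged by postfix/smtpd and postfix/submission/smtpd
CONNECT_RE = re.compile(
    r"postfix/(?:\S+/)?smtpd\[\d+\]: connect from (\S+?)\[(\d+(?:\.\d+){3})\]")
# Postfix warning when the PTR name does not resolve back to the connecting IP
FWD_FAIL_RE = re.compile(
    r"warning: hostname (\S+) does not resolve to address (\d+(?:\.\d+){3})")

# Assumed heuristic: rDNS suffixes commonly used by Tor exit operators.
TOR_SUFFIXES = (".torservers.net",)


def summarize(log_text, tor_suffixes=TOR_SUFFIXES):
    """Return per-IP connection counts, IPs with Tor-looking rDNS, and
    the unresolved hostname seen for each IP."""
    connects = Counter()
    unresolved = {}
    tor_ips = set()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connects[m.group(2)] += 1
            continue
        m = FWD_FAIL_RE.search(line)
        if m:
            host, ip = m.groups()
            unresolved[ip] = host
            if host.lower().endswith(tor_suffixes):
                tor_ips.add(ip)
    return {"connects": dict(connects),
            "unresolved": unresolved,
            "tor_ips": sorted(tor_ips)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in sorted(report["connects"].items(), key=lambda kv: -kv[1]):
        flag = "TOR-rDNS" if ip in report["tor_ips"] else ""
        print(f"{ip:16} {n:3} {report['unresolved'].get(ip, '')} {flag}")
```

On a real host, feed it the output of `grep postfix /var/log/mail.log` (or the journal) and compare the busiest unknown[...] sources against what the mail server is actually expected to receive.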