
Detected a hack from this morning on a Bluehost server WordPress installation. Someone used credentials from a WordPress user account with admin rights; I'm dealing with the aftermath now. I know, I failed to restrict other people's rights in time. Sigh.

Right away I restored a clean WordPress backup (via a phpMyAdmin database import) and removed the affected admin account right after. I removed all FTP accounts I didn't set up. It's looking pretty clean again now, at least from the Bluehost cPanel view. I'm the only admin.

I haven't done an SSH session yet, because the SSH key fingerprint is not matching anymore. My SSH client had previously stored the public key in .ssh/known_hosts. DNS spoofing is excluded (I control the domain and have the same problem when calling SSH with the IP address).

server: ssh-keygen -l -f id_rsa 2048 SHA256:F6Q/VrkvaIM4e/2Z49c5VLzbI43eMa3POwENPnQVSuA id_rsa.pub (RSA)

client: ssh (after removing previous public key from .ssh/known_hosts) ED25519 key fingerprint is SHA256:VPqWe8U9SxpgSvw/dlhsrfMuGf6EVwsnPzTOrdqSJso.

The server's .ssh/id_rsa.pub file date is from when I generated those keys years back. However, it doesn't exactly match the key stored in the client's .ssh/known_hosts. Interestingly, the first 28 characters do match; the rest is different.

Why is there a fingerprint mismatch?

Could something else be altered which I haven't found yet?

I'm concerned about accessing the server via SSH with new keys (?) and entering my admin password in an SSH session.

Any help greatly appreciated.

Thanks! Dirk

Dirk W
  • I am not sure that is the current status or situation, but I don't worry too much regarding the fingerprint. I would suggest clearing all keys on your server; sure, when you connect the first time you will see the fingerprint, but at least you are sure you have clear keys in place and no one can access your server using those keys – Roid Jan 16 '24 at 03:41
  • Additionally, questions involving web management panels like cPanel are off topic. – Gerald Schneider Jan 16 '24 at 06:02

1 Answer

In .ssh/known_hosts you keep a fingerprint key of your server, not the public part of an SSH key.

Most probably you have a rootkit on your server. It means that restoring data from the backup will not have any effect. You need a full re-installation of the server (order a brand new server) or to run a script which locally checks for signs of a rootkit.

Ilja
  • I wouldn't suggest a rootkit check script as an equal option to a full re-installation of the server. There is still a relatively high chance that the rootkit detection doesn't detect the particular rootkit that is there. Full re-installation is the only reasonable option. – Tero Kilkanen Jan 16 '24 at 07:30
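A defender-side way to work through the fingerprint comparison in this thread, added here as an example that is not part of the question or the answer. `ssh-keygen -l -f id_rsa` on the server fingerprints the user key pair in ~/.ssh, while the fingerprint the client prints at connect time belongs to a host key from /etc/ssh/ssh_host_*_key.pub (an ED25519 one here), so those two values are not expected to agree. A known_hosts line records the host's key type and its base64 public key blob, and the SHA256 fingerprint is derived from that blob. The Python below (standard library only; the hostname, key material and known_hosts lines are constructed stand-ins, not real keys) recomputes OpenSSH's SHA256 fingerprints, matches plain and hashed (`ssh-keygen -H`) known_hosts entries, reports per key type whether the key a server holds still matches what a client pinned, and shows why two unrelated RSA public keys share their first base64 characters: that prefix encodes the key type "ssh-rsa" and the exponent 65537, nothing specific to either key.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, List


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH mpint for a positive integer: minimal big-endian bytes, plus a leading
    0x00 when the high bit is set so the value is not read as negative."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def make_ed25519_pub_line(raw_key: bytes, comment: str) -> str:
    """One-line OpenSSH public key: 'ssh-ed25519 <base64 blob> comment'.
    Demo material only; real host keys live in /etc/ssh/ssh_host_*_key.pub."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def make_rsa_pub_line(n: int, e: int, comment: str) -> str:
    """Same for ssh-rsa: the blob is the string 'ssh-rsa', then e, then n."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprint_of_blob(blob_b64: str) -> str:
    """What `ssh-keygen -lf` prints: base64(SHA-256(decoded blob)) without '='
    padding, prefixed with 'SHA256:'. Works for any key type."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint(pub_line: str) -> str:
    """Fingerprint of a .pub line (field 0 is the key type, field 1 the blob)."""
    return fingerprint_of_blob(pub_line.split()[1])


def hash_host_field(hostname: str, salt: bytes) -> str:
    """Hashed host field as written by `ssh-keygen -H`: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Match a known_hosts host field, either a plain comma-separated list or hashed."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|")
        expected = hash_host_field(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, host_field)
    return hostname in host_field.split(",")


def pinned_fingerprints(known_hosts: str, hostname: str) -> Dict[str, str]:
    """{key type: fingerprint} for every known_hosts entry that names hostname."""
    pinned = {}
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        host_field, keytype, blob_b64 = fields[:3]
        if host_matches(host_field, hostname):
            pinned[keytype] = fingerprint_of_blob(blob_b64)
    return pinned


def check_host_keys(known_hosts: str, hostname: str, server_pub_lines: List[str]) -> Dict[str, bool]:
    """Per key type the client pinned, does the key the server now holds match it?
    False is the situation ssh warns about: a different host key of that type."""
    pinned = pinned_fingerprints(known_hosts, hostname)
    report = {}
    for line in server_pub_lines:
        keytype, blob_b64 = line.split()[:2]
        if keytype in pinned:
            report[keytype] = pinned[keytype] == fingerprint_of_blob(blob_b64)
    return report


def shared_prefix_len(pub_line_a: str, pub_line_b: str) -> int:
    """Number of leading base64 characters two .pub lines have in common."""
    a, b = pub_line_a.split()[1], pub_line_b.split()[1]
    count = 0
    for x, y in zip(a, b):
        if x != y:
            break
        count += 1
    return count


# Constructed demo material (deterministic bytes, not real keys or hosts).
HOSTNAME = "server.example.com"
ORIGINAL_HOST_PUB = make_ed25519_pub_line(hashlib.sha256(b"demo host key").digest(), "root@server")
REPLACED_HOST_PUB = make_ed25519_pub_line(hashlib.sha256(b"demo new host key").digest(), "root@server")
KNOWN_HOSTS = HOSTNAME + " " + ORIGINAL_HOST_PUB + "\n"
KNOWN_HOSTS_HASHED = hash_host_field(HOSTNAME, b"demo-20-byte-salt!!!") + " " + ORIGINAL_HOST_PUB + "\n"
# Two unrelated 2048-bit moduli (top bit set) with the usual exponent 65537.
USER_RSA_PUB = make_rsa_pub_line(
    (1 << 2047) | int.from_bytes(hashlib.sha256(b"user").digest() * 8, "big"), 65537, "dirk@laptop")
OTHER_RSA_PUB = make_rsa_pub_line(
    (1 << 2047) | int.from_bytes(hashlib.sha256(b"other").digest() * 8, "big"), 65537, "someone@else")

if __name__ == "__main__":
    print("pinned vs original host key:", check_host_keys(KNOWN_HOSTS, HOSTNAME, [ORIGINAL_HOST_PUB]))
    print("pinned vs replaced host key:", check_host_keys(KNOWN_HOSTS, HOSTNAME, [REPLACED_HOST_PUB]))
    print("pinned vs a user RSA key (no ssh-rsa entry pinned):", check_host_keys(KNOWN_HOSTS, HOSTNAME, [USER_RSA_PUB]))
    print("base64 prefix shared by two unrelated RSA keys:", shared_prefix_len(USER_RSA_PUB, OTHER_RSA_PUB))
```

On a real server the equivalent check is `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run over the hosting console or another out-of-band channel, compared with `ssh-keygen -lF server.example.com` on the client. A host key that changed right after a compromise is a reason to treat the machine as untrusted until it has been rebuilt, not a prompt to accept the new key.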