What to do when someone logged as root on my server

Ben asked:

I have a server running Debian 6.0 with logcheck installed.
Yesterday, I received this message:

Jan 19 19:15:10 hostname sshd[28397]: Authentication tried for root with correct key but not from a permitted host (host=4.red-2-140-77.dynamicip.rima-tde.net, ip=

I don’t know who this is and I doubt he was there by accident.

Now, what should I do?

The first thing I did was to disable ssh password authentication and switch to public/private key. I also checked the authorized_keys file and saw only my public key.

What next?

How can I know what the other guy did on my machine?

My answer:

This might be a long-standing bug in OpenSSH which was only fixed in 6.0p1. In that case you can safely ignore it. However, if you want to be safe, the original answer (assuming you aren’t affected by this bug) is:

Your ssh private keys have likely been compromised, since someone had a valid private key for logging into your root account. The fact that someone didn’t log in from a permitted IP address saved you from further compromise. Nevertheless, this is a significant compromise; it suggests that your workstation (or other machine you typically work from) was compromised.

You should treat every workstation and server you touch as potentially compromised. Format and reinstall your workstation(s). Revoke/destroy all of your existing ssh keys and rekey everything. Change all passwords. Strongly consider wiping and reinstalling any servers on which you have access to log in with this key.
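Before treating the event as a near miss, an administrator will want to know whether the same source ever obtained an accepted login for root. The following Python script is an added example, not code from the original question or answer: it scans auth.log lines for the message Ben quoted and for sshd "Accepted ..." lines, then flags any source IP that was first refused by the key's host restriction and later accepted for the same user. The log lines are constructed sample input; the 192.0.2.x and 198.51.100.x addresses are documentation-range placeholders.

```python
import re
import sys

# sshd message quoted in the question: the key matched authorized_keys,
# but the client's host failed the from="..." restriction on that key.
REJECTED_HOST_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Authentication tried for (?P<user>\S+) with correct key but not from a "
    r"permitted host \(host=(?P<rhost>[^,]+), ip=(?P<ip>[^)]*)\)"
)
# Successful sshd logins, any method (publickey, password, ...).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample input (not a real log): one refused attempt, two accepted logins.
SAMPLE_LOG = """\
Jan 19 19:15:10 hostname sshd[28397]: Authentication tried for root with correct key but not from a permitted host (host=4.red-2-140-77.dynamicip.rima-tde.net, ip=192.0.2.77)
Jan 19 19:15:12 hostname sshd[28397]: Connection closed by 192.0.2.77
Jan 19 20:01:33 hostname sshd[28511]: Accepted publickey for root from 198.51.100.5 port 50122 ssh2
Jan 19 20:10:02 hostname sshd[28540]: Accepted publickey for root from 192.0.2.77 port 50130 ssh2
""".splitlines()


def scan_auth_log(lines):
    """Return (rejected, accepted): one dict of named fields per matching line."""
    rejected, accepted = [], []
    for line in lines:
        m = REJECTED_HOST_RE.match(line)
        if m:
            rejected.append(m.groupdict())
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append(m.groupdict())
    return rejected, accepted


def suspicious_successes(rejected, accepted):
    """Accepted logins whose (user, ip) was earlier refused by the host check.
    Any hit means the from= restriction did not hold the line for that source."""
    refused = {(r["user"], r["ip"]) for r in rejected}
    return [a for a in accepted if (a["user"], a["ip"]) in refused]


if __name__ == "__main__":
    # Usage: python check_sshd.py /var/log/auth.log   (defaults to the sample above)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    rej, acc = scan_auth_log(lines)
    print(f"{len(rej)} refused-host attempt(s), {len(acc)} accepted login(s)")
    for hit in suspicious_successes(rej, acc):
        print(f"REVIEW: {hit['ts']} pid {hit['pid']} {hit['user']} accepted from {hit['ip']}")
```

On the sample input the script reports the 20:10:02 root login from 192.0.2.77, the same source that was refused at 19:15:10; on a real log, an empty result supports the "saved you from further compromise" reading while a hit means the server itself must be treated as compromised.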

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.