Detected a hack this morning on a WordPress installation on a Bluehost server. Someone used the credentials of a WordPress user account with admin rights; I'm dealing with the aftermath now. I know, I failed to restrict other people's rights in time. Sigh.
Right away I restored a clean WordPress backup (via a phpMyAdmin database import) and removed the affected admin account right after. Removed all FTP accounts I didn't set up. Looking pretty clean again now, at least from the Bluehost cPanel view. I'm the only admin.
I haven't done an SSH session yet, because the SSH key fingerprint doesn't match anymore. My SSH client had previously stored the public key in .ssh/known_hosts. DNS spoofing is excluded (I control the domain and have the same problem when SSHing to the IP address).
server: ssh-keygen -l -f id_rsa
2048 SHA256:F6Q/VrkvaIM4e/2Z49c5VLzbI43eMa3POwENPnQVSuA id_rsa.pub (RSA)
client: ssh (after removing the previous public key from .ssh/known_hosts)
ED25519 key fingerprint is SHA256:VPqWe8U9SxpgSvw/dlhsrfMuGf6EVwsnPzTOrdqSJso.
The server's .ssh/id_rsa.pub file date is from when I generated those keys years back. However, it doesn't exactly match the key stored in the client's .ssh/known_hosts. Interestingly, the first 28 characters do match; the rest is different.
Why is there a fingerprint mismatch?
Could something else have been altered that I haven't found yet?
I'm concerned about accessing the server via SSH with the new keys (?) and entering my admin password over SSH.
Any help greatly appreciated.
Thanks! Dirk