Check SSH keys on your VPS
Today, during a routine check of a new server, a co-worker found an authorized_keys file that isn't ours. The keys in the file (two of them) belonged to the VPS company that provided the server. One of them belongs to a specific user there and the other is a generic one.
This grants them passwordless access to our server. We have no idea whether the private keys are shared between people, or whether they are even password protected. If they aren't password protected and are shared between users (which is likely), it means that a completely unknown number of people can seamlessly access our server, and if a key is stolen or ill-gotten somehow, it's much, much worse.
If the server's authentication log weren't also being checked for unexpected logins (most servers aren't, because sysadmins log in and out all the time) and the SSH authorized_keys file weren't being automatically verified (which, unfortunately, many people don't do), we would have no way of knowing whether anyone had accessed our servers using those keys.
This is the most irresponsible behavior I've seen in a hosting company, ever.
Please, check your SSH authorized_keys as soon as you have access to your new server, and again after every "check up" the company does, if it does them.
Also, put up monitoring and check (using a checksum like SHA1) the authorized_keys file (and the still-deprecated-but-used
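One way to do both checks the post recommends, as an added example that is not part of the original post: list every key in an authorized_keys file that is not in an allow-list of keys you own, and keep a checksum baseline of the file so later edits are noticed. It assumes a POSIX sh with awk, grep and GNU coreutils sha256sum, and all file paths are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: audit a server's authorized_keys
# against an allow-list of keys you actually own, and keep a checksum baseline
# so later edits are noticed. Assumes a POSIX sh with awk, grep and GNU
# coreutils sha256sum (the post suggests SHA1; SHA-256 is used here instead).
# All file paths are placeholders supplied by the caller.

# Print "keytype base64blob" for every active key line, skipping blank lines,
# comments and any leading options (command="...", from="...", no-pty, ...).
# The trailing comment field is dropped so a relabelled key still matches.
key_material() {  # $1 = authorized_keys file
    awk '
        NF == 0 || /^[[:space:]]*#/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-|sk-)/) {
                    print $i, $(i + 1); break
                }
        }' "$1"
}

# Print every key present in the file but absent from the allow-list
# (one "keytype base64blob" line per key your team owns). Returns 1 when
# at least one unknown key was found, so it can gate a cron alert.
unknown_keys() {  # $1 = authorized_keys file, $2 = allow-list file
    [ -r "$2" ] || { echo "allow-list $2 is unreadable" >&2; return 2; }
    found=$(key_material "$1" | grep -vxF -f "$2" || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Record the checksum once (keep the baseline off the server, or at least
# root-owned and read-only), then verify it on every run.
baseline() {  # $1 = authorized_keys file, $2 = baseline file to write
    sha256sum "$1" > "$2"
}

# Returns 0 if the file still matches the baseline, 1 (printing which path
# FAILED) if it was modified since the baseline was recorded.
verify_baseline() {  # $1 = baseline file
    sha256sum -c --quiet "$1"
}

# Typical cron job: raise an alert if either check fails.
# unknown_keys /root/.ssh/authorized_keys /etc/ssh/allowed_keys \
#   && verify_baseline /var/lib/ak-baseline.sha256 \
#   || logger -p auth.crit "authorized_keys check FAILED"
```

Run the audit for every account that has a .ssh directory, not only root, since a provider key can sit in any of them.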