MY FIRST 5 MINUTES WITH weservit.nl :)

(what follows is the ticket i opened to their helpdesk)

$ ssh -l root **.***.***.***
The authenticity of host '**.***.***.*** (**.***.***.***)' can't be established.
RSA key fingerprint is 66:43:53:e8:32:f3:5c:56:46:bc:b5:f8:ff:01:bf:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '**.***.***.***' (RSA) to the list of known hosts.
root@**.***.***.***'s password:
Linux client577.alp.nl.weservit.nl 2.6.18-194.17.1.el5xen #1 SMP Wed Sep 29 13:30:21 EDT 2010 x86_64

login successful, after some time i get a broken pipe

$ ssh -l root **.***.***.***
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
b3:ea:d2:23:85:8c:53:9b:0a:**********.
Please contact your system administrator.
Add correct host key in /.ssh/known_hosts to get rid of this message.
Offending key in /.ssh/known_hosts:109
RSA host key for **.***.***.*** has changed and you have requested strict checking.
Host key verification failed.

key has changed! and i'm unable to login using the randomly generated password

generated another random password and forced using the vps control panel but still getting wrong password

scanning **.***.***.***, and..
surprise:

Interesting ports on customer.weservit.nl (**.***.***.***):
Not shown: 984 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
465/tcp  open     smtps
646/tcp  filtered ldp
993/tcp  open     imaps
995/tcp  open     pop3s
1720/tcp filtered H.323/Q.931
1863/tcp open     msnp
3306/tcp open     mysql
5190/tcp open     aol

it's definitely not my vps as i had

[root@client577 ~]#netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address        Foreign Address      State        PID/Program name
tcp        0      0 0.0.0.0:22           0.0.0.0:*            LISTEN       960/sshd
tcp        0    288 **.***.***.***:22    **.**.**.**:40459    ESTABLISHED  6708/0
tcp6       0      0 :::22                :::*                 LISTEN       960/sshd

imho something strange is happening like somebody stealing somebody else ip's or doing arp poisoning

trying to identify the impersonator

$ nc **.***.***.*** 25 -vvv
Connection to **.***.***.*** 25 port [tcp/smtp] succeeded!
220-client262.alp.nl.weservit.nl ESMTP Exim 4.69 #1 Mon, 22 Nov 2010 18:49:32 +0100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

client262 has my ip

can you justify this behavior? it's not a good start!

bye,
Francesco Ongaro
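
Added example, not part of the original ticket and not the author's or the provider's code: the two checks done by hand above (pinned versus presented SSH host key fingerprint, and the hostname announced in the SMTP greeting) written as a small Python check. The hostnames and greeting text are the ones quoted in the ticket; the key blobs, the 192.0.2.10 address and all function names are constructed for illustration.

```python
import base64
import hashlib
import re

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def md5_fingerprint(key_line):
    """Colon-separated MD5 fingerprint (the form ssh printed above) of a
    public-key or known_hosts line: [host] keytype base64-blob [comment]."""
    fields = key_line.split()
    i = next(n for n, f in enumerate(fields) if f in KEY_TYPES)
    digest = hashlib.md5(base64.b64decode(fields[i + 1])).hexdigest()
    return ":".join(digest[n:n + 2] for n in range(0, 32, 2))

def smtp_greeting_host(banner):
    """Hostname announced on the first line of a 220 greeting; continuation
    lines start with '220-' and the final line with '220 '."""
    m = re.match(r"220[- ](\S+)", banner.lstrip())
    return m.group(1).lower() if m else None

def identity_mismatches(expected_host, pinned_key, presented_key, banner):
    """Return the reasons the responder does not look like the pinned host."""
    reasons = []
    pinned, seen = md5_fingerprint(pinned_key), md5_fingerprint(presented_key)
    if pinned != seen:
        reasons.append(f"host key changed: pinned {pinned}, presented {seen}")
    announced = smtp_greeting_host(banner)
    if announced and announced != expected_host.lower():
        reasons.append(f"SMTP greeting names {announced}, expected {expected_host}")
    return reasons

def constructed_key(seed):
    """Constructed sample: an ssh-rsa-shaped blob, not a real key."""
    blob = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01"
            + b"\x00\x00\x00\x20" + hashlib.sha256(seed).digest())
    return "192.0.2.10 ssh-rsa " + base64.b64encode(blob).decode()

# Hostnames and greeting text are those quoted in the ticket; keys are constructed.
BANNER = ("220-client262.alp.nl.weservit.nl ESMTP Exim 4.69 #1 Mon, 22 Nov 2010 18:49:32 +0100\n"
          "220-We do not authorize the use of this system to transport unsolicited,\n"
          "220 and/or bulk e-mail.\n")
PINNED = constructed_key(b"first login")
PRESENTED = constructed_key(b"second login")

if __name__ == "__main__":
    for reason in identity_mismatches("client577.alp.nl.weservit.nl", PINNED, PRESENTED, BANNER):
        print("MISMATCH:", reason)
```
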