[solved] Something on OSMC is changing OpenSSH version

The debsums issue has appeared before. It’s down to a build decision of Sam’s: “Corrupt Debian installation in official images”.

I noticed that the containerd service is still running, so best to disable that, as well, and reboot.

A few things I’ve noticed:

  • the size of the “foreign” sshd executable is 2938932 (2.9 MiB) while the official executable is only 609164 bytes. It might be that the foreign file isn’t stripped but that’s a big difference.

  • the log shows that a kill -9 was issued in order to zap the original process. Using minus nine is like a “kill with extreme prejudice” and, though it might be legitimate, raises a red flag with me.

I’m also tending towards this being something malicious, though, given the complexity of your installation, I can understand why you might be reluctant to go for a full reinstall. Either way, you certainly need to keep a copy of the bad file for further testing. Perhaps @sam_nazarko might consider enabling CONFIG_AUDIT in the next kernel build.

I’ll see if I can find anything else in the available data.
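Added example, not part of the original post: a Python sketch of the comparison raised above. It records the size and SHA-256 of a preserved copy of the suspect binary and tests whether the ELF image still carries a full symbol table (that is, whether it is unstripped). The function names and the constructed in-memory ELF sample are assumptions for illustration.

```python
import hashlib
import struct
import sys

SHT_SYMTAB = 2  # section type of the full symbol table that strip(1) removes

def has_symtab(data: bytes) -> bool:
    """True if the ELF image still has a SHT_SYMTAB section (not stripped)."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    if len(data) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    if is64:
        shoff, = struct.unpack_from(end + "Q", data, 40)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 58)
    else:
        shoff, = struct.unpack_from(end + "I", data, 32)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 46)
    for i in range(shnum):
        off = shoff + i * shentsize
        if off + 8 > len(data):
            break                            # section table runs past end of file
        sh_type, = struct.unpack_from(end + "I", data, off + 4)
        if sh_type == SHT_SYMTAB:
            return True
    return False

def triage(data: bytes) -> dict:
    """Facts worth recording alongside the preserved copy of the file."""
    return {"size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "not_stripped": has_symtab(data)}

def build_sample_elf32(with_symtab: bool) -> bytes:
    """Constructed sample: minimal little-endian ELF32 header plus section table."""
    types = [0, 1] + ([SHT_SYMTAB] if with_symtab else [])  # NULL, PROGBITS, (SYMTAB)
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, 0, 52, 0,
                              52, 0, 0, 40, len(types), 0)
    return hdr + b"".join(struct.pack("<10I", 0, t, 0, 0, 0, 0, 0, 0, 0, 0)
                          for t in types)

if __name__ == "__main__":
    # Usage: python3 triage.py <copy-of-suspect-file> [<known-good-file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

An unstripped result accounts for only part of a size gap; static linking is another common cause, so compare the hash against a copy extracted from the official package as well.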