Or creates network/pid namespaces and puts you in them, while leaving the mitm server in the original one?
If so, the mitm could be on the same host, and wouldn't need the cooperation of the hosting provider.
I'm not sure how to check for either of these without restarting (which the admin does not seem to want to do, as it is a live service).
https://en.wikipedia.org/wiki/Blue_Pill_(software)
Whereas this attack generated new keys (and was detected!), suggesting the attacker didn't compromise the server itself.
In that case, where the redirection happened is no longer something you would be able to tell, right?