Thank, I don't think I will be able to start from scratch. I have file backups but they are likely compromised, I discovered the unauthorized SSH key today but I don't know how long it's been there. Plus I sorta have Shrödinger's backups, there's no way to know if there are recent backups until I look for them and I'm afraid the cat's already dead.

I should block the identified hard-coded IP in iptables but again I'm an amateur with no idea about what he's doing.