I assume most people know this, but for the benefit of those who get paged at 4am and are maybe not at their mental prime, here it goes:
If you see “sshd: root@notty” in your process list and find yourself wondering what box “notty” is and assuming you’ve been hacked and it’s some malicious connection to some mysterious box named “notty”… Relax. “notty” isn’t a mysterious hostname. In keeping with all the other “sshd: root@pts/1” sort of entries you might see, it’s the TTY the connection is on, not the hostname. Or, in this case, it’s no TTY, because it’s something like scp, not an interactive session.