
Was I hacked?


GWestphal
12-16-2011, 10:41 AM
I left my computer online last night and it was connected to a VPN. When I went to turn on the screen it wouldn't go, so I hard rebooted it.

When it rebooted it opened the old previous opened screens and one was the browser.

It had this address in it, which I had not entered. (Maybe it was just a resolve error since my wifi hadn't reconnected yet?)

http://192.168.33.1/login.asp?www.google.com which was a cisco guest access page, but I don't run a cisco router.

This was suspicious so I checked the Console logs.

I see numerous attempts throughout the night to access screensharingd that failed, 15 attempts from each IP.

From about 5am on I just see this


12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2

and one reference to sshd

12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from r200-40-251-146.ae-static.anteldata.net.uy via 10.8.8.126


I have since shut off ssh and screen sharing. Wondering if I should hose the system and start over.


UPDATE: Looking at the security logs it looks like someone had been trying to log in via ssh for weeks, there are thousands of failed attempts with user names like "guest", "admin", "oracle", "postgres", "temp", and going through a dictionary search of names, "emma", "erica", etc etc.

I have a very long and complicated password. I was thinking of CCCing this install to a new harddrive, but maybe I should just reinstall from scratch?
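As an added example that is not part of the original thread: a small Python script that parses the kind of Console/secure.log lines quoted above, counts failed logins per source host, per username tried and per local address, and flags sources that exceed a threshold. In OpenSSH's PAM error message the host after "from" is the remote peer and the address after "via" is the local address the connection arrived on, which is what lets you separate attempts that came in over a VPN tunnel from ones that hit the LAN interface. The one sshd line from the post is used as-is; the remaining sshd lines and the screensharingd lines are constructed sample data, and the screensharingd line format is an assumption to be checked against your own Console output.

```python
import re
from collections import Counter

# Constructed sample log. Only the 5:12:09 sshd line is from the post; the rest is
# made up for illustration. The screensharingd format is an assumption.
SAMPLE_LOG = """\
12/16/11 1:02:11.000 AM screensharingd[240]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 203.0.113.7 :: Type: VNC DH
12/16/11 1:02:14.000 AM screensharingd[240]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 203.0.113.7 :: Type: VNC DH
12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from r200-40-251-146.ae-static.anteldata.net.uy via 10.8.8.126
12/16/11 5:12:12.003 AM sshd: error: PAM: authentication error for illegal user admin from r200-40-251-146.ae-static.anteldata.net.uy via 10.8.8.126
12/16/11 5:12:15.118 AM sshd: error: PAM: authentication error for illegal user oracle from r200-40-251-146.ae-static.anteldata.net.uy via 10.8.8.126
12/16/11 5:13:40.000 AM sshd: error: PAM: authentication error for illegal user emma from 198.51.100.23 via 192.168.1.20
12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2
"""

# Console-style timestamp: MM/DD/YY H:MM:SS[.mmm] AM|PM
TS = r"(?P<ts>\d{2}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2}(?:\.\d{3})? [AP]M)"

# OpenSSH PAM failure: "for [illegal user ]USER from RHOST via LADDR".
# LADDR is the address on *this* machine that accepted the connection.
SSHD_RE = re.compile(
    TS + r" sshd(?:\[\d+\])?: error: PAM: authentication error for "
    r"(?P<illegal>illegal user )?(?P<user>\S+) from (?P<rhost>\S+) via (?P<laddr>\S+)$"
)

# Screen Sharing (VNC) failure; format assumed, verify against your own logs.
VNC_RE = re.compile(
    TS + r" screensharingd(?:\[\d+\])?: Authentication: FAILED :: "
    r"User Name: (?P<user>.*?) :: Viewer Address: (?P<rhost>\S+) ::"
)


def parse_failures(log_text):
    """Return one dict per failed-login line; unrelated lines (kernel noise etc.) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({
                "service": "sshd",
                "user": m.group("user"),
                # OpenSSH says "illegal user" when the account does not exist locally
                "known_user": m.group("illegal") is None,
                "rhost": m.group("rhost"),
                "laddr": m.group("laddr"),
            })
            continue
        m = VNC_RE.match(line)
        if m:
            events.append({
                "service": "screensharingd",
                "user": m.group("user"),
                "known_user": m.group("user") != "N/A",
                "rhost": m.group("rhost"),
                "laddr": None,  # screensharingd does not log the local address
            })
    return events


def summarize(events, threshold=10):
    """Aggregate failures per (service, source), per username tried and per local address,
    and flag any source at or above `threshold` failures."""
    by_source = Counter((e["service"], e["rhost"]) for e in events)
    by_user = Counter(e["user"] for e in events)
    by_laddr = Counter(e["laddr"] for e in events if e["laddr"])
    flagged = sorted(src for src, n in by_source.items() if n >= threshold)
    return {"by_source": by_source, "by_user": by_user,
            "by_laddr": by_laddr, "flagged": flagged}


def report(log_text, threshold=10):
    """Parse, summarize and print a short human-readable report; returns the summary."""
    summary = summarize(parse_failures(log_text), threshold)
    print("failed logins per source:")
    for (service, rhost), n in summary["by_source"].most_common():
        print(f"  {n:5d}  {service:15s} {rhost}")
    print("local addresses hit (sshd only):")
    for laddr, n in summary["by_laddr"].most_common():
        print(f"  {n:5d}  {laddr}")
    print("usernames tried:", ", ".join(sorted(summary["by_user"])))
    print("flagged sources (>= %d failures):" % threshold, summary["flagged"])
    return summary


if __name__ == "__main__":
    # Real use: report(open("/var/log/secure.log").read(), threshold=15)
    report(SAMPLE_LOG, threshold=3)
```

On a real box feed it the contents of secure.log (or the Console export) instead of the sample, and set the threshold to whatever the normal noise floor is; the poster's "15 attempts from each IP" would be a reasonable starting point. The by_laddr breakdown is the quickest way to test the VPN theory raised later in the thread: if every sshd failure arrived "via" the tunnel address rather than the LAN address, the exposure is on the VPN side.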

dawks
12-19-2011, 02:01 AM
The URL looks like your browser was trying to load google.com but was intercepted by a "captive portal"...? A router that makes you login before giving you access...if there's no Cisco router on your network, I'd check the network settings and figure out where that 192.168.33.x is going. Your VPN? What's your local subnet?

Never a good idea to have ssh and screensharing fully exposed...

MotionMan
12-19-2011, 08:38 AM
UPDATE: Looking at the security logs it looks like someone had been trying to log in via ssh for weeks, there are thousands of failed attempts with user names like "guest", "admin", "oracle", "postgres", "temp", and going through a dictionary search of names, "emma", "erica", etc etc.

Isn't that basically what is being done to every device connected to the internet, 24/7/365?

Bots are everywhere and they are attacking everything all the time.

MotionMan

lokiju
12-19-2011, 09:11 AM
You said you were connected to your VPN all night right? Was it a VPN connection to your company's work network? Does your company's work network have other Macs? Could be that some other Mac on that side has a virus and it's just looking for other Macs.

Turn off your VPN and see if the logs continue over the night.

Stuxnet
12-19-2011, 02:05 PM
Yes

MayorOfAmerica
12-23-2011, 12:01 PM
Any updates?