Old 12-16-2011, 11:41 AM   #1
Golden Member
Join Date: Jul 2009
Posts: 1,120
Was I hacked?

I left my computer online last night and it was connected to a VPN. When I went to turn on the screen it wouldn't go, so I hard rebooted it.

When it rebooted it opened the old previously opened screens and one was the browser.

It had this address in it, which I had not entered. (Maybe it was just a resolve error since my wifi hadn't reconnected yet?) which was a Cisco guest access page, but I don't run a Cisco router.

This was suspicious so I checked the Console logs.

I see numerous attempts throughout the night to access screensharingd that failed, 15 attempts from each IP.

From about 5am on I just see this

12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2

and one reference to sshd

12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from r200-40-251-146.ae-static.anteldata.net.uy via

I have since shut off ssh and screen sharing. Wondering if I should hose the system and start over.

UPDATE: Looking at the security logs it looks like someone had been trying to log in via ssh for weeks, there are thousands of failed attempts with user names like "guest", "admin", "oracle", "postgres", "temp", and going through a dictionary search of names, "emma", "erica", etc etc.

I have a very long and complicated password. I was thinking of CCCing this install to a new hard drive, but maybe I should just reinstall from scratch?

Last edited by GWestphal; 12-16-2011 at 11:54 AM.
GWestphal is offline   Reply With Quote
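
An added example, not part of the original thread: a short Python triage that separates the failed guessing described in the post from the one thing that would indicate a compromise, an accepted login from a source that had also been guessing. The log lines are constructed in the Console format quoted above with placeholder hosts and addresses, and the "Failed password" / "Accepted" wording is standard OpenSSH, assumed here to be what the system's security log contains.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Console format quoted in the post; hosts and
# addresses are documentation placeholders, not values from the thread.
SAMPLE_LOG = """\
12/16/11 5:12:01.100 AM sshd: Failed password for invalid user guest from 203.0.113.5 port 40112 ssh2
12/16/11 5:12:03.250 AM sshd: Failed password for invalid user oracle from 203.0.113.5 port 40120 ssh2
12/16/11 5:12:05.900 AM sshd: Failed password for invalid user emma from 203.0.113.5 port 40131 ssh2
12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from scanner.example.net via 192.0.2.10
12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2
12/16/11 6:02:11.000 AM sshd: Failed password for admin from 198.51.100.7 port 51000 ssh2
12/16/11 6:02:14.000 AM sshd: Accepted password for admin from 198.51.100.7 port 51002 ssh2
12/16/11 8:30:00.000 AM sshd: Accepted publickey for gw from 192.0.2.44 port 60000 ssh2
"""

# Failed attempts: standard OpenSSH wording plus the PAM error seen in the post.
FAILED = re.compile(
    r"sshd: (?:Failed \S+ for (?:invalid user )?"
    r"|error: PAM: authentication error for )(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd: Accepted (\S+) for (\S+) from (\S+)")

def triage(log_text):
    """Return (failures per source, accepted logins, accepted-after-failure)."""
    failures = defaultdict(Counter)   # source -> Counter of usernames tried
    accepted = []                     # (source, user, auth method)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src][user] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append((src, user, method))
    # Failed guesses alone are background noise; a success from a source that
    # was also guessing is the line that warrants investigation.
    suspicious = [a for a in accepted if a[0] in failures]
    return failures, accepted, suspicious

if __name__ == "__main__":
    failures, accepted, suspicious = triage(SAMPLE_LOG)
    for src, users in sorted(failures.items()):
        print(f"{src}: {sum(users.values())} failed, users tried: {sorted(users)}")
    for src, user, method in accepted:
        flag = "INVESTIGATE" if (src, user, method) in suspicious else "ok"
        print(f"accepted {method} for {user} from {src}: {flag}")
```
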
Old 12-19-2011, 03:01 AM   #2
Diamond Member
Join Date: Oct 1999
Posts: 5,054

The URL looks like your browser was trying to load google.com but was intercepted by a "captive portal"...? A router that makes you login before giving you access...if there's no Cisco router on your network, I'd check the network settings and figure out where that 192.168.33.x is going. Your VPN? What's your local subnet?

Never a good idea to have ssh and screensharing fully exposed...
dawks is offline   Reply With Quote
Old 12-19-2011, 09:38 AM   #3
MotionMan's Avatar
Join Date: Jan 2006
Location: Los Angeles, CA, USA
Posts: 17,203

Originally Posted by GWestphal View Post
UPDATE: Looking at the security logs it looks like someone had been trying to log in via ssh for weeks, there are thousands of failed attempts with user names like "guest", "admin", "oracle", "postgres", "temp", and going through a dictionary search of names, "emma", "erica", etc etc.
Isn't that basically what is being done to every device connected to the internet, 24/7/365?

Bots are everywhere and they are attacking everything all the time.

MotionMan is offline   Reply With Quote
Old 12-19-2011, 10:11 AM   #4
lokiju's Avatar
Join Date: May 2003
Location: Atlanta, GA area
Posts: 18,538

You said you were connected to your VPN all night, right? Was it a VPN connection to your company's work network? Does your company's work network have other Macs? Could be that some other Mac on that side has a virus and it's just looking for other Macs.

Turn off your VPN and see if the logs continue over the night.
The pig is an amazing animal. It can take an apple, which essentially is garbage, and turn it into bacon.
-Jim Gaffigan
PSN: l0k1ju
Come play some MW3! Just note ATOT in invite so I don't ignore.
lokiju is offline   Reply With Quote
Old 12-19-2011, 03:05 PM   #5
Join Date: Jun 2005
Posts: 8,405

Stuxnet is offline   Reply With Quote
Old 12-23-2011, 01:01 PM   #6
Senior Member
Join Date: Apr 2011
Posts: 470

Any updates?
MayorOfAmerica is offline   Reply With Quote
