AnandTech Forums > Software > All Things Apple
Old 12-16-2011, 11:41 AM   #1
GWestphal

Was I hacked?

I left my computer online last night and it was connected to a VPN. When I went to turn on the screen it wouldn't go, so I hard rebooted it.

When it rebooted it opened the old previous opened screens and one was the browser.

It had this address in it, which I had not entered. (Maybe it was just a resolve error since my wifi hadn't reconnected yet?)

http://192.168.33.1/login.asp?www.google.com which was a Cisco guest access page, but I don't run a Cisco router.

This was suspicious so I checked the Console logs.

I see numerous attempts throughout the night to access screensharingd that failed, 15 attempts from each IP.

From about 5am on I just see this


12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2

and one reference to sshd

12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from r200-40-251-146.ae-static.anteldata.net.uy via 10.8.8.126


I have since shut off ssh and screen sharing. Wondering if I should hose the system and start over.


UPDATE: Looking at the security logs it looks like someone had been trying to log in via ssh for weeks, there are thousands of failed attempts with user names like "guest", "admin", "oracle", "postgres", "temp", and going through a dictionary search of names, "emma", "erica", etc etc.

I have a very long and complicated password. I was thinking of CCCing this install to a new hard drive, but maybe I should just reinstall from scratch?

Last edited by GWestphal; 12-16-2011 at 11:54 AM.
Old 12-19-2011, 03:01 AM   #2
dawks

The URL looks like your browser was trying to load google.com but was intercepted by a "captive portal"...? A router that makes you log in before giving you access...if there's no Cisco router on your network, I'd check the network settings and figure out where that 192.168.33.x is going. Your VPN? What's your local subnet?

Never a good idea to have ssh and screensharing fully exposed...
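To follow up on the "figure out where that 192.168.33.x is going" suggestion: the question is answered by the routing table, not by the browser. The example below is added here and is not code from anyone in this thread. It parses a constructed routing table in the layout of `netstat -rn` on OS X of that era, does a longest-prefix lookup of the portal host, and pulls the swallowed destination (`www.google.com`) out of the URL's query string. The interface names, gateways and the 10.8.8.0/24 VPN subnet in the sample are assumptions for illustration.

```python
"""Where does 192.168.33.1 go? Longest-prefix match over a netstat -rn table.

Added example for this thread; not the poster's setup or any forum member's
code. The routing table below is constructed in the layout of `netstat -rn`
on OS X of that era, and the interfaces, gateways and the 10.8.8.0/24 VPN
subnet in it are assumptions for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample (assumption): en1 is the Wi-Fi interface, tun0 the VPN.
SAMPLE_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           19        0     en1
10.8.8/24          10.8.8.1           UGSc            2        0    tun0
10.8.8.1           10.8.8.126         UH              3        0    tun0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1      123     lo0
192.168.1          link#5             UCS             3        0     en1
192.168.1.1        0:1:2:3:4:5        UHLWIir        20       17     en1   1200
192.168.33         10.8.8.1           UGSc            0        0    tun0
"""


def expand_destination(dest):
    """Turn netstat's abbreviated destination into an ip_network.

    netstat prints 'default', '127', '192.168.33' and '10.8.8/24'. When no
    prefix length is given, each printed octet contributes 8 bits.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        base, prefix = dest.split("/", 1)
        prefix = int(prefix)
    else:
        base, prefix = dest, None
    octets = base.split(".")
    if prefix is None:
        prefix = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(octets), prefix), strict=False)


def parse_netstat_routes(text):
    """Return (network, gateway, netif) triples from the IPv4 section."""
    routes = []
    netif_col = None
    for line in text.splitlines():
        if line.startswith("Internet6:"):
            break  # IPv6 section follows; not needed for this question
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Destination":  # header row tells us where Netif sits
            netif_col = fields.index("Netif")
            continue
        if netif_col is None or len(fields) <= netif_col:
            continue
        try:
            net = expand_destination(fields[0])
        except ValueError:
            continue  # not an IPv4 destination
        routes.append((net, fields[1], fields[netif_col]))
    return routes


def lookup_route(dst, routes):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, netif)
    return best


def where_does_it_go(url, routes_text):
    """Explain a captive-portal URL: which interface carries its host, and
    which original destination the portal swallowed (here, the query string)."""
    parts = urlsplit(url)
    net, gateway, netif = lookup_route(parts.hostname, parse_netstat_routes(routes_text))
    return {
        "portal": parts.hostname,
        "original_target": parts.query,
        "network": str(net),
        "gateway": gateway,
        "netif": netif,
    }


if __name__ == "__main__":
    print(where_does_it_go("http://192.168.33.1/login.asp?www.google.com", SAMPLE_ROUTES))
```

On the real machine, paste the output of `netstat -rn` in place of the sample. If the portal host matches a route on the tunnel interface, the login page came from the far side of the VPN (the provider's or the office's network); if it only matches the default route through the Wi-Fi router, it came from the local network. With the sample table above the answer is tun0 via 10.8.8.1, i.e. the VPN.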
Old 12-19-2011, 09:38 AM   #3
MotionMan

Quote:
Originally Posted by GWestphal
UPDATE: Looking at the security logs it looks like someone had been trying to log in via ssh for weeks, there are thousands of failed attempts with user names like "guest", "admin", "oracle", "postgres", "temp", and going through a dictionary search of names, "emma", "erica", etc etc.
Isn't that basically what is being done to every device connected to the internet, 24/7/365?

Bots are everywhere and they are attacking everything all the time.

MotionMan
Old 12-19-2011, 10:11 AM   #4
lokiju

You said you were connected to your VPN all night right? Was it a VPN connection to your company's work network? Does your company's work network have other Macs? Could be that some other Mac on that side has a virus and it's just looking for other Macs.

Turn off your VPN and see if the logs continue over the night.
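Both the original post (thousands of sshd failures and per-IP screensharingd failures) and the VPN question above can be answered from the same log lines, so here is one added example that does both; it is not the poster's tooling or anyone's posted code. It parses a constructed secure.log-style sample in the Console format quoted in the first post (the root/anteldata line is the one quoted there, the other hosts use documentation addresses), counts failures per source and per username, reports first/last seen, flags sources over a threshold, and groups sshd failures by the local "via" address. That "via" address is the interface that accepted the connection; treating 10.8.8.0/24 as the VPN tunnel subnet is an assumption, suggested only by the 10.8.x.x range in the quoted line. The screensharingd line format is also assumed.

```python
"""Triage of sshd and screensharingd failures from a macOS secure.log.

Added example for this thread; not the poster's tooling or anyone's posted
code. The log below is constructed in the Console format quoted in post #1
(the root/anteldata line is the one quoted there); other hosts use
documentation addresses, and treating 10.8.8.0/24 as the VPN tunnel subnet
is an assumption.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
12/16/11 3:02:11.000 AM screensharingd[90]: Authentication: FAILED :: User Name: admin :: Viewer Address: 198.51.100.23 :: Type: VNC DES
12/16/11 3:02:14.000 AM screensharingd[90]: Authentication: FAILED :: User Name: admin :: Viewer Address: 198.51.100.23 :: Type: VNC DES
12/16/11 3:02:17.000 AM screensharingd[90]: Authentication: FAILED :: User Name: guest :: Viewer Address: 198.51.100.23 :: Type: VNC DES
12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from r200-40-251-146.ae-static.anteldata.net.uy via 10.8.8.126
12/16/11 5:12:12.000 AM sshd: error: PAM: authentication error for illegal user guest from 203.0.113.45 via 10.8.8.126
12/16/11 5:12:15.000 AM sshd: error: PAM: authentication error for illegal user oracle from 203.0.113.45 via 10.8.8.126
12/16/11 5:12:18.000 AM sshd: error: PAM: authentication error for illegal user postgres from 203.0.113.45 via 10.8.8.126
12/16/11 5:12:21.000 AM sshd: error: PAM: authentication error for illegal user temp from 203.0.113.45 via 10.8.8.126
12/16/11 5:12:24.000 AM sshd: error: PAM: authentication error for illegal user emma from 203.0.113.45 via 10.8.8.126
12/16/11 5:12:27.000 AM sshd: error: PAM: authentication error for illegal user erica from 203.0.113.45 via 10.8.8.126
12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2
12/16/11 7:00:01.000 AM sshd: error: PAM: authentication error for alice from 192.168.1.20 via 192.168.1.5
"""

# Console prefix: "MM/DD/YY H:MM:SS.mmm AM" followed by the message.
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}\.\d+ [AP]M) (?P<msg>.*)$"
)
# "via X" is the local address that accepted the connection; on the tunnel
# address it means the attempt came in over the VPN, not the LAN/Wi-Fi.
SSHD_RE = re.compile(
    r"sshd(?:\[\d+\])?: error: PAM: authentication error for "
    r"(?:illegal user )?(?P<user>\S+) from (?P<src>\S+) via (?P<local>\S+)"
)
# Assumed screensharingd failure format (no local address in this line).
VNC_RE = re.compile(
    r"screensharingd(?:\[\d+\])?: Authentication: FAILED :: User Name: "
    r"(?P<user>.+?) :: Viewer Address: (?P<src>\S+) ::"
)


def parse_failures(lines):
    """Extract failed-login events; unrelated lines (kernel noise) are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("when"), "%m/%d/%y %I:%M:%S.%f %p")
        msg = m.group("msg")
        s = SSHD_RE.search(msg)
        v = None if s else VNC_RE.search(msg)
        if s:
            events.append({"when": when, "service": "sshd", "user": s.group("user"),
                           "src": s.group("src"), "local": s.group("local")})
        elif v:
            events.append({"when": when, "service": "screensharingd", "user": v.group("user"),
                           "src": v.group("src"), "local": None})
    return events


def summarize(events, threshold=5):
    """Per-source counts, the username wordlist being tried, first/last seen,
    and sources at or above `threshold` failures (brute-force candidates)."""
    by_src = Counter(e["src"] for e in events)
    usernames = Counter(e["user"] for e in events)
    span = {}
    for e in events:
        first, last = span.get(e["src"], (e["when"], e["when"]))
        span[e["src"]] = (min(first, e["when"]), max(last, e["when"]))
    flagged = sorted(src for src, n in by_src.items() if n >= threshold)
    return {"by_src": by_src, "usernames": usernames, "span": span, "flagged": flagged}


def ingress_breakdown(events, vpn_networks):
    """Count failures by the path they arrived on: "vpn" when the local
    ("via") address lies in a VPN subnet, "other" for any other interface,
    "unknown" for services whose log line carries no local address."""
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    out = Counter()
    for e in events:
        local = e["local"]
        if local is None:
            out["unknown"] += 1
        elif any(ipaddress.ip_address(local) in n for n in nets):
            out["vpn"] += 1
        else:
            out["other"] += 1
    return out


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG.splitlines())
    report = summarize(evts)
    print("failures per source:", dict(report["by_src"]))
    print("usernames tried:", dict(report["usernames"]))
    print("brute-force candidates:", report["flagged"])
    print("arrived via:", dict(ingress_breakdown(evts, ["10.8.8.0/24"])))
```

Feed it the real secure.log (and its rotated copies) instead of the sample. If every sshd failure lands on the tunnel address, the exposure is the VPN side, which is exactly the "turn off the VPN and see if it continues" test above, done on the logs you already have. A sweep of "guest", "oracle", "postgres" and first names from a single source is the signature of a wordlist bot; what would change the picture is an "Accepted" line for a username you did not expect, which is the first thing to grep for before deciding whether to rebuild.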
Old 12-19-2011, 03:05 PM   #5
Stuxnet

Yes
Old 12-23-2011, 01:01 PM   #6
MayorOfAmerica

Any updates?