I left my computer online last night and it was connected to a VPN. When I went to turn on the screen it wouldn't go, so I hard rebooted it.
When it rebooted it reopened the previously opened screens and one was the browser.
It had this address in it, which I had not entered. (Maybe it was just a resolve error since my wifi hadn't reconnected yet?)
http://192.168.33.1/login.asp?www.google.com which was a Cisco guest access page, but I don't run a Cisco router.
This was suspicious so I checked the Console logs.
I see numerous attempts throughout the night to access screensharingd that failed, 15 attempts from each IP.
From about 5am on I just see this
12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2
and one reference to sshd
12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from r200-40-251-146.ae-static.anteldata.net.uy via 10.8.8.126
I have since shut off ssh and screen sharing. Wondering if I should hose the system and start over.
UPDATE: Looking at the security logs, it looks like someone had been trying to log in via ssh for weeks; there are thousands of failed attempts with user names like "guest", "admin", "oracle", "postgres", "temp", and going through a dictionary search of names, "emma", "erica", etc.
I have a very long and complicated password. I was thinking of CCCing this install to a new hard drive, but maybe I should just reinstall from scratch?
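An added example, not part of the original post: one way to tally the sshd failures described above per source, using the Console line layout quoted in the post. The sample lines, the `summarize` and `guessing_sources` names and the three-username threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Console line layout as quoted in the post:
#   12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from HOST via ADDR
# OpenSSH inserts "illegal user" when the account name does not exist.
LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"sshd(?:\[\d+\])?: error: PAM: authentication error for "
    r"(?P<invalid>illegal user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample lines (documentation addresses, not taken from the post).
SAMPLE = """\
12/16/11 5:12:01.100 AM sshd: error: PAM: authentication error for root from 203.0.113.7 via 10.8.8.126
12/16/11 5:12:04.250 AM sshd: error: PAM: authentication error for illegal user guest from 203.0.113.7 via 10.8.8.126
12/16/11 5:12:07.900 AM sshd: error: PAM: authentication error for illegal user oracle from 203.0.113.7 via 10.8.8.126
12/16/11 5:30:12.000 AM sshd: error: PAM: authentication error for illegal user emma from host.example.net via 10.8.8.126
12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2
"""

def summarize(text):
    """Group failed sshd logins by source: count, usernames tried, time span."""
    stats = defaultdict(lambda: {"count": 0, "users": set(), "invalid": 0,
                                 "first": None, "last": None})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other daemons, or sshd messages that are not auth failures
        ts = datetime.strptime(m["ts"], "%m/%d/%y %I:%M:%S.%f %p")
        s = stats[m["src"]]
        s["count"] += 1
        s["users"].add(m["user"])
        s["invalid"] += bool(m["invalid"])  # attempts against nonexistent accounts
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def guessing_sources(stats, min_users=3):
    """Sources that tried several different account names (dictionary-style)."""
    return sorted(src for src, s in stats.items() if len(s["users"]) >= min_users)

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for src, s in result.items():
        print(src, s["count"], sorted(s["users"]), s["first"], s["last"])
    print("dictionary-style sources:", guessing_sources(result))
```
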