Was I hacked?

Discussion in 'All Things Apple' started by GWestphal, Dec 16, 2011.

  1. GWestphal

    GWestphal Golden Member

    Jul 22, 2009
    I left my computer online last night and it was connected to a VPN. When I went to turn on the screen it wouldn't go, so I hard rebooted it.

    When it rebooted, it opened the previously opened screens, and one was the browser.

    It had this address in it, which I had not entered. (Maybe it was just a resolve error since my wifi hadn't reconnected yet?) which was a Cisco guest access page, but I don't run a Cisco router.

    This was suspicious so I checked the Console logs.

    I see numerous attempts throughout the night to access screensharingd that failed, 15 attempts from each IP.

    From about 5am on I just see this

    12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2

    and one reference to sshd

    12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from r200-40-251-146.ae-static.anteldata.net.uy via

    I have since shut off ssh and screen sharing. Wondering if I should hose the system and start over.

    UPDATE: Looking at the security logs, it looks like someone had been trying to log in via ssh for weeks. There are thousands of failed attempts with user names like "guest", "admin", "oracle", "postgres", "temp", and going through a dictionary search of names, "emma", "erica", etc.

    I have a very long and complicated password. I was thinking of CCCing this install to a new hard drive, but maybe I should just reinstall from scratch?
    #1 GWestphal, Dec 16, 2011
    Last edited: Dec 16, 2011
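An added example, not part of the thread: a triage of sshd lines in the Console format quoted in the post above, counting failed attempts per source and checking whether any login was actually accepted. The sample lines are constructed, the names `triage`, `FAILED` and `ACCEPTED` are hypothetical, and it assumes the standard OpenSSH `Invalid user`, `Failed password` and `Accepted ...` messages appear in the same log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Console format quoted in the post; the hosts
# are documentation addresses and names, not values taken from the thread.
SAMPLE_LOG = """\
12/16/11 5:12:01.100 AM sshd: Invalid user guest from 192.0.2.10
12/16/11 5:12:03.200 AM sshd: Invalid user oracle from 192.0.2.10
12/16/11 5:12:05.300 AM sshd: error: PAM: authentication error for root from 192.0.2.10
12/16/11 5:12:09.421 AM sshd: error: PAM: authentication error for root from scanner.example.net via
12/16/11 5:46:40.000 AM kernel: nstat_lookup_entry failed: 2
12/16/11 6:02:11.000 AM sshd: Accepted password for admin from 192.0.2.10 port 50122 ssh2
12/16/11 8:30:00.000 AM sshd: Accepted publickey for gw from 198.51.100.7 port 40000 ssh2
"""

# Failed attempts: the PAM error shown in the post plus standard OpenSSH messages.
FAILED = re.compile(
    r"sshd(?:\[\d+\])?: (?:error: PAM: authentication error for|Invalid user"
    r"|Failed password for(?: invalid user)?) (\S+) from (\S+)"
)
ACCEPTED = re.compile(r"sshd(?:\[\d+\])?: Accepted (\S+) for (\S+) from (\S+)")


def triage(log_text, threshold=3):
    """Return (noisy sources, accepted logins from failing sources, all accepted logins)."""
    failures = defaultdict(Counter)  # source -> Counter of user names tried
    accepted = []                    # (method, user, source) tuples
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)][m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append(m.groups())
    totals = {src: sum(users.values()) for src, users in failures.items()}
    noisy = {src: n for src, n in totals.items() if n >= threshold}
    # A success from a source that was also failing is the case to investigate.
    suspicious = [a for a in accepted if a[2] in failures]
    return noisy, suspicious, accepted


if __name__ == "__main__":
    noisy, suspicious, accepted = triage(SAMPLE_LOG)
    print("sources at or over threshold:", noisy)
    print("accepted logins from failing sources:", suspicious)
    print("all accepted logins:", accepted)
```

Failed attempts alone show scanning; an accepted login from a source that was also failing is what separates an attempted break-in from a successful one.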

  3. dawks

    dawks Diamond Member

    Oct 9, 1999
    The URL looks like your browser was trying to load google.com but was intercepted by a "captive portal"...? A router that makes you log in before giving you access... If there's no Cisco router on your network, I'd check the network settings and figure out where that 192.168.33.x is going. Your VPN? What's your local subnet?

    Never a good idea to have ssh and screensharing fully exposed...
  4. MotionMan

    MotionMan Lifer

    Jan 11, 2006
    Isn't that basically what is being done to every device connected to the internet, 24/7/365?

    Bots are everywhere and they are attacking everything all the time.

  5. lokiju

    lokiju Lifer

    May 29, 2003
    You said you were connected to your VPN all night, right? Was it a VPN connection to your company's work network? Does your company's work network have other Macs? Could be that some other Mac on that side has a virus and it's just looking for other Macs.

    Turn off your VPN and see if the logs continue over the night.
  6. Stuxnet

    Stuxnet Diamond Member

    Jun 16, 2005
  7. MayorOfAmerica

    MayorOfAmerica Senior member

    Apr 29, 2011