Random shutdown...security problem?

modest serving

Original poster
I usually leave my 27" iMac plugged in and on 24/7. It goes to sleep after 30 minutes of inactivity, but I rarely shut it down since I often connect to it remotely for VNC and torrents.

Lately I have noticed a few random times that when I have gotten home from work the iMac will be completely turned off and it will have to boot up. At first I thought maybe my power was going out during the day, so I ticked the box for restarting automatically after a power failure.

It happened again today. So, I checked the system.log in the console.
Here are the last entries before shutdown:
Aug 27 13:52:41 biggie WindowServer[151]: handle_will_sleep_auth_and_shield_windows: no lock state data
Aug 27 13:52:41 biggie loginwindow[39]: ERROR | -[LWScreenLock(Private) screenIsLockedTimeExpired:] | No lock state found, use built in check
Aug 27 13:52:41 biggie loginwindow[39]: resume called when there was already a timer
Aug 27 13:52:42 biggie screensharingd[6651]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 207.237.187.100 :: Type: VNC DES
Aug 27 13:53:11 biggie WindowServer[151]: Created shield window 0xca for display 0x042735c0
Aug 27 13:53:11 biggie WindowServer[151]: device_generate_desktop_screenshot: authw 0x7fc0ba467810(2000), shield 0x7fc0ba4545e0(2001)
Aug 27 13:53:11 biggie WindowServer[151]: device_generate_lock_screen_screenshot: authw 0x7fc0ba467810(2000), shield 0x7fc0ba4545e0(2001)
The first thing I noticed was the failed VNC login. Turns out there have been LOTS of these all from shady IP addresses going back as far as I have logs. Luckily they all say failed. The only successful logins have been my own, so far as I can tell.

Does anyone see anything else from that log that would explain the shutdown behavior? Will repeated VNC login failures cause a shut down?

I changed my outward port for VNC from 5900 to something else, I've changed my screen sharing password and my login password, as well as my 1Password master password. I also changed the password to the web-GUI for my router. Running ClamXav now. Anything else I should do?
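One way to tally the failed Screen Sharing logins described in the post above, as an added example that is not part of the original thread: it parses lines in the layout of the screensharingd entry quoted there and counts failures per viewer address, flagging addresses that fail several times in a short window. The sample lines, the assumed year, and the burst threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout copied from the screensharingd line quoted in the post.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ screensharingd\[\d+\]: "
    r"Authentication: (?P<status>\w+) :: User Name: .*? :: "
    r"Viewer Address: (?P<addr>\S+) :: Type: .+$"
)

# Constructed sample lines (documentation-range addresses), not real log data.
SAMPLE_LOG = """\
Aug 27 13:52:41 biggie loginwindow[39]: resume called when there was already a timer
Aug 27 13:52:42 biggie screensharingd[6651]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.0.2.10 :: Type: VNC DES
Aug 27 13:53:05 biggie screensharingd[6651]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.0.2.10 :: Type: VNC DES
Aug 27 13:54:30 biggie screensharingd[6651]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.0.2.10 :: Type: VNC DES
Aug 27 18:10:02 biggie screensharingd[6651]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.7 :: Type: VNC DES
""".splitlines()

def parse_auth_events(lines, year=2012):
    """Yield (timestamp, status, address); syslog has no year, so `year` is assumed."""
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["status"], m["addr"]

def summarize_failures(lines, burst=3, window=timedelta(minutes=5)):
    """Per source address: failure count, last seen, and whether `burst` failures fit in `window`."""
    by_addr = defaultdict(list)
    for ts, status, addr in parse_auth_events(lines):
        if status == "FAILED":
            by_addr[addr].append(ts)
    report = {}
    for addr, stamps in by_addr.items():
        stamps.sort()
        is_burst = any(stamps[i + burst - 1] - stamps[i] <= window
                       for i in range(len(stamps) - burst + 1))
        report[addr] = {"count": len(stamps), "last": stamps[-1], "burst": is_burst}
    return report

if __name__ == "__main__":
    for addr, info in sorted(summarize_failures(SAMPLE_LOG).items()):
        print(addr, info["count"], info["last"].isoformat(), "BURST" if info["burst"] else "")
```

Passing the lines of the real system.log instead of `SAMPLE_LOG` gives the same per-address summary, which makes it easy to compare the volume of failures before and after a change such as moving the external port.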
 

ratfink

> I usually leave my 27" iMac plugged in and on 24/7. It goes to sleep after 30 minutes of inactivity, but I rarely shut it down since I often connect to it remotely for VNC and torrents.
>
> Lately I have noticed a few random times that when I have gotten home from work the iMac will be completely turned off and it will have to boot up. At first I thought maybe my power was going out during the day, so I ticked the box for restarting automatically after a power failure.
>
> It happened again today. So, I checked the system.log in the console.
> Here are the last entries before shutdown:
>
> The first thing I noticed was the failed VNC login. Turns out there have been LOTS of these all from shady IP addresses going back as far as I have logs. Luckily they all say failed. The only successful logins have been my own, so far as I can tell.
>
> Does anyone see anything else from that log that would explain the shutdown behavior? Will repeated VNC login failures cause a shut down?
>
> I changed my outward port for VNC from 5900 to something else, I've changed my screen sharing password and my login password, as well as my 1Password master password. I also changed the password to the web-GUI for my router. Running ClamXav now. Anything else I should do?

There have been several vulnerabilities in VNC services that allow attackers to bypass authentication completely. I'd check to make sure you're running the most recent version. There are automated scanners out there that just search the Internet for vulnerable VNC servers. Now, it's most likely not what's causing your problem, but you should make sure.
 

modest serving

Original poster
I'm just using the built-in screen sharing VNC server. I'm running Mountain Lion 10.8.1.

After some more googling I'm realizing that my random shutdown issue is probably unrelated to the attempted VNC break-ins. I guess I should try setting the SMC?
 

Intell

An SMC reset might help. And one rule that every person should abide by is never forward the default port to the outside. That is, never make your external VNC port 5900 or your external SSH port 22. Always make them something higher than 5000. Otherwise you risk someone trying to brute force their way into your system.
 

ilgreatluigi

> An SMC reset might help. And one rule that every person should abide by is never forward the default port to the outside. That is, never make your external VNC port 5900 or your external SSH port 22. Always make them something higher than 5000. Otherwise you risk someone trying to brute force their way into your system.

This technique is kind of outdated now. While scrambling the port number could slow the attacker briefly, many automated scanners can detect what the port number is still. This method is only good against worms and very lazy attackers.
 

Intell

> This technique is kind of outdated now. While scrambling the port number could slow the attacker briefly, many automated scanners can detect what the port number is still. This method is only good against worms and very lazy attackers.

It still defeats the worms, basic scripts, lazy hackers, and automated scanners looking for default ports. All of which comprise about 80% of all port scanning.
 

modest serving

Original poster
> An SMC reset might help. And one rule that every person should abide by is never forward the default port to the outside. That is, never make your external VNC port 5900 or your external SSH port 22. Always make them something higher than 5000. Otherwise you risk someone trying to brute force their way into your system.

I just wanted to follow up by saying that I did what you suggested. I changed the incoming port for VNC, and since then I have not seen any unauthorized attempts to log in in the system logs. Thanks for your help. Newb mistake :eek: