Anatomy of a Pown. (Pown'd part 2.)
Ok. After looking at my previous post it might be easy to piece together what this is going to be about. The bad news is that (like 100% of everyone that has an internet connection) someone tried to pwn me. My saving grace is that the attempt left lots of footprints that I could see. This really made me pay attention to security on the web and to how vulnerable I really was. Do I run super secret clandestine ops on my computer? Nope, I just have an IP address and a fairly common ISP.
The Steps
Now I don't know for sure exactly how it all unfolded for the first steps but I've got a good idea about it.
- Someone was running nmap on a large block of IP addresses doled out by my ISP (total speculation here) and found that I had some odd ports open. Nmap is a port scanner: it tells you which ports on a machine are open for traffic (and, with service detection turned on, what is listening on them), and it can also make a best guess at what OS the machine is running from the way its TCP/IP stack responds. Of course you are not supposed to use Nmap for anything nefarious. It has gotten a bit of a bad rap for the sneaky things it can do despite how great it is as a diagnostic tool.
- A brute force attack was launched against the operating system to see if any security vulnerabilities could be found. My previous post is a dead giveaway to what happened. For example (once again speculation) a tool from the Metasploit package could have been run to test for an unsecured VNC connection.

- Having found a running unsecured VNC session, it was trivial to get a connection to the desktop. Here are some obfuscated command line logs (this is not speculation but what I found); download the files if you like:

I'll leave it up to the reader to step through this, but basic Unix skills will tell you that this was fairly straightforward exploratory stuff.
- I returned to the computer to find that a terminal was open with one of the scanning scripts running, trying to find vulnerabilities. At this point I was a bit peeved but not too worried, for a few specific reasons:
- All my passwords are strong and different for everything (and kept in KeePass).
- Nothing sensitive was stored unencrypted.
- My network topology is properly segmented.
- The system log files showed that nothing was accessed besides what I described.
- I changed all my passwords just for good measure, moved IP addresses around and buttoned up the firewall even more.
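The "unsecured VNC" check that a Metasploit auxiliary scanner performs, and that you can run against your own machine as part of the kind of self-audit described in these steps, comes down to reading the security types a VNC server offers during the RFB version handshake: type 1 ("None") means the desktop is handed out with no credentials at all. The script below is an added example, not code from the original post and not Metasploit's own code; the sample handshakes embedded in it are constructed for illustration, and any host you pass on the command line is your own to scan.

```python
"""Probe a VNC (RFB) server and report which security types it offers.

Security type 1 ("None") means anyone who completes the version handshake
gets the desktop. Type 2 alone ("VNC Authentication") is a DES challenge on
an 8-character password, which is better than nothing but not much.
"""
import socket
import struct
import sys

# Security-type numbers from the RFB protocol registry (partial list).
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD",
}


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if (len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"."
            or banner[11:12] != b"\n"):
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(banner[4:7]), int(banner[8:11])


def client_version(major: int, minor: int) -> bytes:
    """Answer with the highest version we speak (3.8) that the server also offers."""
    if (major, minor) >= (3, 8):
        minor = 8          # servers such as Apple's announce 3.889; reply 3.8
    elif (major, minor) < (3, 7):
        minor = 3          # old servers only speak 3.3
    return b"RFB %03d.%03d\n" % (3, minor)


def parse_security_types(major: int, minor: int, payload: bytes) -> tuple:
    """Return (types, refusal_reason) from the message after the version exchange."""
    if (major, minor) < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a U32; 0 = refused.
        (sec_type,) = struct.unpack("!I", payload[:4])
        if sec_type == 0:
            (n,) = struct.unpack("!I", payload[4:8])
            return [], payload[8:8 + n].decode("latin-1")
        return [sec_type], None
    count = payload[0]                           # RFB 3.7/3.8: U8 count, then types
    if count == 0:                               # refused: U32 reason length + text
        (n,) = struct.unpack("!I", payload[1:5])
        return [], payload[5:5 + n].decode("latin-1")
    return list(payload[1:1 + count]), None


def assess_captured(banner: bytes, payload: bytes) -> dict:
    """Classify a handshake (version banner + security-type message)."""
    major, minor = parse_version(banner)
    types, reason = parse_security_types(major, minor, payload)
    return {
        "version": f"{major}.{minor}",
        "types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "no_auth": 1 in types,            # the Metasploit vnc_none_auth finding
        "password_only": types == [2],    # classic VNC auth and nothing stronger
        "refused": reason,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Connect to a live server, complete the version exchange and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exact(sock, 12)
        major, minor = parse_version(banner)
        sock.sendall(client_version(major, minor))
        # The security message is a handful of bytes; one read is enough in practice.
        payload = sock.recv(512)
    return assess_captured(banner, payload)


# Constructed sample handshakes (not captures from the post) for offline use.
SAMPLES = {
    "open desktop (3.8, offers None and VNC auth)": (b"RFB 003.008\n", b"\x02\x01\x02"),
    "password only (3.8)": (b"RFB 003.008\n", b"\x01\x02"),
    "old server (3.3, VNC auth chosen)": (b"RFB 003.003\n", b"\x00\x00\x00\x02"),
    "refused (3.8)": (b"RFB 003.008\n", b"\x00" + struct.pack("!I", 8) + b"Too many"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
        print(sys.argv[1], port, probe(sys.argv[1], port))
    else:
        for label, (banner, payload) in SAMPLES.items():
            print(f"{label}: {assess_captured(banner, payload)}")
```

Run it with no arguments to see the constructed samples classified, or with your own host and port to probe a live server. If it reports no_auth for a machine you own, bind the VNC server to localhost and reach it over an SSH tunnel, or at least firewall port 5900 to your LAN; a result of password_only still leaves you with an 8-character DES challenge as the only thing between the internet and your desktop.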
The End Result
I am more disappointed with myself for letting something like this happen than with the actual attack. It was bad security on my part. As more proof of how the human factor can compromise the best of intentions, have a read about how Twitter was hacked with guessed passwords. However, the incident did prompt me to take a closer look at computer security and to discover that there are sets of tools out there that will let you do a security 'audit' on your network (more on this later). It might be interesting to research how an ILS (integrated library system) holds up against a brute force security sweep, considering that it has lots of personal information about people and their reading habits locked inside it.
