Browsing the web for a bit, noticed the laptop fan come on. This is quite unusual on my new X1 Carbon, but maybe there’s some eyeball counting javascript gone wild? Close the tab, fans stay on. More unusual.

Run top. Mysteriously, the system is busy but all the processes seem idle. Watch it a bit more, pound the spacebar, and finally notice the occasional login_passwd flickering among the top processes. There’s probably a more scientific means to discover what’s up, but this worked well enough. I’m not logging in, so who is? Check /var/log/authlog.

Apr  5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr  5 08:08:10 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr  5 08:08:10 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
Apr  5 08:08:11 carbolite sshd[15309]: Failed password for root from 43.255.190.148 port 50211 ssh2
Apr  5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2
Apr  5 08:08:11 carbolite sshd[30446]: Failed password for root from 43.255.190.154 port 49092 ssh2

Ah, yes, of course. That would make the fans go.

root:$2b$12$criWVll1Nov9AXQpDU2GyO/tczU87cNGYcWpcUyQx/zimHWA7HgjC:0:0:daemon:0:0:Charlie &:/root:/bin/ksh

At close to half a second per guess, 3 guesses per second will keep things busy.

carbolite:/var/log> grep "root from 43.255" authlog | wc  
    2056   28784  205001

And that will keep things warm.

Usually my laptop is safe and sound inside my network and not prone to remote thermal control, but it happened to be connected to a public net today. How else would anyone hunt for root’s Easter Eggs?