When I shut down my Mac, it said 224 people were connected

It appeared as a pop-up box that warned me that 224 users were connected to my computer and would be disconnected when I shut it down. I rarely shut down that computer, so I have no idea how long it was like that (meaning, having that many users connected).

I was away for a few days. Last night, when I booted up my iMac again, I connected to it with my MacBook, and in the sharing pane in Sys Prefs, it said 1 user was connected. Later, I checked again and it said 2 users were connected, which was odd, since the MacBook is the only other Mac running in the house right now. (My wife's iBook gave up the ghost recently, so she's been using an iPad until we buy another laptop.)

This morning, I reviewed the processes running in Activity Monitor and checked them against a list of known OS X processes. None of the malware processes showed up, but there was an odd one called Monitor that wasn't on the list, so I terminated it, thinking it might be a keystroke logger or something of the sort.

I shut down file sharing on the iMac. Then I went into Sys Prefs and changed and my user password. Then I logged back into the iMac through my MacBook; since then, only one connected user has been shown.

I switched routers a while back and hadn't logged into the admin settings on my new 2WIRE from AT&T since then. I just now logged in and saw that I'm using WPA-PSK (TKIP) and WPA2-PSK (AES) (that's all one option). I also have the option to use just WPA2-PSK (AES), so I'll switch to that.

I'll also set up a new router password. I've been using the default one on the 2WIRE label (same with the admin key; I'll change that too).

BTW, while logged into the router, I saw something odd: 2 unknown devices are connected to it, along with Macintosh-2, 2 iPhones, and 2 iPads (the iPhones and iPads are ours). I assumed Macintosh-2 was my computer, but it has a different IP address assigned to it than the one I see in Sys Prefs. The IP address for my MacBook is listed under one of the devices labeled "unknown."

Do old devices show up in the list of devices connected to a router? Wondering if my wife's iBook is one of those unknown devices. Also, my son has been by with his MacBook Pro recently, so another might be him.

And, duh, I just realized that macintosh-2 is the iMac, since it's connected by Ethernet. Right now I have that, an unknown device that's my MacBook, and my iPhone and iPad showing up as active devices connected to the router. I'll get my wife's iPhone and iPad connected after she returns home.

I changed my admin and access passwords on the router. We'll see what happens from here.

I'm not running a VNC.

Oh, something else: I noticed that I had "Share files and folders using SMB" checked, so I unchecked that.

Thanks for all your help. It's much appreciated.

So, since I last posted, I've been monitoring the # of users connected in the Sharing preferences pane. I currently only have "using AFP" checked (FTP and SMB are not). That number has fluctuated around 2 or 3, which is still perplexing since only my MacBook has been connecting to the iMac via file sharing, but I just looked and it said 156 users connected ⚠. I did a restart and it said zero.

Then I logged in with the MacBook and it said 1. So it seems like it's correctly reporting the # of people connected. Again, I don't think these are people connecting to my router, so either the Sharing prefs pane is reporting the wrong number or people are logging into my iMac somehow, despite the firewall on my router.

And now I just looked at the firewall in Sys Prefs and, duh, it was off. Not sure when or why I turned it off, but I just turned it back on.

I will continue to monitor sharing in Sys Prefs and see if the # of connected users changes. Sure, it was dumb of me to turn the firewall off, but it's still bothersome that there were all those users connected. I hope they were only able to get into my guest folder and nothing else.

Any further thoughts and advice is much appreciated.

BTW, a search on "OS X file sharing + connected users" mostly pulled up people talking about OS X Server. I didn't see anything where someone experienced something similar to what I saw. But I'm sure most people aren't dumb like me and leave their firewall off for who knows how long.

I think I may have figured out what was doing this: I had an app installed called FingerPrint, which is supposed to let you print from iOS to a non-AirPrint-compatible printer, but it never worked well for me. I had it set as a log-in item.

In system.log, there are tons of entries that say:

Jun 14 23:59:13 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[77594]): Exited with exit code: 1

Jun 14 23:59:13 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd): Throttling respawn: Will start in 10 seconds

That's just an example. There are tons of this from this morning too. After deleting FingerPrint, I'm now seeing these entries:

Jun 16 08:20:11 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd): Throttling respawn: Will start in 10 seconds

Jun 16 08:20:12 macintosh-2 WDDriveManagerStatusMenu[269]: *** attempt to pop an unknown autorelease pool (0x81d600)

Jun 16 08:20:21 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[3805]): posix_spawn("/Applications/FingerPrint.app/Contents/MacOS/fingerprintd", ...): No such file or directory

Jun 16 08:20:21 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[3805]): Exited with exit code: 1

Jun 16 08:20:21 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd): Throttling respawn: Will start in 10 seconds

Is it possible that all these instances of com.collobos.fingerprintd trying to respawn the app caused multiple user connections?

Before I deleted FingerPrint, Sys Prefs was saying that 2 users were connected. Now it's just saying one.

RE the "who" command in Terminal: It produces this:

[user name] console Jun 15 18:15

[user name] ttys000 Jun 16 07:59

Both user names are me. Not sure if "console" and "ttys000" are meaningful.

Also, both system.log and kernel.log have tons of entries in them. Not sure what I should be looking for. Filtering out anything that says "en0" produces nothing in system.log. In kernel.log, I get one entry per day that looks like this:

Jun 16 07:00:07 macintosh-2 kernel[0]: Ethernet [AppleYukon2]: Link up on en0, 100-Megabit, Full-duplex, No flow-control, Debug [796d,6d00,0de1,0200,41e1,4000]

I have the iMac set to wake up at 7 AM every day, so I assume that's from the wake-up process.

One last thing: I do use FaceBook and LinkedIn. I use FaceBook on both the iMac and MacBook and LinkedIn only on the MacBook. Could an unauthorized user gain access through one of those?

Thanks for all your help. It's much appreciated.

Many thanks for your response. Your info is greatly appreciated.

What do you mean by "all have been hacked into lately"? Have other Mac users experienced issues with being hacked into?