Security Question
Yesterday I connected my iMac (OSX 10.9.5) directly to my cable modem as part of a debugging exercise. It seems I had left the SSH port open (but all IDs have a strong password, guest and root are disabled). I was interrupted, and upon my return it appeared from the system log that the iMac had been subjected to an attack from 103.41.124.30 in Kowloon, Hong Kong.
From details below it looks like an amateur tried a brute force attack against the root ID but was unsuccessful. I suppose I should consider the possibility that another attack at the same time was successful.
My Question: What other logs or information should I be checking? Can anyone recommend a SW tool to check for a keylogger or other Trojan?
Details
After an absence of 3 hours, I found 9000 of these records in the system log (all identical):
2014-11-29 8:03:24.076 PM sshd[1141]: error: PAM: authentication error for root from 103.41.124.30 via 23.233.25.220
to
2014-11-29 9:04:46.648 PM sshd[12559]: error: PAM: authentication error for root from 103.41.124.30 via 23.233.25.220
They had appeared over the course of the last hour anywhere from 200 ms to 2 seconds apart, and were still appearing as I disconnected the Mac from the net. I powered down the Mac; it is now back behind the firewall, and the firewall has been configured to prevent inbound or outbound traffic from this box while I figure out what to do with it.
The 103.41.124.30 address is from Kowloon, Hong Kong, and the 23.233.25.220 address belongs to my ISP.
It looks to me as though something or somebody (a bot?) in Kowloon was trying to brute-force root access, but wasn't successful - it seems a bit amateurish, since any experienced hacker should have seen that this was a Mac by scanning a few ports, and most Macs have root disabled.
I also see TCP connections happening in the appfirewall log, but these are continuous before, during and after the direct connection to the modem, and don't seem to be synchronized with the UDP connection attempts:
Nov 29 21:08:14 Mainlobe.local socketfilterfw[138] <Info>: hasplmd: Deny UDP CONNECT (in:2 out:0)
Nov 29 21:08:14 Mainlobe.local socketfilterfw[138] <Info>: sshd-keygen-wrapper: Allow TCP CONNECT (in:22 out:0)
Nov 29 21:08:44 Mainlobe.local socketfilterfw[138] <Info>: sshd-keygen-wrapper: Allow TCP CONNECT (in:21 out:0)
Nov 29 21:09:14 Mainlobe.local socketfilterfw[138] <Info>: hasplmd: Deny UDP CONNECT (in:2 out:0)
Nov 29 21:09:14 Mainlobe.local socketfilterfw[138] <Info>: sshd-keygen-wrapper: Allow TCP CONNECT (in:11 out:0)
Nov 29 21:09:14 Mainlobe.local socketfilterfw[138] <Info>: hasplmd: Deny UDP CONNECT (in:2 out:0)
Nov 29 21:09:14 Mainlobe.local socketfilterfw[138] <Info>: sshd-keygen-wrapper: Allow TCP CONNECT (in:11 out:0)
Nov 29 21:10:44 Mainlobe.local socketfilterfw[138] <Info>: hasplmd: Deny UDP CONNECT (in:2 out:0)
Nov 29 21:11:14 Mainlobe.local socketfilterfw[138] <Info>: hasplmd: Deny UDP CONNECT (in:2 out:0)
Nov 29 21:11:44 Mainlobe.local socketfilterfw[138] <Info>: hasplmd: Deny UDP CONNECT (in:2 out:0)
iMac, OS X Mavericks (10.9.5), 2.66GHz Core i5, 16GB RAM
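The triage a reader would want to run on this log, as an added example that is not part of the question above: a small parser that walks system.log lines, counts "PAM: authentication error" entries per (user, source) pair, flags sources that exceed a failure threshold, and, the part that actually matters here, lists every successful login and whether it came from a source that was also failing. The failure message format is copied from the post; the "Accepted <method> for <user> from <ip> port <n>" success line is OpenSSH's standard message and is assumed to be what this OS X version would log on a successful login. The sample lines, the 192.0.2.10 source and the users alice and bob are constructed for the demo. The parser keys on the sshd message and ignores the timestamp prefix, so it accepts both the Console.app format shown in the post and the raw syslog format in /var/log/system.log.

```python
import gzip
import re
import sys
from collections import Counter

# Failure line as quoted in the post ("illegal user" is optional and appears
# when the account does not exist). Success line is assumed to be OpenSSH's
# standard "Accepted <method> for <user> from <ip> port <port>" message.
FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: PAM: authentication error for "
    r"(?:illegal user )?(?P<user>\S+) from (?P<src>\S+)(?: via (?P<via>\S+))?"
)
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample log (not from the poster's machine). Mixes the Console.app
# timestamp format from the post with raw syslog format; the last line is an
# unrelated appfirewall entry that must be ignored.
SAMPLE_LOG = """\
2014-11-29 8:03:24.076 PM sshd[1141]: error: PAM: authentication error for root from 103.41.124.30 via 23.233.25.220
2014-11-29 8:03:25.100 PM sshd[1142]: error: PAM: authentication error for root from 103.41.124.30 via 23.233.25.220
Nov 29 20:03:26 Mainlobe sshd[1143]: error: PAM: authentication error for root from 103.41.124.30 via 23.233.25.220
Nov 29 20:03:27 Mainlobe sshd[1144]: error: PAM: authentication error for illegal user admin from 103.41.124.30 via 23.233.25.220
Nov 29 20:10:01 Mainlobe sshd[1201]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 50122 ssh2
Nov 29 20:11:45 Mainlobe sshd[1222]: Accepted keyboard-interactive/pam for bob from 103.41.124.30 port 40113 ssh2
Nov 29 20:12:41 Mainlobe socketfilterfw[138] <Info>: hasplmd: Deny UDP CONNECT (in:2 out:0)
"""


def load_log(path):
    """Read a plain or gzip-rotated system.log (system.log.0.gz etc.)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return fh.read().splitlines()


def triage(lines, threshold=20):
    """Summarise sshd activity in the given log lines.

    threshold: number of failures from one source that counts as brute force.
    """
    failures = Counter()   # (user, src) -> failed attempts
    per_source = Counter() # src -> failed attempts over all users
    accepted = []          # every successful login, whatever the source
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[(m.group("user"), m.group("src"))] += 1
            per_source[m.group("src")] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            accepted.append({"user": m.group("user"), "src": m.group("src"),
                             "method": m.group("method"), "pid": m.group("pid")})
    brute = sorted(s for s, n in per_source.items() if n >= threshold)
    return {
        "failures": dict(failures),
        "brute_force_sources": brute,
        "accepted": accepted,
        # A success from a host that was also guessing is the red flag:
        # the brute force was not "unsuccessful" after all.
        "accepted_from_attackers": [a for a in accepted if per_source[a["src"]] > 0],
    }


def report(summary):
    for (user, src), n in sorted(summary["failures"].items(), key=lambda kv: -kv[1]):
        print("%6d failures  user=%-8s from %s" % (n, user, src))
    print("brute-force sources:", ", ".join(summary["brute_force_sources"]) or "none")
    for a in summary["accepted"]:
        tag = "  <-- from a brute-forcing source" if a in summary["accepted_from_attackers"] else ""
        print("ACCEPTED %s for %s from %s%s" % (a["method"], a["user"], a["src"], tag))


if __name__ == "__main__":
    # Usage: python ssh_triage.py /var/log/system.log /var/log/system.log.0.gz ...
    lines = []
    for p in sys.argv[1:]:
        lines.extend(load_log(p))
    report(triage(lines or SAMPLE_LOG.splitlines(), threshold=3))
```

Run it over /var/log/system.log and the rotated system.log.N.gz files covering the three-hour window. The "failures" counts will reproduce the 9000-line flood; the entries to act on are anything under "accepted" during the time you were away from the keyboard, and in particular anything under "accepted_from_attackers".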