Should I be concerned that my shell prompt changed to "EvilJesusthe2nd"
December 7, 2017 3:02 AM
My Mac bash shell prompt changed, have I been hacked and what should I do?
It might be a coincidence, but after failing to connect to the misconfigured wifi router of a pub, I look at my Mac terminal and the prompt reads "EvilJesusThe2nd" instead of my username.
Maybe it's not the router, maybe it's just some script I've managed to run while doing programmer stuff on my command line. But I'm now wondering what could have changed my prompt, how I could find out more about this change in my system logs, and what security checks I should be running.
When I tried to connect to the pub wifi, it put up a Rails-esque message about how it couldn't set up a SSL connection at some particular HTTPS route. I feel like it can't be the pub that did this to my computer, but who knows?
Any help much appreciated.
First thing that comes to my mind: are you sure that your hostname hasn't changed? A DHCP server can provide a hostname to a client, along with an IP address, and the system hostname will be changed to whatever the DHCP server sends. Otherwise, it's set based on the name configured in the Sharing panel of System Preferences.
For instance, on my iMac, if I start up disconnected from the network and open a Terminal window, the prompt will be:
McCoys-Retina-Imac:~ mccoy$
However, if I connect it to my home network, where my DHCP server assigns a hostname of "coolname.myprivatedomain.com", then the Terminal prompt will be:
coolname:~ mccoy$
That seems like the likeliest explanation for the change. No security breach on your machine, just a DHCP server (at the pub or elsewhere) which provided a hostname of "EvilJesusThe2nd", which your Mac automatically accepted and set as the system name. If you run the "hostname" command at the Terminal, I'm guessing it will show "EvilJesusThe2nd.some.domain". It should go away with a reboot, or you can change it again with "sudo hostname NewHostname".
posted by McCoy Pauley at 4:10 AM on December 7, 2017 [7 favorites]
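The check McCoy Pauley describes, written out as an added example (this is not code from the thread or from Apple). macOS will adopt the name a DHCP server sends in the "host_name" option (DHCP option 12) when no HostName has been set explicitly, so a rogue or misconfigured router can rename the prompt without touching anything else on the machine. The script reads the lease in the text format printed by `ipconfig getpacket <interface>`, where each option appears as "name (type): value"; that format and the sample lease below are assumptions constructed here so the example runs offline, and the interface name `en0` is a hypothetical default.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the running
# hostname came from a DHCP host_name option (DHCP option 12), the mechanism
# McCoy Pauley describes, rather than from the name set in the Sharing pane.
#
# Assumptions (not stated in the thread): the lease is read from the text
# format printed by `ipconfig getpacket <interface>` ("name (type): value"
# per option), and SAMPLE_LEASE below is constructed for offline use.

# Pull the DHCP-supplied host name out of `ipconfig getpacket` output on stdin.
# Prints nothing when the server sent no host_name option.
dhcp_host_name() {
    sed -n 's/^host_name (string): //p' | head -n 1
}

# Pull the DHCP-supplied domain name the same way (it forms the FQDN suffix).
dhcp_domain_name() {
    sed -n 's/^domain_name (string): //p' | head -n 1
}

# Classify where the running hostname most likely came from.
#   $1  output of `hostname`
#   $2  host_name option from the lease, or empty
#   $3  name configured in Sharing (scutil --get LocalHostName), or empty
# Prints one of: dhcp, configured, unknown
hostname_source() {
    running=$1; from_dhcp=$2; configured=$3
    # Compare only the first label: DHCP may send a bare name while the
    # system reports name.domain (the "EvilJesusThe2nd.some.domain" case).
    running_label=${running%%.*}
    if [ -n "$from_dhcp" ] && [ "${from_dhcp%%.*}" = "$running_label" ]; then
        echo dhcp
    elif [ -n "$configured" ] && [ "$configured" = "$running_label" ]; then
        echo configured
    else
        echo unknown
    fi
}

# Constructed sample lease: the kind an untrusted router could hand out.
SAMPLE_LEASE='op = BOOTREPLY
htype = 1
yiaddr = 10.0.0.57
Options:
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 10.0.0.1
lease_time (uint32): 0x15180
subnet_mask (ip): 255.255.255.0
router (ip_mult): {10.0.0.1}
domain_name (string): pub.example
host_name (string): EvilJesusThe2nd
end (none): '

# Run the classifier against the constructed lease.
demo() {
    name=$(printf '%s\n' "$SAMPLE_LEASE" | dhcp_host_name)
    domain=$(printf '%s\n' "$SAMPLE_LEASE" | dhcp_domain_name)
    hostname_source "$name.$domain" "$name" "McCoys-Retina-Imac"
}

# On a real Mac, run the same check against the live lease and the
# configured name; skipped elsewhere because ipconfig/scutil are macOS-only.
if command -v ipconfig >/dev/null 2>&1 && command -v scutil >/dev/null 2>&1; then
    iface=${1:-en0}
    live_dhcp=$(ipconfig getpacket "$iface" | dhcp_host_name)
    live_cfg=$(scutil --get LocalHostName 2>/dev/null)
    echo "hostname: $(hostname)  dhcp host_name: ${live_dhcp:-<none>}  source: $(hostname_source "$(hostname)" "$live_dhcp" "$live_cfg")"
else
    echo "demo source: $(demo)"
fi
```

If the live run reports `dhcp`, the name came from the network and will change again on the next lease that carries a different host_name; setting an explicit name with `sudo scutil --set HostName <name>` makes the system keep it instead of accepting the DHCP-supplied one. A name the script classifies as `unknown` (matching neither the lease nor the Sharing pane) is the case worth investigating further, starting with the shell startup files that build the prompt.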
There was a 0 day exploit on OSX that was released recently. I think it requires physical access to the machine though so you should be OK.
McCoy Pauley is on to something. You can disable this DHCP feature in OSX following these instructions here
posted by teabag at 7:42 AM on December 7, 2017 [1 favorite]
No, the recent exploit did not require physical access. What version of the operating system are you running?
posted by the agents of KAOS at 8:59 AM on December 7, 2017
High Sierra. But I guess McCoy's answer seems the most likely? Much appreciated.
posted by johngoren at 9:50 AM on December 7, 2017
What programmer stuff? Piping output of curl/wget directly into shells or scripts and running them?
posted by TheAdamist at 3:12 AM on December 7, 2017 [2 favorites]