Should I be concerned that my shell prompt changed to "EvilJesusthe2nd"
December 7, 2017 3:02 AM   Subscribe

My Mac bash shell prompt changed, have I been hacked and what should I do?

It might be a coincidence, but after failing to connect to the misconfigured wifi router of a pub, I look at my Mac terminal and the prompt reads "EvilJesusThe2nd" instead of my username.

Maybe it's not the router, maybe it's just some script I've managed to run while doing programmer stuff on my command line. But I'm now wondering what could have changed my prompt, how I could find out more about this change in my system logs, and what security checks I should be running.

When I tried to connect to the pub wifi, it put up a Rails-esque message about how it couldn't set up a SSL connection at some particular HTTPS route. I feel like it can't be the pub that did this to my computer, but who knows?

Any help much appreciated.
posted by johngoren to Computers & Internet (5 answers total)
I'd start by looking at what's causing your prompt change. Did your username get changed? Did your shells RC files get changed to redefine the prompt string, and are there other changes in the files?

What programmer stuff? Piping output of curl/wget directly into shells or scripts and running them?
posted by TheAdamist at 3:12 AM on December 7, 2017 [2 favorites]

Best answer: First thing that comes to my mind: are you sure that your hostname hasn't changed? A DHCP server can provide a hostname to a client, along with an IP address, and the system hostname will be changed to whatever the DHCP server sends. Otherwise, it's set based on the name configured in the Sharing panel of System Preferences.

For instance, on my iMac, if I start up disconnected from the network and open a Terminal window, the prompt will be:

McCoys-Retina-Imac:~ mccoy$

However, if I connect it to my home network, where my DHCP server assigns a hostname of "", then the Terminal prompt will be:

coolname:~ mccoy$

That seems like the likeliest explanation for the change. No security breach on your machine, just a DHCP server (at the pub or elsewhere) which provided a hostname of "EvilJesusThe2nd", which your Mac automatically accepted and set as the system name. If you run the "hostname" command at the Terminal, I'm guessing it will show "EvilJesusThe2nd.some.domain". It should go away with a reboot, or you can change it again with "sudo hostname NewHostname".
posted by McCoy Pauley at 4:10 AM on December 7, 2017 [7 favorites]

There was a 0 day exploit on OSX that was released recently. I think it requires physical access to the machine though so you should be OK.

McCoy Pauley is on to something. You can disable this DHCP feature in OSX following these instructions here
posted by teabag at 7:42 AM on December 7, 2017 [1 favorite]

No, the recent exploit did not require physical access. What version of the operating system are you running?
posted by the agents of KAOS at 8:59 AM on December 7, 2017

Response by poster: High Sierra. But I guess McCoy's answer seems the most likely? Much appreciated.
posted by johngoren at 9:50 AM on December 7, 2017

« Older Can anyone recommend a good online automotive...   |   Can we have fish for dessert? Newer »
This thread is closed to new comments.