
Mac Terminal: computer name replaced with "virus"

Hi, I'm having an issue where, in my Mac terminal, the space where the computer name is shown is instead replaced with the word "virus".


virus:~<username>$


Additionally, my internet connection either works terribly or not at all, and this only seems to happen at night. I have no idea what's going on, but maybe somebody can shed some light on this?

Posted on Feb 13, 2012 7:23 PM

11 replies

Feb 13, 2012 8:15 PM in response to AvataroftheSun

You are pwned/owned etc, they have you.


Only thing you can do is either call in a security specialist or, if you're really experienced, wipe everything and rebuild, from your router to your machines, without allowing anything to "hop" via rewriteable media.


All software removed and replaced, all firmware replaced, IP changed and only non-code bearing files retained.


Heck even your printer might have to be flushed.


Quite an intensive task, and if you leave something overlooked, they are back in again like Flynn.



Good Luck, we can't help you. 😟

Feb 14, 2012 3:04 AM in response to AvataroftheSun

You never said that in your original post (or I misinterpreted "only happens at night").


Still, when you launch Terminal, echo $PS1, and when you see the "virus", echo $PS1 again. I am not sure how something could redefine the prompt behind your back.


Note, there are two bash startup files that are not in your account that could be targeted: /etc/profile and /etc/bashrc. Maybe you should check them too. I could conceive of these scripts being written as varying PS1 as a function of bash launch time. Or something changing these scripts at a particular time.

Feb 14, 2012 6:33 AM in response to X423424X

By default your prompt contains \h which says use your hostname. Bash will get your hostname by doing a reverse DNS lookup on your IP address. The DNS server will then provide the name. If the DNS server does not find the name via the regular DNS lookup avenues, you get your System Preferences -> Sharing -> Computer name.


Since DNS information is generally stored external to the computer it can change over time. The typical DNS lookup route is your /etc/hosts file, then your primary DNS server. Often times your primary DNS server is your home router, and your home router then forwards DNS lookup requests to the DNS servers your ISP has given to the home router when it got its ISP provided DHCP assigned IP address.


So the 'virus' computer name could be coming from cached information in the home router, or it could be coming from the ISP DNS servers. Personally I would vote for the home router, as it should be just translating the 192.168.x.x (or 10.0.0.x) addresses and not forwarding those addresses off the local LAN.


I would start with power cycling the home router. Also, are there other devices on the home LAN that might have previously used that local LAN IP address, and were telling the home router their name was 'virus'?

Feb 14, 2012 6:36 AM in response to AvataroftheSun

The most plausible explanation is that someone with access to your computer is messing with you. There's a number of ways of changing the computer's name shown at the command prompt (at least one doesn't involve touching your computer at all):


1. If your computer is given a name by the DHCP server (your Internet gateway, or whatever you are using), an individual can modify the name that the DHCP service gives your computer and your computer will simply adopt that name when it receives its IP address assignment. (Doesn't require access to your computer.)


2. If your computer didn't get assigned a host name by DHCP, then the system will do a reverse DNS lookup on the IP address it gets. If the DNS server (or /etc/hosts) returns 'virus' as the host name for that IP address, then your system will use that name. (Doesn't require access to your computer.)


3. If neither of the first two things happened, the system will use the name you set in the Sharing pane of System Preferences. (Someone can set this by simply walking up to your computer and setting it, or by logging in with an admin account and editing /Library/Preferences/SystemConfiguration/preferences.plist).


4. Someone could also edit the default prompt used by bash. The environment variable PS1 contains the prompt template string, the default being PS1='\h:\W \u\$ ' -- the '\h' means host name. You can do 'echo $PS1' to see if it's set this way. PS1 can be set in /etc/profile, /etc/bashrc, ~/.profile, and ~/.bashrc


There's a couple of other possibilities if you are integrating with Active Directory or Open Directory

Feb 14, 2012 1:05 PM in response to J D McIninch

Okay, I can see how something like this is from somebody messing with me, mostly because of the computer name changes. I mean, if it was some attacker, I somewhat doubt they'd actually change the hostname, so as to avoid detection.


On the other hand though, it doesn't really explain how my connection cuts out at the same time, especially intermittently like it does. That's what leads me to think that there is something going on under the hood.


At any rate, I'll check for the bash config files, the $PS1, the router (if I can remember how to get into the configuration). I just think that nothing really adds up to a definitive answer just by looking at the symptoms.

Feb 16, 2012 10:23 PM in response to AvataroftheSun

Alright, so something I found out poking around my computer's settings.


It turns out that "virus" was the computer's hostname, and that one of my siblings changed it there a while back. I went ahead and changed both the computer name and the hostname, and this behavior still occurs, but using these new names. They've also not changed in the past couple days, so that's good news.


So the computer is alternating between using the computer name during the day and the hostname at night (with the addition of a shoddy network connection). So I'm rather convinced that the network hasn't been compromised, save for the inconsistent network connection. Any ideas?

Feb 16, 2012 10:40 PM in response to AvataroftheSun

AvataroftheSun wrote:


Any ideas?

Use scutil to get (--get) or set (--set) these names. From the manpage:


Supported preferences include:

    ComputerName   The user-friendly name for the system.
    LocalHostName  The local (Bonjour) host name.
    HostName       The name associated with hostname(1) and gethostname(3).

[…] The --set option requires super-user access.
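
The checks suggested across the replies above (the three scutil names, PS1 assignments in the four bash startup files, and /etc/hosts entries for the current name), gathered into one read-only script. This is an added example, not code from any poster; the function names are hypothetical, and the scutil step is skipped on systems where scutil is not installed.

```shell
#!/bin/sh
# Added example: collect the places the prompt's host name can come from.
# Function names are hypothetical; nothing here modifies the system.

# Print the three macOS names plus what hostname(1) reports.
report_names() {
    if command -v scutil >/dev/null 2>&1; then
        for key in ComputerName LocalHostName HostName; do
            printf '%-14s %s\n' "$key" \
                "$(scutil --get "$key" 2>/dev/null || echo '(not set)')"
        done
    fi
    printf '%-14s %s\n' 'hostname' "$(hostname 2>/dev/null || uname -n)"
}

# Print file:line:text for each PS1 assignment in the given startup files.
# Missing or unreadable files are skipped silently.
find_ps1_assignments() {
    grep -nHE '^[[:space:]]*(export[[:space:]]+)?PS1=' "$@" 2>/dev/null || true
}

# Succeed if a PS1 template takes the host name from the system (\h or \H)
# rather than hard-coding a literal string.
ps1_uses_hostname() {
    case "$1" in
        *'\h'*|*'\H'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each IP address that a hosts file maps to the given name.
hosts_ips_for_name() {   # $1 = hosts file, $2 = name
    [ -r "$1" ] || return 0
    awk -v n="$2" '{ sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; break } }' "$1"
}

report_names
echo 'PS1 assignments found:'
find_ps1_assignments /etc/profile /etc/bashrc "$HOME/.profile" "$HOME/.bashrc"
echo 'hosts entries for the current name:'
hosts_ips_for_name /etc/hosts "$(hostname 2>/dev/null || uname -n)"
```

Running it once while the prompt looks normal and once while it shows the unexpected name makes it clear which of the sources differs between the two states.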
