
Sorry for the generic title, but I really don't know what to call this. I've just upgraded my MacBook Air to macOS Mojave 10.14.3. Usually, when opening the terminal it would show something like `myusername at myMacBookAir in ~`.

After this upgrade (though actually I can't tell for sure whether it was happening even before), it started showing `myusername at DESKTOP-GD4U33R in ~`. I tried to google DESKTOP-GD4U33R but got no results, so I tried to open a browser tab at http://desktop-gd4u33r/ and magically a webpage showed up (the one below).

[screenshot of the web page]

Another curious thing is that if I turn WiFi off and reopen the terminal, it goes back to normal: `myusername at myMacBookAir in ~` is shown. When I turn it back on, this DESKTOP-GD4U33R appears again. To me (being a web developer) it seems that I have a web server running, but I don't even have this Bitnami WAPP installed, so I'm seriously thinking there's something malicious on my machine. Any help is much appreciated.

leota
  • What happens if you browse to localhost in your browser? Do you have a Windows machine on your network? – xvk3 Feb 18 '19 at 21:35
  • On localhost it says "This site can't be reached", so nothing is running there. There were 2 Windows machines on my network, but I disabled their internet connections and the situation is still the same. – leota Feb 18 '19 at 21:40
  • I'd suggest finding out the IP address of this `DESKTOP-GD4U33R` host (`ping DESKTOP-GD4U33R`) and your own host IP address `ifconfig`. Also check your computer name under System Preferences > Sharing. – Alexander O'Mara Feb 18 '19 at 21:47
  • @AlexanderO'Mara `PING desktop-gd4u33r.station (192.168.1.2): 56 data bytes` / `Request timeout for icmp_seq 0` / `ping: sendto: Host is down` – leota Feb 18 '19 at 21:53
  • @AlexanderO'Mara my IP seems to be 192.168.1.8 – leota Feb 18 '19 at 21:58
  • 192.168.1.2 is on your local network. I would try to identify what machine it is. Perhaps it's your router? – Alexander O'Mara Feb 18 '19 at 22:23
  • @AlexanderO'Mara I've restarted my router and the problem seems to have disappeared. In any case, I see a device, which I'm not able to identify, connected to my local network as "new-host" with IP 192.168.1.3. Still strange. I can put a MAC filter on my router, but I'm still not able to understand whether this device comes from outside or is a service run by my machine. – leota Feb 18 '19 at 22:50
  • 192.168.1.2 is *supposed* to be on the local network. However, ISPs can allow private IP networks to route between their customers. I think it's very ill-advised, but I know I had an ISP a couple decades ago that did. I had some words with them, they refused to change it, I changed ISPs, and then read in the news a few years later some of their customers were hacked in part due to that policy, and they finally changed it. But that's one ISP. – Ed Grimm Feb 19 '19 at 01:41
  • A custom DHCP server could recognize a Mac by its MAC (pun unavoidable) and tell it's `YouHaveBeenHacked`. – Esa Jokinen Feb 19 '19 at 09:55

1 Answer


If you were unaware, you can do local DNS resolution by modifying /etc/hosts. This file looks something like:

127.0.0.1 localhost
192.168.1.2 DESKTOP-GD4U33R

So, this can be done for many legitimate reasons, as a local DNS lookup may be more favourable. Do realise that localhost (127.0.0.1) is a loopback address; it is accessible from your machine only. A localhost lookup could be favourable if you were doing web server testing locally before deployment and hence needed privacy.

Mentioning that your hostname changed from user@MacBookAir ~ to user@DESKTOP-GD4U33R ~ implies an application with root privileges made this change (I speak more about this below). Issuing cat /etc/hostname will allow you to view your hostname. You can change your hostname either by editing /etc/hostname or in Settings > Network Utility. By default, modern Microsoft Windows machines use the hostname DESKTOP-XXXXXXX, where X is a random base-36 string of upper-case letters and numeric characters. That is just a suggestion for the possible naming convention, as it's quite specific, but your hostname becoming DESKTOP-GD4U33R and having a DNS resolution to DESKTOP-GD4U33R via 192.168.1.2 does seem quite unusual.

This is good news, as the IP address resolves to your local network. Consequently, this potential threat is isolated. As mentioned, identify who 192.168.1.2 is before proceeding further. But I would suggest, presuming you are the network administrator or are authorised, using Nmap to identify open ports on this machine; nmap -Pn -A 192.168.1.2 will suffice. This device can absolutely be an egress port on your machine; from the terminal, ifconfig | grep 192.168.1.2 will identify whether this IP address is one of the machine's network interfaces.

ClamAV offers a macOS antivirus, but locally this looks more like an application has modified /etc/hostname and /etc/hosts. It could also be worthwhile ensuring both files are read-only; ls -l /etc/hostname; ls -l /etc/hosts should return something like:

-rw-r--r-- root root  /etc/hosts
-rw-r--r-- root root  /etc/hostname

Notice that only the root user (not group) should have write access.

safesploit
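The checks the answer recommends (hosts-file entries for the odd name, whether the address belongs to one of the Mac's own interfaces, and the permissions on /etc/hosts), wrapped into one POSIX shell audit script. This is an added example, not code from the answer or the asker: it reads the hostname with `hostname` and `scutil --get` rather than /etc/hostname, the `--run` flag is my convention, and the sample /etc/hosts and ifconfig text are constructed for testing.

```shell
#!/bin/sh
# Added audit helper (not from the original answer): the checks it recommends, as
# functions that take their input as arguments so constructed data can drive them.

# Constructed sample inputs for testing (not captured from a real machine).
SAMPLE_HOSTS='127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
# the kind of entry the answer describes
192.168.1.2 DESKTOP-GD4U33R'
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.8 netmask 0xffffff00 broadcast 192.168.1.255'
write_sample_hosts() { f=$(mktemp); printf '%s\n' "$SAMPLE_HOSTS" > "$f"; echo "$f"; }
# Every uncommented hosts line mapping NAME (case-insensitive) to an address.
hosts_entries_for() {        # $1 = hosts file, $2 = hostname
    grep -v '^[[:space:]]*#' "$1" | awk -v n="$2" '{
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) { print $1, $i; break } }'
}
# Hosts entries pointing anywhere but loopback/broadcast: the ones that need explaining.
non_loopback_entries() {     # $1 = hosts file
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 2 && $1 !~ /^127\./ && $1 != "::1" \
        && $1 !~ /^fe80::1/ && $1 != "255.255.255.255" { print $1, $2 }'
}
# Is ADDR configured on one of this machine's interfaces? $1 = ifconfig output, $2 = ADDR.
is_local_address() {
    printf '%s\n' "$1" | awk -v a="$2" '$1 == "inet" || $1 == "inet6" {
        x = $2; sub(/^addr:/, "", x); sub(/\/.*/, "", x); if (x == a) found = 1 }
        END { exit !found }'
}
# True if an ls -l mode string grants write to group (column 6) or other (column 9).
world_or_group_writable() {  # $1 = mode string such as -rw-r--r--
    case "$1" in ?????w*|????????w*) return 0 ;; *) return 1 ;; esac
}
# Live audit of this Mac: hostname sources, suspicious hosts entries, permissions.
audit() {
    echo "hostname (what the prompt shows): $(hostname)"
    for k in HostName LocalHostName ComputerName; do    # scutil exists on macOS only
        printf '%-14s %s\n' "$k:" "$(scutil --get "$k" 2>/dev/null || echo '(not set)')"
    done
    non_loopback_entries /etc/hosts | while read -r addr name; do
        if is_local_address "$(ifconfig)" "$addr"; then where="one of this machine's interfaces"
        else where="another device on the LAN; identify it before trusting it"; fi
        echo "/etc/hosts maps $name -> $addr ($where)"
    done
    mode=$(ls -l /etc/hosts | awk '{ print $1 }')
    if world_or_group_writable "$mode"; then echo "WARNING: /etc/hosts is group/other writable ($mode)"
    else echo "/etc/hosts permissions look fine ($mode)"; fi
}
if [ "${1:-}" = "--run" ]; then audit; fi    # live run: sh audit.sh --run
```

Run it with `--run` on the Mac itself; a hosts entry that maps the odd name to an address that is not one of your own interfaces is the device to identify on the LAN.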