0

today I logged into my mac and opened zsh and had a big shock!

Normally my terminal prompt is something like:

sidharthghoshal@macbook-pro

But today I found it was :

sidharthghoshal@HaeLims-Air

I don't know what HaeLims-Air is and my first assumption is I had been hacked. Exploring a bit I came across this post: How do I stop my computer name from automatically, and incorrectly, changing? .

Inspired by it I went to the terminal and ran print -P '%m' and it printed out HaeLims-Air so it my hostname %m has legitimately changed.

enter image description here

Now when I check my system preferences and sharing the name of the macbook is still the same as it has ever been. It is Sidharth’s MacBook Pro which is what I thought it should be.

enter image description here

So now I want to ask. How can I find out

  1. which files actually contain the string HaeLims-Air that has changed.
  2. When did this file change?

I would like to understand exactly when that hostname in the zsh would have been modified. Since this is the first time in my entire life I have encountered this and still feel quite uneasy.

In a weak attempt I tried to run grep -iR "HaeLim" . from the \etc folder but nothing came up.

It is possible this is benign. I looked up my hostname history and indeed there I see that only MOST recently did the host name change:


sidharthghoshal@HaeLims-Air ~ % log show --style syslog --info --last 30d | grep 'setting hostname'

2024-01-28 16:34:51.391348-0500  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MacBook-Pro.local"
2024-01-28 16:34:54.493552-0500  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MBP.lan"
2024-01-28 17:39:07.272782-0500  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MacBook-Pro.local"
2024-01-28 17:39:09.392589-0500  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MBP.lan"
2024-01-31 11:10:27.564345-0500  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MacBook-Pro.local"
2024-01-31 11:10:37.515435-0500  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MBP.lan"
1969-12-31 19:06:20.379707-0500  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MacBook-Pro.local"
2024-02-02 19:00:06.481011-0800  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MBP.attlocal.net"
2024-02-02 19:06:23.604979-0800  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MacBook-Pro.local"
2024-02-02 19:06:27.296765-0800  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MBP.attlocal.net"
1969-12-31 20:03:50.582148-0800  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MacBook-Pro.local"
2024-02-06 15:50:00.336584-0800  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MBP.attlocal.net"
1969-12-31 16:08:31.806416-0800  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Sidharths-MacBook-Pro.local"
2024-02-06 22:00:14.072212-0800  localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "HaeLims-Air"

I suspect that the February 06 entry given as

2024-02-06 22:00:14.072212-0800 localhost configd[82]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "HaeLims-Air"

Actually comes from my Macbook not being turned on since February 06. And thus when it turned on, before the Macbook KNEW what the correct date was it already was attempting to set the hostname. This makes a lot of sense because until the Macbook connects to WIFI I do not believe it has any way of being aware of what the time is. In order to connet to WIFI it will get a hostname assigned.

Sidharth Ghoshal
  • 111
  • 1
    The „why“ is explained in the other answers in the Q&A you linked to. As for your analysis: Macs have a hardware clock, they „always“ know what time it is. – nohillside Feb 27 '24 at 21:28
  • thanks for responding! If the hardware clock is always accurate even when machine is turned off, then why did the Mac believe its hostname was set on February 06? Am I incorrect in assuming the Hostname got set today when I turned it on for the first time in 25 days? Was the hostname really from back then and just carried over to the time I turned it on? – Sidharth Ghoshal Feb 27 '24 at 21:30
  • 3
    And so based on this question https://apple.stackexchange.com/questions/55416/my-mac-minis-computer-name-keeps-changing-when-it-resumes-from-sleep?rq=1 : the conclusion i come to is, 1. Mac connects to Wifi network that has some kind of cacheing enabled. Mac gets assigned a network address. The router/wifi says "oh that network address is HaeLims-Air, so assign that hostname as usual". Mac says "okay I have a hostname being suggested, this overrides my default settings as usual". Then I open up my terminal, see the changed hostname and freak out unnecessarily. – Sidharth Ghoshal Feb 27 '24 at 21:36
  • The hostname can be set via DHCP. There could be a static record tying your MAC (media access control) address to the incorrect hostname. I would start investigating your router first – Allan Feb 27 '24 at 22:40
  • Do any of your networks have a Windows DHCP server? When you change networks, can you check your hostname? – Allan Mar 11 '24 at 05:44
  • Also (I forgot to ask in my last comment), when you connect to a different network, can you capture the output of these two commands and post them to your question? They are ipconfig getoption en0 12 and ipconfig getpacket en0. Note: your WiFi interface may be en1 so try that interface if the second command comes back with nothing. – Allan Mar 11 '24 at 06:02
  • Hi @Allan ! unfortunately i left the coffee shop but I will try again next time I am there – Sidharth Ghoshal Mar 11 '24 at 17:40
  • No problem. One more thing, can you get the ip address from both the coffee shop and from your home? I’d like to compare the addressing scheme between the two. – Allan Mar 11 '24 at 17:48

1 Answers1

0

I have the same (or similar) problem. I noticed that my terminal prompt changed from:

Andrijas-MacBook-Pro.local

to

Galaxy-S8.localdomain

I checked the hostname and indeed it changed:

andrijagramatikovski@Galaxy-S8 ~ % hostname
Galaxy-S8.localdomain
andrijagramatikovski@Galaxy-S8 ~ %

Here is my hostname history:

andrijagramatikovski@Galaxy-S8 ~ % log show --style syslog --info --last 30d | grep 'setting hostname'               
2024-03-09 21:28:46.928507+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-09 21:28:52.214116+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-09 22:29:55.021889+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-09 22:30:00.588298+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-09 23:31:03.402560+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-09 23:31:09.710872+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 00:32:11.803162+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 00:32:17.842454+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 02:26:30.950346+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 02:26:36.196669+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 04:28:00.454885+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 04:28:05.692456+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 06:29:06.811316+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 06:29:12.473094+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 07:30:15.146988+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 07:30:20.180073+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 08:31:24.023507+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 08:31:28.671116+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 09:00:08.465134+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 09:00:14.085429+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 09:32:30.915658+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 09:32:37.063786+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 10:33:39.275093+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 10:33:44.557636+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 10:39:38.795341+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 10:39:44.636394+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 11:34:47.773257+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 11:34:53.760352+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 12:35:54.511411+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 12:36:00.932406+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 13:37:04.156267+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 13:37:09.978881+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 14:38:13.047226+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 14:38:18.768295+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 15:39:21.054753+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 15:39:26.607155+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 16:40:28.077649+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 16:40:34.180690+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 17:41:35.856480+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 17:41:41.798925+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 18:42:44.439857+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 18:42:49.557009+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 18:52:47.453250+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 18:52:52.837561+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 19:43:52.247683+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 19:43:58.136044+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"
2024-03-10 20:34:08.267856+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Andrijas-MacBook-Pro.local"
2024-03-10 20:34:15.431142+0100  localhost configd[110]: [com.apple.SystemConfiguration:IPMonitor] setting hostname to "Galaxy-S8.localdomain"

I checked the system preferences and the sharing name of the mac is still 'Andrijas-MacBook-Pro.local' as it should be:

System preferences>Sharing>Local Hostname

Here are my findings:

  1. From the above log you can see that the first change happened at 2024-03-09 21:28:46. From 2024-03-07 until now 2024-03-10 my Mac has only been connected to my home network, so no network changes.
  2. I tried searching through the Mac logs but didn't find anything useful.
  3. I checked all the devices on my network (active and inactive) but no device named "Galaxy-S8". I have a UniFi network setup.
  4. I started checking the Network settings on the Mac and then I found that under the Wi-Fi network WINS settings the NetBIOS name was set to "Galaxy-S8". So it looks as though the NetBIOS name is being used as the hostname, i.e. 'something' keeps changing the hostname between the Local Hostname and the NetBIOS name. I don't know if that same 'something' also changed the NetBIOS name or if it was changed from before and now it only switches between the hostname between the Local Hostname and the NetBIOS name.

Mac Wi-Fi WINS settings

Until this point I haven't been able to figure out what is the cause of the issue, but I felt that you might find this useful if you're still researching. I will post an update if I figure it out.

Andrija Gramatikovski
  • 1
  • 1
    See my comments under the question about the ipconfig command. Please post the output to those commands. – Allan Mar 11 '24 at 06:06
  • @Allan When connected to a different network the host name is the correct one. I executed the suggested commands and ipconfig getoption en0 12 and ipconfig getoption en1 12 don't return any results. ipconfig getpacket en0 returend the following: – Andrija Gramatikovski Mar 11 '24 at 19:12
  • andrijagramatikovski@Andrijas-MacBook-Pro ~ % ipconfig getpacket en0
    op = BOOTREPLY
    htype = 1
    flags = 0
    hlen = 6
    hops = 0
    xid = 0x2ef70562
    secs = 0
    ciaddr = 0.0.0.0
    yiaddr = 172.20.10.2
    siaddr = 172.20.10.1
    giaddr = 0.0.0.0
    chaddr = 3c:22:fb:9:c:8d
    sname = iPhone
    file =
    options:
    Options count is 7
    dhcp_message_type (uint8): ACK 0x5
    server_identifier (ip): 172.20.10.1
    lease_time (uint32): 0x15180
    subnet_mask (ip): 255.255.255.240
    router (ip_mult): {172.20.10.1}
    domain_name_server (ip_mult): {172.20.10.1}
    end (none):     – Andrija Gramatikovski Mar 11 '24 at 19:14
  • No Windows DHCP servers on the networks I connect to. On the network that changes my hostname a UniFi Security Gateway acts as a DHCP server. – Andrija Gramatikovski Mar 11 '24 at 19:16
  • That one is probably mis-configured, but before I answer, I want to avoid putting my foot in my mouth. Do you have control over that Ubiquiti router/gateway? – Allan Mar 11 '24 at 20:07
  • Yes, this is my home network and I have control over every aspect of it. – Andrija Gramatikovski Mar 12 '24 at 12:23
  • The network with the Ubiquiti firewall/gateway is yours? Do you know what the coffee shop uses? Which network is reassigning your hostname? Does anyone in your family or circle of friends have a Galaxy phone? – Allan Mar 12 '24 at 14:40
  • Yes, the network with Ubiquity is my home network and it's the only network that changes my hostname. On any other networks I connected these days the hostname goes back to what it should be. I checked all the clients that have ever been connected on my home network (the one that causes the issue) and there has never been a "Galaxy-S8" connected to the network. I absolutely have no idea where this specific name comes from. – Andrija Gramatikovski Mar 13 '24 at 00:01