Question

Can't Identify devices attached to route

By 2BlueUK
Hi,

We have a small network in our office (something like 15 clients, my server (for FTP), an IIS server and 2 network printers), so not big at all; it should be dead easy to identify anything on it and know where they are.
Past couple of days we had a few security issues, so I've been reviewing logs from the router (BT Business 2Wire).
Since a few days ago I have come across 3 devices that I have no idea what or where they are, but they are (according to the router) there and have even been assigned public IPs, the very same ones that are assigned to servers (due to security reasons I keep servers' IPs local since I only need them to communicate with PCs on the same network) and give them secondary public IPs I use for remote connection from my house. Anyhoo, I came across these three devices:
Name: DETECTIVE
IP: 0.0.0.0
They all have their individual MAC addresses, which do not match anything I have in the office and do not come up on ARP; you can see they have been assigned public IPs when you go into NAT and Address Allocation.

Any feedback is appreciated,
Cheers fellas and hi.


All Answers

Got wireless LAN?

by robo_dev In reply to Cant Identify devices att ...

The MAC address is assigned by the manufacturer, so you can tell what company made the device by the first six digits of the MAC address... that's called the OUI:

http://standards.ieee.org/regauth/oui/oui.txt

Can you ping these mystery devices?

Something with an IP of 0.0.0.0 is not a valid device.

Ancient MAC addresses

by 2BlueUK In reply to Got wireless LAN?

Thanks for the link, but these ones don't seem to exist. There are three of these and all started around the same time I was off sick and had to remotely connect to my servers from home; I wonder if that has something to do with it. MACs are:

e9:eb:b3:a6:db:3c
4d:c8:43:bb:8b:a6
45:3b:13:0d:89:0a

IPs are 0.0.0.0 on the LAN statistics page, but when you view individual addresses they come up with random DHCP pool addresses... but here is the catch: although the router says they are DHCP assigned, they are identical to the addresses I assigned for my servers. They're like cloned and showing up as individual devices with the weirdest MAC address.
No, you can't ping them; they appear to be inactive....
Got to get myself a better router than that BT crap.

Same thing

by Wizard-09 In reply to Cant Identify devices att ...

Happened to my network today; we also run on BT. We do have a wireless network but it's MAC filtered. Would you like to share the MAC addresses with me? I have one MAC address, see the log below.

The system detected an address conflict for IP address 192.168.**.*** with the system having network hardware address 00:0C:F6:48:CC:73. Network operations on this system may be disrupted as a result.

This happened to a lot of PCs on my network, then it seemed to hit the phones also.

What is this, MAC attack????

by 2BlueUK In reply to Same thing

Sure, the MAC addresses are:

e9:eb:b3:a6:db:3c
4d:c8:43:bb:8b:a6
45:3b:13:0d:89:0a

I suspected it might have something to do with wireless, so I disabled the wireless signal from broadcasting, since we only have cable connections, but they are still there.

Have you done any remote connection to a few of your computers lately using Windows RDP?

Well....

by Wizard-09 In reply to What is this, mac attack? ...

Not the same MACs I had in my event log, but I did find out who it was. We have someone over from India; he was working on setting up wireless and thought he would test it on our network. I went nuts.

The reason you can't seem to find any information on the MAC addresses is because they may have been spoofed MACs.

If I were you I would use MAC filtering on your wireless network.

That's the thing..

by 2BlueUK In reply to Well....

I don't have a wireless network....
Don't know if you can do MAC filtering on a wired network either.

Will look in to it.

Do you run any virtual machines?

by seanferd In reply to Thats the thing..

They have virtual MACs for their virtual adapters.

Only Windows remote desktop

by 2BlueUK In reply to Do you run any virtual ma ...

I was thinking the same thing, but should they not come up under the same device just as secondary MAC addresses instead of independent devices... suppose it depends on the router you are using too.
But they don't come up on ARP, not even at the same time when I'm running a virtual machine?
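
Added example (not part of the thread and not any poster's code): the OUI check suggested in the first answer, extended to decode the two flag bits in the first octet of each MAC address quoted above, which decide whether an OUI lookup applies at all. `SAMPLE_REGISTRY` is a constructed line in the oui.txt "(hex)" layout with a placeholder vendor name, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the IEEE oui.txt "(hex)" lines.
# The vendor name is a placeholder, not the real registry entry.
SAMPLE_REGISTRY = """\
00-0C-F6   (hex)\t\tPLACEHOLDER VENDOR (constructed)
"""

# MAC addresses quoted in the thread above.
THREAD_MACS = [
    "e9:eb:b3:a6:db:3c",
    "4d:c8:43:bb:8b:a6",
    "45:3b:13:0d:89:0a",
    "00:0C:F6:48:CC:73",
]

HEX_LINE = re.compile(
    r"\s*([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.+)")


def load_registry(text):
    """Map 'AABBCC' -> vendor name from oui.txt-style '(hex)' lines."""
    registry = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            registry["".join(m.group(1, 2, 3)).upper()] = m.group(4).strip()
    return registry


def classify(mac, registry):
    """Decode the first-octet flag bits and look up the OUI where valid."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(
            re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = int(octets[0], 16)
    group = bool(first & 0x01)  # I/G bit: 1 = group (multicast/broadcast)
    local = bool(first & 0x02)  # U/L bit: 1 = locally administered
    oui = "".join(octets[:3]).upper()
    # A vendor lookup only applies to unicast, globally administered addresses.
    vendor = None if (group or local) else registry.get(oui)
    return {"mac": mac, "oui": oui, "group": group, "local": local,
            "valid_station_address": not group, "vendor": vendor}


def report(macs=THREAD_MACS, registry_text=SAMPLE_REGISTRY):
    """Classify every address against the parsed registry."""
    registry = load_registry(registry_text)
    return [classify(m, registry) for m in macs]
```

For the thread's values, the three addresses from the router page all have the group bit set (first octets e9, 4d and 45 are odd), so they are not individual station addresses and no OUI lookup applies to them. Only 00:0C:F6:48:CC:73 from the address-conflict log is a unicast, globally administered address.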
