Solved

MAC Spoofing Question

Posted on 2008-10-13
4,296 Views
Last Modified: 2013-11-16
nbtstat - a 10.0.1.82

Local Area Connection:
Node IpAddress: [10.0.1.76] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MARIA-PC       <00>  UNIQUE      Registered
    MARIA-PC       <20>  UNIQUE      Registered
    ARC            <00>  GROUP       Registered
    ARC            <1E>  GROUP       Registered

    MAC Address = 00-1D-09-87-2B-71


Right away the address in request changes to 76. Why is that?


Symantec Endpoint Protection gives this:



Event Description: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window.
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100
Occurrence: 1
Alert: 1
Begin Time: 10/12/2008 22:42:58
End Time: 10/12/2008 22:42:58
Domain Name: Default
Site Name: Site server2
Server Name: server2
Group Name: My Company\team ARC
Computer Name  
Current: maria-pc
When event occurred: maria-pc
 
IP Address  
Current: 10.0.1.82

 
Operating system name: Windows XP Professional
Location Name: Default
User Name: maria
Severity: Minor
Local MAC: 001D09872B71
Remote MAC: 001D092868F4
Hardware Key: F99127C11A4FC6F9A870D8029F5CD7E7
Network Protocol: Other
Traffic Direction: Inbound
Send SNMP trap: 1
Remote Host Name:  
Hack Type: 0
Application Name:


About 20 of those messages came up before the PC got disconnected from the network by the firewall.


There is a thread on symantec forums here:
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=17717&query.id=324180#M17717

But what I really need is a way to get to the bottom of this and see what's causing it on my network.

Being new to dealing with MAC addresses, I tried things like looking both of them up in the vendor DB, which came up as Dell for both addresses.

I only have 1 network adapter on that PC.

Points are 250.

Question by: Anti-Mhz

6 Comments
LVL 27

Expert Comment

by:Rainer Meller
ID: 22704137
Could you post an

arp -a

result here too, please.

And what is your setup? Are you on a bigger network, or connected to the Internet by cable / DSL / modem?
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 22705038
Interface: 10.0.1.82 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.1              00-0c-86-3d-4a-b0     dynamic
  10.0.1.100            00-1d-09-28-68-f4     dynamic
  10.0.1.129            00-0f-1f-f8-78-ec     dynamic
  10.0.1.150            00-0d-56-6f-b7-b3     dynamic


.1 - gateway
.100, .129, .150 - 3 servers

All of these connections should be allowed.

I'm on a network with 3 servers, all running Windows 2003 flavors (2 Standard and 1 SBS), with 15 workstations.

0
 
LVL 27

Expert Comment

by:Rainer Meller
ID: 22705346
OK so basically symantec found a computer using IP 10.0.1.76 and you wonder how did it get into your network, right?

Is there anything WLAN-related around?

How big is the network (in physical terms)? Is it permanently installed with wall plugs, or are all computers connected to a single switch?

0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 22705758
Actually, I misled you. 76 is the PC I'm running nbtstat -a from. My mistake. What doesn't change is that there is a workstation on the network under class D IP of 82 which has SEP screaming that there is MAC spoofing going on. You can see the log in my first post.

This is a small network with 1 switch, 3 servers (1 DC), about 15 workstations.

0
 
LVL 27

Accepted Solution

by:
Rainer Meller earned 250 total points
ID: 22705828
OK, it could be the case that there is a server with 2 network cards for load balancing with one IP.

Thus having 2 network cards with different MACs and one "shared" IP could result in Symantec shouting crime and murder.

Tolomir

0
 
LVL 27

Expert Comment

by:Rainer Meller
ID: 22705844
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100

---

.100, .129, .150 - 3 servers

Please check if server .100 is connected with 2 network cards to the switch.
0
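The diagnosis in this thread rests on two lookups: tying the Remote MAC from the SEP event back to the arp -a table, and checking whether one IP (.100) is being answered by more than one MAC. The script below is an added example, not code from the thread or from Symantec. It runs those checks over the arp -a output posted above and a constructed set of ARP replies; the second MAC for 10.0.1.100 (00-1d-09-aa-bb-cc) is hypothetical and stands in for the second NIC Rainer asks about. The replay logic mirrors what SEP's rule keys on: a reply for an IP the workstation never requested is "unsolicited", and an IP answered by two MACs is either a teamed/dual-NIC host or a real spoofer, which the rule alone cannot tell apart.

```python
import re
from collections import defaultdict

# Constructed sample input: the 'arp -a' table posted in this thread.
ARP_TABLE = """\
Interface: 10.0.1.82 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.1              00-0c-86-3d-4a-b0     dynamic
  10.0.1.100            00-1d-09-28-68-f4     dynamic
  10.0.1.129            00-0f-1f-f8-78-ec     dynamic
  10.0.1.150            00-0d-56-6f-b7-b3     dynamic
"""

# Constructed sample input: ARP replies addressed to the workstation, as a
# sniffer on 10.0.1.82 would record them: (sender IP, sender MAC, target IP).
# The second MAC for 10.0.1.100 (00-1d-09-aa-bb-cc) is a hypothetical second
# NIC on that server, included to show what a dual-NIC host looks like.
OBSERVED_REPLIES = [
    ("10.0.1.1",   "00-0c-86-3d-4a-b0", "10.0.1.82"),
    ("10.0.1.100", "00-1d-09-28-68-f4", "10.0.1.82"),
    ("10.0.1.100", "00-1d-09-aa-bb-cc", "10.0.1.82"),
    ("10.0.1.129", "00-0f-1f-f8-78-ec", "10.0.1.82"),
]


def normalize_mac(mac):
    """Accept SEP log style (001D092868F4) or arp -a style (00-1d-09-28-68-f4)
    and return the dashed lower-case form so the two sources can be compared."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def same_oui(mac_a, mac_b):
    """True if both MACs share the first three octets (the vendor OUI)."""
    return normalize_mac(mac_a)[:8] == normalize_mac(mac_b)[:8]


def parse_arp_table(text):
    """Return {ip: mac} from Windows 'arp -a' output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in ("dynamic", "static"):
            table[parts[0]] = normalize_mac(parts[1])
    return table


def ips_for_mac(arp_table, mac):
    """Which IPs the arp table attributes to this MAC (e.g. the SEP 'Remote MAC')."""
    wanted = normalize_mac(mac)
    return sorted(ip for ip, m in arp_table.items() if m == wanted)


def find_conflicts(arp_table, replies, requested_ips=frozenset()):
    """Replay ARP replies against the cached table.

    Returns (conflicts, unsolicited):
      conflicts   - {ip: [mac, ...]} for every IP answered by more than one MAC
                    (a teamed/dual-NIC server and a real spoofer both land here)
      unsolicited - (ip, mac) for replies about IPs the workstation never asked
                    for, the condition SEP's 'unsolicited ARP reply' rule fires on
    """
    seen = defaultdict(set)
    for ip, mac in arp_table.items():
        seen[ip].add(mac)
    unsolicited = []
    for sender_ip, sender_mac, _target in replies:
        mac = normalize_mac(sender_mac)
        if sender_ip not in requested_ips:
            unsolicited.append((sender_ip, mac))
        seen[sender_ip].add(mac)
    conflicts = {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}
    return conflicts, unsolicited


if __name__ == "__main__":
    table = parse_arp_table(ARP_TABLE)
    # Tie the SEP event's Remote MAC back to the arp table: it is server .100
    print("SEP Remote MAC 001D092868F4 belongs to", ips_for_mac(table, "001D092868F4"))
    print("Local and remote MAC share an OUI:", same_oui("001D09872B71", "001D092868F4"))
    conflicts, unsolicited = find_conflicts(table, OBSERVED_REPLIES,
                                            requested_ips={"10.0.1.1"})
    for ip, macs in conflicts.items():
        print("%s answered by %d MACs: %s" % (ip, len(macs), ", ".join(macs)))
    for ip, mac in unsolicited:
        print("unsolicited reply for %s from %s" % (ip, mac))
```

On a real network the replies list would come from a capture on the affected workstation filtered to ARP traffic, and the interesting question is whether the second MAC for .100 belongs to a NIC physically in that server (check its teaming configuration and the switch port it is cabled to) or to a different machine. The two MACs sharing one OUI is consistent with the Dell vendor lookup the question mentions and with two cards in the same server, but it does not by itself rule out another Dell box on the segment.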
