Solved

Tracing a MAC address on the Internet

Posted on 2011-09-07
Last Modified: 2012-05-12
My client has been hit with a virus which is changing the MAC address on their machine, and the traffic is being redirected to a site in China.

Is there a way to track the location of the MAC address?
Question by: HalCHub
5 Comments
LVL 68
Accepted Solution by: woolmilkporc (earned 250 total points)
The MAC address is only known by the first (or, from your perspective, the last) router in the chain, so I can't see a real chance here.

wmp
LVL 68
Expert Comment by: Qlemo
By changing the MAC address of the local machine you cannot achieve redirection over the Internet. There is some other malicious software running, doing a browser redirect or faking the DNS entries (e.g. by changing the HOSTS file in %WinDir%\system32\drivers\etc).
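As an added example (not part of Qlemo's comment and not from the original thread), here is a small Python check for the kind of HOSTS-file tampering described above. It parses the file's contents and flags every hostname other than the expected local names: a non-loopback target means the name is being redirected, a loopback target means it is being blocked (malware does this to AV and update sites). The sample file contents, the 203.0.113.45 address and the EXPECTED_LOCAL set are constructed for the example.

```python
import ipaddress
import os

# Constructed sample HOSTS file (not taken from the original page). The first
# two entries are the normal defaults; the rest are the kind of lines
# DNS-hijacking malware writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com
203.0.113.45    www.bing.com  search.yahoo.com
127.0.0.1       www.symantec.com   # update/AV site nulled
"""

# Names that legitimately map to loopback on a clean machine (assumption for
# this example; extend it for your environment).
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) from HOSTS-file text,
    dropping comments, blank lines and lines whose first field is not an IP."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, fields[1:]))
    return entries


def suspicious_entries(text, expected_local=EXPECTED_LOCAL):
    """Flag every non-local hostname in the file: a non-loopback target is a
    redirect of that name, a loopback target blocks it. Returns a list of
    (hostname, ip, verdict) tuples; an empty list means nothing unusual."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in expected_local:
                continue
            verdict = "blocked (points to loopback)" if ip.is_loopback else "redirected"
            findings.append((name, str(ip), verdict))
    return findings


if __name__ == "__main__":
    # Path of the live file on Windows; assumes %WinDir% defaults to C:\Windows.
    hosts_path = os.path.join(os.environ.get("WINDIR", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    try:
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS   # fall back to the constructed sample
    for name, ip, verdict in suspicious_entries(text):
        print(f"{verdict:30} {name:25} -> {ip}")
```

Run on the suspect machine it reads the live HOSTS file; anywhere else it falls back to the constructed sample. A clean Windows HOSTS file produces no findings at all, so any output is worth looking at.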
LVL 9
Expert Comment by: AriMc
It can also be a case of ARP poisoning, where an infected computer tries to take over the LAN's default gateway by responding to other non-infected computers' ARP requests with its own MAC address and then redirecting the traffic to a malicious site. A detailed description and some defences can be found here:

http://en.wikipedia.org/wiki/ARP_spoofing

You could try finding the infected machine by running "arp -a" (works at least on Linux and Windows) on several computers in your LAN and searching for MAC addresses matching both your default gateway's IP address and that of any other computer. The other computer will be a probable suspect.

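As an added example (not part of AriMc's comment), here is a Python script that does the cross-check described above automatically: it parses `arp -a` output collected from several machines (Windows and Linux/BSD layouts), merges the IP-to-MAC pairings, and reports every MAC the gateway IP has been seen with plus any other IP that shares one of those MACs. The two captures, the 192.168.1.0/24 addresses and the MACs are constructed sample data; the gateway IP is a parameter.

```python
import re
from collections import defaultdict

# Constructed `arp -a` captures from two machines on the same LAN (not from
# the original page). 192.168.1.1 is the gateway. On the Windows host the
# gateway's entry already carries the MAC that belongs to 192.168.1.23.
WINDOWS_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

LINUX_ARP = """\
? (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.23) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.50) at aa:bb:cc:dd:ee:50 [ether] on eth0
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output in Windows or Linux/BSD layout.
    MACs are normalised to lower-case colon form; broadcast and multicast
    entries (group bit set in the first octet) are dropped."""
    table = {}
    for line in text.splitlines():
        ip_m, mac_m = IP_RE.search(line), MAC_RE.search(line)
        if not (ip_m and mac_m):
            continue                      # header and interface lines
        mac = mac_m.group(1).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue
        table[ip_m.group(1)] = mac
    return table


def audit_arp_tables(outputs, gateway_ip):
    """Merge several machines' tables and answer two questions: which MACs
    has the gateway IP been seen with (more than one means someone is
    answering for it), and which other IPs own one of those MACs (the
    probable poisoner)."""
    ips_by_mac = defaultdict(set)
    for text in outputs:
        for ip, mac in parse_arp_table(text).items():
            ips_by_mac[mac].add(ip)
    gateway_macs = sorted(mac for mac, ips in ips_by_mac.items() if gateway_ip in ips)
    suspects = sorted({ip for mac in gateway_macs
                          for ip in ips_by_mac[mac] if ip != gateway_ip})
    return gateway_macs, suspects


if __name__ == "__main__":
    macs, suspects = audit_arp_tables([WINDOWS_ARP, LINUX_ARP], "192.168.1.1")
    print("MACs seen for the gateway:", macs)
    print("other hosts using one of those MACs:", suspects)
```

Collecting tables from more than one machine matters: a poisoned victim only shows the gateway IP with the wrong MAC, while a machine the attacker has not poisoned (or the attacker itself) shows which IP really owns that MAC. With the sample data the gateway is seen with two MACs and 192.168.1.23 is the suspect.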

Expert Comment by: Jujucocoabean
If you mean the IP address, and the traffic is being redirected using either an altered HOSTS file as Qlemo says or some local proxy malware running on the PC, then you can use an IP Whois service (there are quite a number; a quick search will find them) to look up who owns the IP address, but tracing it to a specific location is not accurate.

It does sound more like one or more of the computers is infected with a virus or malware and needs cleaning, though in my experience that can either be fairly easy (kill the right process and delete the right executable) or very tricky. Easy ones tend to be running from the browser cache directory.

You would need to use tools for finding malware like HijackThis and any of Spybot Search & Destroy, Ad-Aware or tools from Microsoft (presuming you are using Windows).
LVL 61
Expert Comment by: btan
Arpwatch detects changes in MAC addresses on the network. It generates a log of observed pairings of IP addresses with MAC addresses, along with a timestamp for when the pairing appeared on the network. It also has the option of sending an e-mail to an administrator when a pairing changes or is added.

@ http://www.planetmy.com/blog/use-arpwatch-to-capture-all-the-mac-address/

Unless it is doing ARP poisoning as AriMc mentioned, you cannot really detect it if it is not broadcasting its MAC. If there is a gateway or proxy before the traffic exits, identify the blacklisted source IPs of all infected machines (or even the router) calling the destination (China), especially if the behaviour is anomalous. Some forensics will have to be done on the source to find out the tools used to make those changes.

This useful article also talks about detecting ARP poisoning. The manual approach is messy, and it makes the assumption that the malware responds to ARP requests rather than just spamming the hosts on the subnet with gratuitous ARPs.

@ http://blogs.technet.com/b/neilcar/archive/2007/07/05/detecting-arp-spoofing-attacks.aspx

Another article records where the MAC address is changed in various OSes. Actually the MAC can be restored or reset back to the true original hardware burned-in MAC address by removing the NetworkAddress registry key that has been added. If such a change has been made, it more or less confirms the machine is infected.

@ http://www.mydigitallife.info/how-to-change-or-spoof-mac-address-in-windows-xp-vista-server-20032008-mac-os-x-unix-and-linux/
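As an added example (not arpwatch's own code and not part of btan's comment), the following Python models what arpwatch does with the pairings it observes: it keeps the MAC currently believed for each IP and the one it replaced, and classifies each observation as "new station", "changed ethernet address" or "flip flop", the last being arpwatch's term for an IP that flips back to the MAC it had before, which is the signature of a poisoner and the real gateway answering in turn. The timestamps, IPs and MACs in SAMPLE_OBSERVATIONS are constructed; a real deployment would feed the watcher from a packet capture.

```python
from collections import namedtuple

Observation = namedtuple("Observation", "ts ip mac")

# Constructed ARP replies in the order a sniffer on the LAN would see them
# (not from the original page). 192.168.1.1 is the gateway; from 08:05 on,
# 192.168.1.23 starts answering for it while the real gateway keeps replying.
SAMPLE_OBSERVATIONS = [
    Observation("2011-09-07 08:00:01", "192.168.1.1",  "aa:bb:cc:dd:ee:01"),
    Observation("2011-09-07 08:00:02", "192.168.1.23", "00:11:22:33:44:55"),
    Observation("2011-09-07 08:05:10", "192.168.1.1",  "00:11:22:33:44:55"),
    Observation("2011-09-07 08:05:40", "192.168.1.1",  "aa:bb:cc:dd:ee:01"),
    Observation("2011-09-07 08:06:10", "192.168.1.1",  "00:11:22:33:44:55"),
]


class PairingWatcher:
    """Keeps the IP -> MAC pairing currently believed for each IP and the one
    it replaced, and classifies each observation the way arpwatch reports it."""

    def __init__(self):
        self.current = {}    # ip -> mac last seen
        self.previous = {}   # ip -> mac the current one replaced
        self.events = []     # (ts, kind, ip, old_mac, new_mac)

    def observe(self, obs):
        old = self.current.get(obs.ip)
        if old == obs.mac:
            return None                      # steady state, nothing to log
        if old is None:
            kind = "new station"
        elif self.previous.get(obs.ip) == obs.mac:
            kind = "flip flop"               # back to the MAC it had before
        else:
            kind = "changed ethernet address"
        if old is not None:
            self.previous[obs.ip] = old
        self.current[obs.ip] = obs.mac
        event = (obs.ts, kind, obs.ip, old, obs.mac)
        self.events.append(event)
        return event

    def shared_macs(self):
        """MACs currently claimed by more than one IP: {mac: [ips]}."""
        owners = {}
        for ip, mac in self.current.items():
            owners.setdefault(mac, []).append(ip)
        return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def run_watch(observations):
    """Feed observations through a watcher and return it for inspection."""
    watcher = PairingWatcher()
    for obs in observations:
        watcher.observe(obs)
    return watcher


if __name__ == "__main__":
    w = run_watch(SAMPLE_OBSERVATIONS)
    for ts, kind, ip, old, new in w.events:
        print(f"{ts}  {kind:26} {ip:15} {old or '-':17} -> {new}")
    print("MACs owned by several IPs:", w.shared_macs())
```

A single "changed ethernet address" for the gateway can be a legitimate router swap; repeated flip flops between the same two MACs within minutes are what to alert on, and shared_macs() then names the other IP that already owns the intruding MAC.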