tracing a mac address on the internet

Posted on 2011-09-07
Last Modified: 2012-05-12
My client has been hit with a virus which is changing the MAC address on their machine, and the traffic is being redirected to a site in China.

Is there a way to track the location of the MAC address?
Question by: HalCHub
5 Comments
 

Accepted Solution

by: woolmilkporc (earned 250 total points)
ID: 36498043
The MAC address is only known by the first (or, from your perspective, the last) router in the chain, so I can't see a real chance here.

wmp

Expert Comment

by: Qlemo
ID: 36498139
By changing the MAC address of the local machine you cannot achieve redirection over the Internet. There is some other malicious software running, doing a browser redirect, or faking the DNS entries (e.g. by changing the HOSTS file in %WinDir%\system32\drivers\etc).

Expert Comment

by: AriMc
ID: 36499120
It can also be a case of ARP poisoning, where an infected computer tries to take over the LAN's default gateway by responding to other non-infected computers' ARP requests with its own MAC address and then redirecting the traffic to a malicious site. A detailed description and some defences can be found here:

http://en.wikipedia.org/wiki/ARP_spoofing

You could try finding the infected machine by running "arp -a" (works at least on Linux and Windows) on several computers in your LAN and searching for MAC addresses matching both your default gateway's IP address and that of any other computer. The other computer will be a probable suspect.



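As an added illustration of the check AriMc describes (not part of the original thread), this Python script parses the text of `arp -a` in both the Windows and the Linux layout and reports every host whose MAC matches the default gateway's. The two ARP tables are constructed samples, and the gateway address 192.168.1.1 is an assumption.

```python
import re
from collections import defaultdict

# An IPv4 address followed on the same line by a MAC in Windows (aa-bb-..) or
# Linux/BSD (aa:bb:..) notation; Linux may print 1-digit octets, hence {1,2}.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2})"
)

# Constructed sample (Windows 'arp -a' layout, not captured from a real LAN):
# the default gateway 192.168.1.1 and the host 192.168.1.23 share one MAC.
SAMPLE_WINDOWS = """
Interface: 192.168.1.50 --- 0xb
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          00-11-22-33-44-55     dynamic
  192.168.1.40          a4-5e-60-c1-02-9f     dynamic
"""

# The same constructed situation as Linux 'arp -a' prints it (note the 1-digit octet).
SAMPLE_LINUX = """
? (192.168.1.1) at 0:11:22:33:44:55 [ether] on eth0
? (192.168.1.23) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.40) at a4:5e:60:c1:02:9f [ether] on eth0
"""

def parse_arp_table(arp_output):
    """Return {ip: mac} with MACs normalised to lower-case, zero-padded, colon form."""
    table = {}
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # header, interface or blank lines carry no MAC
        octets = re.split(r"[:-]", m.group("mac"))
        table[m.group("ip")] = ":".join(o.lower().zfill(2) for o in octets)
    return table

def duplicate_macs(table):
    """Return {mac: [ips]} for every MAC that more than one IP resolves to."""
    owners = defaultdict(list)
    for ip, mac in table.items():
        owners[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}

def gateway_impostors(arp_output, gateway_ip):
    """IPs other than the gateway that answer with the gateway's MAC: the probable suspects."""
    table = parse_arp_table(arp_output)
    gw_mac = table.get(gateway_ip)
    return [ip for ip in duplicate_macs(table).get(gw_mac, []) if ip != gateway_ip]
```

Run it against the output of `arp -a` collected from several hosts on the LAN; a suspect that appears consistently across hosts is the machine to examine first.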

Expert Comment

by: Jujucocoabean
ID: 36502367
If you mean the IP address, and the traffic is being redirected using either an altered HOSTS file (as Qlemo says) or some local proxy malware running on the PC, then you can use an IP Whois service (there are quite a number with a quick search) to look up who owns the IP address, but tracing it to a specific location is not accurate.

It does sound more like one or more of the computers is infected with a virus or malware and needs cleaning, though in my experience that can either be fairly easy (kill the right process and delete the right executable) or very tricky. Easy ones tend to be running from the browser cache directory.

You would need to use tools for finding malware like HijackThis and any of Spybot Search and Destroy, Ad-Aware or tools from Microsoft (presuming you are using Windows).

Expert Comment

by: btan
ID: 36515968
Arpwatch detects changes in MAC addresses on the network. It generates a log of observed pairings of IP addresses with MAC addresses, along with a timestamp for when the pairing appeared on the network. It also has the option of sending an email to an administrator when a pairing changes or is added.

@ http://www.planetmy.com/blog/use-arpwatch-to-capture-all-the-mac-address/

Unless it is doing ARP poisoning as AriMc mentioned, you cannot really detect it if it is not broadcasting its MAC. If there is a gateway or proxy before the traffic exits, identify the blacklisted source IPs of all infected machines (or even the router) calling the destination (China), especially if the behaviour is anomalous. Some forensics will need to be done on the source to find out the tools used to make those changes.

This useful article also talks about detecting ARP poisoning. The manual approach is messy, and it makes the assumption that the malware responds to ARP requests rather than just spamming the hosts on the subnet with gratuitous ARPs.

@ http://blogs.technet.com/b/neilcar/archive/2007/07/05/detecting-arp-spoofing-attacks.aspx

Another article records where the MAC changes are made in various OSes. Actually, the MAC can be restored or reset back to the true original hardware burned-in MAC address by removing the NetworkAddress registry key that has been added. If such changes have been made, it more or less confirms the machine is infected.

@ http://www.mydigitallife.info/how-to-change-or-spoof-mac-address-in-windows-xp-vista-server-20032008-mac-os-x-unix-and-linux/
