Solved

Tracing a MAC address on the internet

Posted on 2011-09-07
5
227 Views
Last Modified: 2012-05-12
My client has been hit with a virus which is changing the MAC address on their machine, and the traffic is being redirected to a site in China.

Is there a way to track the location of the MAC address?
Question by: HalCHub

5 Comments
LVL 68

Accepted Solution

by:
woolmilkporc earned 250 total points
ID: 36498043
The MAC address is only known by the first (or, from your perspective, the last) router in the chain, so I can't see a real chance here.

wmp
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 36498139
By changing the MAC address of the local machine you cannot achieve redirection over the Internet. There is some other malicious software running, doing a browser redirect, or faking the DNS entries (e.g. by changing the HOSTS file in %WinDir%\system32\drivers\etc).
0
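One way to check for the HOSTS-file tampering Qlemo describes, as an added example that is not part of the original thread: parse the file and report every mapping a stock file would not contain, whether a name is pointed at a remote address (redirection) or pinned to loopback (blocking). The file contents below are constructed for the example; the function can be fed the text of `%WinDir%\system32\drivers\etc\hosts` on Windows or `/etc/hosts` elsewhere.

```python
import ipaddress

# Names that legitimately appear in a default HOSTS file on Windows, Linux and macOS.
DEFAULT_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def parse_hosts(text):
    """Yield (address, hostname) for every mapping in HOSTS-file text.
    Comments and blank lines are skipped; one line may list several names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def suspicious_hosts_entries(text, expected_names=DEFAULT_NAMES):
    """Return (address, name, reason) for each entry outside the stock set:
    a name mapped to a remote address is a redirect, a name mapped to
    loopback is a block (a common way to stop update or AV servers)."""
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if name in expected_names:
            continue
        reason = "name pinned to loopback" if ip.is_loopback else "name redirected to %s" % addr
        findings.append((addr, name, reason))
    return findings


# Constructed sample file: two stock lines plus entries that should not be there.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example.com  example.com
127.0.0.1       updates.security-vendor.example
"""

if __name__ == "__main__":
    for addr, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("%-16s %-35s %s" % (addr, name, reason))
```

Entries for the expected names are ignored regardless of address, so a clean file returns an empty list; anything else is reported with the reason so it can be compared against the redirect the user is actually seeing.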
 
LVL 9

Expert Comment

by:AriMc
ID: 36499120
It can also be a case of ARP-poisoning, where an infected computer tries to take over the LAN's default gateway by responding to other non-infected computers' ARP-requests with its own MAC-address and then redirecting the traffic to a malicious site. A detailed description and some defences can be found here:

http://en.wikipedia.org/wiki/ARP_spoofing

You could try finding the infected machine by running "arp -a" (works at least on Linux and Windows) on several computers in your LAN and searching for MAC addresses matching both your default gateway's IP address and that of any other computer. The other computer will be a probable suspect.
0
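The check AriMc describes, as an added example rather than code from the thread: parse the output of `arp -a` collected from several machines (both the Linux/BSD and the Windows formats), normalise the MACs, then report any MAC that a machine saw on the gateway IP and on another IP at the same time, and show which gateway MAC each machine currently believes in. The three outputs below are constructed sample data; pc2 is the one whose table has been poisoned.

```python
import re

# "gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0"  (Linux / BSD arp -a)
LINUX_RE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
# "  192.168.1.1           00-11-22-33-44-55     dynamic"          (Windows arp -a)
WINDOWS_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(?:dynamic|static)", re.I)

BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_arp_output(text):
    """Turn the text of `arp -a` (either format) into {ip: mac}.
    MACs are normalised to lower-case colon form so tables from different
    operating systems can be compared directly."""
    table = {}
    for line in text.splitlines():
        m = LINUX_RE.search(line) or WINDOWS_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def gateway_macs_seen(tables, gateway_ip):
    """{hostname: mac}: which MAC each machine currently has for the gateway.
    More than one distinct value across the LAN is itself a warning sign."""
    return {host: t[gateway_ip] for host, t in tables.items() if gateway_ip in t}


def find_gateway_impersonators(tables, gateway_ip):
    """For every MAC some machine saw on the gateway IP, list the other unicast
    IPs the same MAC was seen on in that machine's table. Result: {mac: [ips]}.
    Those other IPs are the probable suspects."""
    suspects = {}
    for table in tables.values():
        gw_mac = table.get(gateway_ip)
        if gw_mac is None or gw_mac == BROADCAST:
            continue
        others = [ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip]
        if others:
            suspects.setdefault(gw_mac, set()).update(others)
    return {mac: sorted(ips) for mac, ips in suspects.items()}


# Constructed sample output from three machines on one LAN. pc1 and pc3 still
# hold the gateway's real MAC; pc2's table maps the gateway IP to the MAC of
# 192.168.1.37.
SAMPLE_OUTPUT = {
    "pc1 (linux)": """\
gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.37) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.50) at 00:11:22:33:44:66 [ether] on eth0
""",
    "pc2 (windows)": """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
""",
    "pc3 (windows)": """\
Interface: 192.168.1.20 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
""",
}

SAMPLE_TABLES = {host: parse_arp_output(out) for host, out in SAMPLE_OUTPUT.items()}

if __name__ == "__main__":
    gw = "192.168.1.1"
    print("gateway MAC as seen by each host:", gateway_macs_seen(SAMPLE_TABLES, gw))
    print("MACs claiming the gateway and another IP:", find_gateway_impersonators(SAMPLE_TABLES, gw))
```

In practice the dictionary of outputs is filled by pasting what `arp -a` printed on each machine; the gateway IP is whatever `ipconfig` or `ip route` reports as the default gateway on that LAN.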
 

Expert Comment

by:Jujucocoabean
ID: 36502367
If you mean IP address and the traffic is being redirected using either an altered HOSTS file as Qlemo says or some local proxy malware running on the PC then you can use IP Whois (there are quite a number with a quick search) to look up who owns the IP address, but tracing it to a specific location is not accurate.

It does sound more like one or more of the computers is infected with a virus or malware, and cleaning that, though in my experience, can either be fairly easy (kill the right process and delete the right executable) or very tricky. Easy ones tend to be running from the browser cache directory.

You would need to use tools for finding malware like Hijack This and any of SpywareBot Search and Destroy, Ad-Aware or tools from Microsoft (presuming you are using Windows).
0
 
LVL 62

Expert Comment

by:btan
ID: 36515968
Arpwatch detects changes in MAC addresses on the network. It generates a log of observed pairings of IP addresses with MAC addresses, along with a timestamp of when the pairing appeared on the network. It also has the option of sending an email to an administrator when a pairing changes or is added.

@ http://www.planetmy.com/blog/use-arpwatch-to-capture-all-the-mac-address/

Unless it is doing ARP poisoning as AriMc mentioned, you cannot really detect it if it is not broadcasting its MAC. If there is a gateway or proxy before the traffic exits, identify the blacklisted source IPs of all infected machines (or even the router) calling the destination (China), especially if the behaviour is anomalous. Some forensics will be done on the source to find out the tools used to make those changes.

This useful article also talks about detecting ARP poisoning. The manual approach is messy, and it makes the assumption that the malware responds to ARP requests rather than just spamming the hosts on the subnet with gratuitous ARPs.

@ http://blogs.technet.com/b/neilcar/archive/2007/07/05/detecting-arp-spoofing-attacks.aspx

Another article records where the MAC changes are made in various OSes. Actually, the MAC can be restored or reset back to the true original hardware burned-in MAC address by removing the NetworkAddress registry key that has been added. If changes have been made, it more or less confirms the machine is infected.

@ http://www.mydigitallife.info/how-to-change-or-spoof-mac-address-in-windows-xp-vista-server-20032008-mac-os-x-unix-and-linux/
0
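The kind of pairing log btan describes, as an added example that is not arpwatch's own code: keep the current IP-to-MAC table and every MAC each IP has ever used, and record an event whenever a pairing is added or changes, using the same three categories arpwatch reports (new station, changed ethernet address, flip flop). The observation lines below are constructed, in a simple `timestamp ip mac` format assumed for the example; the gateway IP is the address a practitioner would watch most closely, because on a poisoned LAN it is the gateway's pairing that keeps flipping.

```python
from dataclasses import dataclass, field


@dataclass
class PairingTracker:
    """Tracks IP -> MAC pairings over time and records changes as events."""
    current: dict = field(default_factory=dict)   # ip -> MAC currently paired
    history: dict = field(default_factory=dict)   # ip -> set of MACs ever seen on it
    events: list = field(default_factory=list)    # (timestamp, kind, ip, new_mac, old_mac)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        seen = self.history.setdefault(ip, set())
        old = self.current.get(ip)
        if old is None:
            self.events.append((ts, "new station", ip, mac, None))
        elif old != mac:
            # Returning to a MAC this IP used before is arpwatch's "flip flop";
            # a MAC never seen on this IP is "changed ethernet address".
            kind = "flip flop" if mac in seen else "changed ethernet address"
            self.events.append((ts, kind, ip, mac, old))
        seen.add(mac)
        self.current[ip] = mac


def parse_observation(line):
    """Constructed log format: '<timestamp> <ip> <mac>' per line, '#' comments.
    Returns the tuple or None for lines that do not fit."""
    if line.startswith("#"):
        return None
    parts = line.split()
    return (parts[0], parts[1], parts[2]) if len(parts) == 3 else None


def replay(lines):
    """Feed a sequence of observation lines through a fresh tracker."""
    tracker = PairingTracker()
    for line in lines:
        obs = parse_observation(line)
        if obs:
            tracker.observe(*obs)
    return tracker


def gateway_alerts(tracker, gateway_ip):
    """Only the changes to the gateway's pairing; its first appearance is not an alert."""
    return [e for e in tracker.events if e[2] == gateway_ip and e[1] != "new station"]


# Constructed observations, as a monitoring host might poll them every few minutes.
# The gateway's pairing alternates between its real MAC and the MAC of .37.
SAMPLE_LOG = """\
# timestamp           ip            mac
2011-09-07T10:00:00  192.168.1.1   00:11:22:33:44:55
2011-09-07T10:00:00  192.168.1.37  aa:bb:cc:dd:ee:01
2011-09-07T10:05:00  192.168.1.1   00:11:22:33:44:55
2011-09-07T10:10:00  192.168.1.1   aa:bb:cc:dd:ee:01
2011-09-07T10:15:00  192.168.1.1   00:11:22:33:44:55
2011-09-07T10:20:00  192.168.1.1   aa:bb:cc:dd:ee:01
""".splitlines()

if __name__ == "__main__":
    tracker = replay(SAMPLE_LOG)
    for ts, kind, ip, new_mac, old_mac in gateway_alerts(tracker, "192.168.1.1"):
        print("%s %-24s %s %s (was %s)" % (ts, kind, ip, new_mac, old_mac))
```

A single "changed ethernet address" for the gateway can be a legitimate hardware swap; repeated flip flops between two MACs within minutes, with the second MAC also present on another host's IP, are the pattern a poisoned segment shows, and are where the email notification btan mentions is worth hooking in.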
