Tracing a MAC address on the internet

My client has been hit with a virus which is changing the MAC address on their machine, and the traffic is being redirected to a site in China.

Is there a way to track the location of the MAC address?
1 Solution
The MAC address is only known by the first (or, from your perspective, the last) router in the chain, so I can't see a real chance here.

Qlemo (Batchelor and Developer) commented:
By changing the MAC address of the local machine you cannot achieve redirection over the Internet. There is some other malicious software running, doing a browser redirect or faking the DNS entries (e.g. by changing the HOSTS file in %WinDiR%\system32\drivers\etc).
It can also be a case of ARP poisoning, where an infected computer tries to take over the LAN's default gateway by responding to other non-infected computers' ARP requests with its own MAC address and then redirecting the traffic to a malicious site. A detailed description and some defences can be found here:


You could try finding the infected machine by running "arp -a" (works at least on Linux and Windows) on several computers in your LAN and searching for MAC addresses matching both your default gateway's IP address and that of any other computer. The other computer will be a probable suspect.

If you mean IP address and the traffic is being redirected using either an altered HOSTS file as Qlemo says or some local proxy malware running on the PC then you can use IP Whois (there are quite a number with a quick search) to look up who owns the IP address, but tracing it to a specific location is not accurate.

It does sound more like one or more of the computers is infected with a virus or malware and needs cleaning, though in my experience that can either be fairly easy (kill the right process and delete the right executable) or can be very tricky. Easy ones tend to be running from the browser cache directory.

You would need to use tools for finding malware like Hijack This and any of SpywareBot Search and Destroy, Ad-Aware or tools from Microsoft (presuming you are using Windows).
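The "arp -a" comparison described above can be scripted. This is an added example, not code from the thread: it parses Windows and Linux "arp -a" output collected from several hosts (the sample tables below are constructed) and flags any MAC address that answers for the default gateway's IP as well as for another host's IP, which is the ARP-poisoning pattern described in the answers.

```python
import re
from collections import defaultdict

# Matches the IP/MAC pair in both Windows ("192.168.1.1  00-11-22-33-44-55  dynamic")
# and Linux ("? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0") "arp -a" lines.
ARP_LINE = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)

def parse_arp(text):
    """Return (ip, mac) pairs; MACs normalised to lower-case colon form."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:  # header lines and "Interface: ... --- 0xb" lines carry no MAC and are skipped
            pairs.append((m.group("ip"), m.group("mac").lower().replace("-", ":")))
    return pairs

def find_suspects(tables, gateway_ip):
    """tables: "arp -a" output gathered from several LAN hosts.
    Returns {mac: [ips]} for every MAC that claims the gateway IP and at least
    one other IP; the other IP points at the probable poisoning host."""
    ips_by_mac = defaultdict(set)
    for text in tables:
        for ip, mac in parse_arp(text):
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if gateway_ip in ips and len(ips) > 1}

# Constructed sample tables: host A (Windows) holds a poisoned gateway entry,
# host B (Linux) still has the real gateway MAC. All addresses are made up.
HOST_A = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-02     dynamic
  192.168.1.20          aa-bb-cc-00-00-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
HOST_B = """? (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0
? (192.168.1.10) at aa:bb:cc:00:00:03 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:00:00:02 [ether] on eth0
"""

if __name__ == "__main__":
    for mac, ips in find_suspects([HOST_A, HOST_B], "192.168.1.1").items():
        print(f"suspect {mac} answers for {ips}")  # flags 192.168.1.20 here
```

Collecting the tables from more hosts raises the chance of catching the poisoned entry, since a host that has not yet been poisoned still shows the real gateway MAC.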
btan (Exec Consultant) commented:
Arpwatch detects changes in MAC addresses on the network. It generates a log of observed pairings of IP addresses with MAC addresses, along with a timestamp of when the pairing appeared on the network. It also has the option of sending an email to an administrator when a pairing changes or is added.

@ http://www.planetmy.com/blog/use-arpwatch-to-capture-all-the-mac-address/

Unless it is doing ARP poisoning as AriMc mentioned, you cannot really detect it if it is not broadcasting its MAC. If there is a gateway or proxy before the traffic exits, identify the blacklisted source IPs of all infected machines (or even routers) calling the destination (China), especially if the behaviour is anomalous. Some forensics will need to be done on the source to find out the tools used to make those changes.

This useful article also talks about detecting ARP poisoning. The manual approach is messy and it makes the assumption that the malware responds to ARP requests rather than just spamming the hosts on the subnet with gratuitous ARPs.

@ http://blogs.technet.com/b/neilcar/archive/2007/07/05/detecting-arp-spoofing-attacks.aspx

Another article records where the MAC changes are stored in various OSes. Actually, the MAC can be restored or reset back to the true original hardware burned-in MAC address by removing the NetworkAddress registry key that has been added. If such a change has been made, it more or less confirms the machine is infected.

@ http://www.mydigitallife.info/how-to-change-or-spoof-mac-address-in-windows-xp-vista-server-20032008-mac-os-x-unix-and-linux/