Solved

There is a rogue mac address showing up on our network

Posted on 2011-10-05
Last Modified: 2013-11-29
There is a rogue "unknown" MAC address showing up on one of our wireless access points.
The MAC address is 94-44-52-13-08-62 and is associated to LAN IP address 10.10.12.5. This particular LAN IP address, when I use "NSlookup", ties to one of our hosts... but this particular host has a different IP address, namely 10.10.12.3. In DNS, 10.10.12.3 is aligned with "goofy123" (the correct host name). But when I use the "NSLOOKUP" inquiry tool, both 10.10.12.5 and 10.10.12.3 are associated to "goofy123". I'm using fictitious names to hide our identity. I also noticed that the MAC address 94-44-52-13-08-62 (which I tried to locate using "MAC Locator", unknown device) had a dynamic DHCP assigned to 10.10.12.5.
I have tried to scavenge old records out of DNS... I have also deleted the DHCP assignment from our Sonicwall. The MAC address associated to 10.10.12.5 is still showing up on our wireless access point.
Question: What specific tools can I use to determine if there is a threat to our system? I know there are a lot of them out there but I need good advice!!!
Thank you,
lamrski

Question by:Lamrski
11 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 36919932
The MAC address in DNS may be for a cabled NIC, rather than a wireless one.  Is it possible this host is connected to your network both physically and wirelessly?
0
 

Author Comment

by:Lamrski
ID: 36919990
The MAC address was not showing up in DNS... the MAC address is showing up on a wireless access point and also on our Sonicwall. In DNS, the correct IP address is aligned with the correct host name... but when I use "nslookup", the IP address that is on the wireless access point is aligning with the host machine.
Does this make sense?
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 36920048
Yes.  I meant that the MAC address for the connection on the AP would be for the WiFi NIC.  It would be completely understandable for that to be different from what you'd see for the cabled NIC.  

The NSLOOKUP behavior is weird though.  Is your AP also a DHCP server?  Does it do DNS too?  Does it forward straight to your default gateway?
0

 
LVL 15

Expert Comment

by:mcp_jon
ID: 36920500
On the other hand, if you try to ping the specified address using the -a, what host does it return? The good or the bad?

Weird enough is the DNS Lookup, like Paulomacd stated above.

I would check IF anyone has a virtual server or virtual box machine with the DHCP Role enabled.
This is usually caused by a Rogue DHCP.

Cheers.
0
 

Author Comment

by:Lamrski
ID: 36920618
Using the ping with -a gives me the host name for both the good IP address that should be assigned and for the bad. I typed in ping -a 10.10.12.3 and it showed goofy123, and the same for 10.10.12.5. Both have goofy123 assigned to them?

What type of virtual server are we talking about... the access point in question is out in our warehouse?? Could it be a Rogue DHCP on the perimeter of our building? And do you have an idea of how to get rid of them... I'm actually reading the documentation on the access point to see if I can clear it... There are no other MAC/IP addresses using this AP.
0
 
LVL 15

Expert Comment

by:mcp_jon
ID: 36920714
If the AP is assigning IP's, then you should be able to disable it.

The best way is to use Tracert and check the hops that the packet goes by.

Cheers.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 36920785
"Rogue DHCP server" is just a DHCP server someone set up without your knowledge/permission.  That's why I'd originally asked about the AP doing DHCP.  In a Windows environment, the DHCP server will do a pretty good job of telling you if another Windows DHCP server is running on the network.
0
 

Accepted Solution

by:
Lamrski earned 0 total points
ID: 36920889
I think I figured out what it's all about!!!!  We have an outside vendor using the goofy123 machine to access a Xerox machine in the building... I think by using "ad hoc".

Thank you for all of your help!!
lamrski
0
 
LVL 11

Expert Comment

by:crouthamela
ID: 36920965
FYI that MAC is from Belkin.
0
 

Author Comment

by:Lamrski
ID: 36921015
Which MAC locator do you use to find the hardware source?  Thanks for the info, very much
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37169429
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
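
The nslookup symptom discussed in this thread (10.10.12.5 reverse-resolving to a host whose own record points at 10.10.12.3) can be checked for every lease at once. The following is an added example, not code from any poster; it runs on constructed sample records, and `audit`, `normalize_mac` and `locally_administered` are illustrative names.

```python
import ipaddress

# Constructed sample data mirroring the thread ("goofy123" is the poster's
# fictitious host name). Real input would be a DNS zone export plus the
# DHCP lease table or the access point's client list.
A_RECORDS = {"goofy123": {"10.10.12.3"}}
PTR_RECORDS = {"10.10.12.3": "goofy123", "10.10.12.5": "goofy123"}
LEASES = [
    ("10.10.12.3", "00:11:22:33:44:55"),  # constructed MAC for the known NIC
    ("10.10.12.5", "94-44-52-13-08-62"),  # MAC reported in the question
]

def normalize_mac(mac):
    """Accept 94-44-52-.., 94:44:52:.. or 9444.5213.0862; return AA-BB-.. form."""
    digits = "".join(c for c in mac if c not in "-:. ").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def locally_administered(mac):
    """True if the U/L bit is set: the address was chosen in software
    (randomized or VM-assigned), so its first three octets name no vendor."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit(leases, ptr_records, a_records):
    """Forward-confirm every lease's reverse DNS name and summarize its MAC."""
    findings = []
    for ip, mac in leases:
        ip = str(ipaddress.ip_address(ip))
        name = ptr_records.get(ip)
        if name is None:
            status = "no-ptr"
        elif ip in a_records.get(name.lower(), set()):
            status = "forward-confirmed"
        else:
            status = "ptr-mismatch"  # PTR names a host whose A record is elsewhere
        mac = normalize_mac(mac)
        findings.append({
            "ip": ip, "ptr": name, "status": status, "mac": mac,
            "oui": mac[:8],  # prefix to look up in the IEEE OUI registry
            "locally_administered": locally_administered(mac),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(LEASES, PTR_RECORDS, A_RECORDS):
        print(finding)
```

A `ptr-mismatch` row marks a reverse record that disagrees with the forward zone, which fits both a stale dynamic registration and a second interface on the same host. The `oui` value is only meaningful for a vendor lookup when `locally_administered` is false.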
