There is a rogue mac address showing up on our network

There is a rogue "unknown" MAC address showing up on one of our wireless access points.
The MAC address is 94-44-52-13-08-62 and is associated to LAN IP address 10.10.12.5. This particular LAN IP address, when I use "NSlookup", ties to one of our hosts... but this particular host has a different IP address, namely 10.10.12.3. In DNS, 10.10.12.3 is aligned with "goofy123" (the correct host name). But when I use the "NSLOOKUP" inquiry tool, both 10.10.12.5 and 10.10.12.3 are associated to "goofy123". I'm using fictitious names to hide our identity. I also noticed that the MAC address 94-44-52-13-08-62 (which I tried to locate using "MAC Locator", unknown device) had a dynamic DHCP assigned to 10.10.12.5.
I have tried to scavenge old records out of DNS... I have also deleted the DHCP assignment from our SonicWall. The MAC address associated to 10.10.12.5 is still showing up on our wireless access point.
Question: What specific tools can I use to determine if there is a threat to our system? I know there are a lot of them out there but I need good advice!!!
Thank you,
lamrski

LamrskiAsked:
 
Lamrski (Author) Commented:
I think I figured out what it's all about!!!! We have an outside vendor using the goofy123 machine to access a Xerox machine in the building... I think by using "ad hoc".

Thank you for all of your help!!
lamrski
0
 
Paul MacDonald (Director, Information Systems) Commented:
The MAC address in DNS may be for a cabled NIC, rather than a wireless one.  Is it possible this host is connected to your network both physically and wirelessly?
0
 
Lamrski (Author) Commented:
The MAC address was not showing up in DNS... the MAC address is showing up on a wireless access point and also on our SonicWall. In DNS, the correct IP address is aligned with the correct host name... but when I use "nslookup" the IP address that is on the wireless access point is aligning with the host machine.
Does this make sense?
0
 
Paul MacDonald (Director, Information Systems) Commented:
Yes.  I meant that the MAC address for the connection on the AP would be for the WiFi NIC.  It would be completely understandable for that to be different from what you'd see for the cabled NIC.  

The NSLOOKUP behavior is weird though.  Is your AP also a DHCP server?  Does it do DNS too?  Does it forward straight to your default gateway?
0
 
mcp_jon Commented:
On the other hand, if you try to ping the specified address using the -a, what host does it return? The good or the bad?

Weird enough is the DNS Lookup, like Paulomacd stated above.

I would check IF anyone has a virtual server or virtual box machine with the DHCP Role enabled.
This is usually caused by a Rogue DHCP.

Cheers.
0
 
Lamrski (Author) Commented:
Using the ping with -a gives me the host name for both the good IP address that should be assigned and for the bad. I typed in ping -a 10.10.12.3 and it showed goofy123, and the same for 10.10.12.5. Both have goofy123 assigned to them?

What type of virtual server are we talking about... the access point in question is out in our warehouse?? Could it be a rogue DHCP on the perimeter of our building? And do you have an idea of how to get rid of them... I'm actually reading the documentation on the access point to see if I can clear it... There are no other MAC/IP addresses using this AP.
0
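
Added example, not part of any post in this thread: a Python sketch of the cross-check done by hand above with nslookup and ping -a, comparing DHCP leases against forward and reverse DNS and an asset list. All records are constructed from the fictitious values in the question; the second MAC address and the INVENTORY table are assumptions.

```python
from collections import defaultdict

# Constructed sample data modelled on the thread (fictitious names, as in the post).
# LEASES: DHCP lease table, IP -> MAC. The second MAC is made up for the example.
LEASES = {"10.10.12.3": "00-11-22-33-44-55", "10.10.12.5": "94-44-52-13-08-62"}
PTR = {"10.10.12.3": "goofy123", "10.10.12.5": "goofy123"}   # reverse zone
A = {"goofy123": ["10.10.12.3"]}                             # forward zone
INVENTORY = {"001122334455": "goofy123"}                     # hypothetical asset list


def norm_mac(mac):
    """Reduce 94-44-52-.., 94:44:52:.. or 9444.5213.. to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits


def audit(leases, ptr, a, inventory):
    """Return {ip: [issue, ...]} for every lease that fails a consistency check."""
    ips_by_name = defaultdict(set)
    for ip, name in ptr.items():
        ips_by_name[name.lower()].add(ip)

    findings = {}
    for ip, mac in leases.items():
        issues = []
        name = ptr.get(ip, "").lower()
        if name:
            # Forward-confirmed reverse DNS: the PTR name must resolve back to this IP.
            if ip not in a.get(name, []):
                issues.append("ptr-not-forward-confirmed")
            if len(ips_by_name[name]) > 1:
                issues.append("name-shared-by-multiple-ips")
        owner = inventory.get(norm_mac(mac))
        if owner is None:
            issues.append("mac-not-in-inventory")
        elif name and owner.lower() != name:
            issues.append("mac-owner-differs-from-ptr")
        if issues:
            findings[ip] = sorted(issues)
    return findings


if __name__ == "__main__":
    for ip, issues in audit(LEASES, PTR, A, INVENTORY).items():
        print(ip, LEASES[ip], ", ".join(issues))
```

On the sample data, 10.10.12.5 is flagged because its PTR name goofy123 has no A record pointing back to it and its MAC is not in the asset list. The same pattern appears when one host has a second (for example wireless) NIC, as suggested earlier in the thread.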
 
mcp_jon Commented:
If the AP is assigning IPs, then you should be able to disable it.

The best way is to use Tracert and check the hops that the packet goes by.

Cheers.
0
 
Paul MacDonald (Director, Information Systems) Commented:
"Rogue DHCP server" is just a DHCP server someone set up without your knowledge/permission. That's why I'd originally asked about the AP doing DHCP. In a Windows environment, the DHCP server will do a pretty good job of telling you if another Windows DHCP server is running on the network.
0
 
crouthamela Commented:
FYI that MAC is from Belkin.
0
 
Lamrski (Author) Commented:
Which MAC locator do you use to find the hardware source?  Thanks for the info, very much
0
 
Tolomir (Administrator) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Question has a verified solution.
