Weird Roaming Device Name on the Lan

This is a weird urgent issue.  It appears that a mystery device name is attaching itself to a set of computers at a site of mine.  The site kept complaining about slowness, so I went into my network monitoring system and saw a named device - mssd10109.ccps.local listed as the culprit.  The only problem, this is not a device listed on our Lan and this is also not our domain.  I mistakenly assumed that it was someone's personal device being used on our network.  When that didn't pan out, I used an application called Advanced IP scanner, saw the device and got the IP.  The software allowed me to see the users profile on the computer and was able to find the culprit computer, the only problem was the IP's were the same, but the device name was correct on the computer.  The mysterious name was no where to be found on the laptop.  I had the user shut the computer down and I took it off my domain in case that is a virus.  I re-ran the IP scanner and now that device name shows up under another IP address at that site.  Has anyone ever heard of anything like this?  This is serious because it is maxing out our bandwidth at that site.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
I used ….  Advanced IP scanner,..... The mysterious name was no where to be found on the laptop.

I use that to find IP addresses.

Look for a rouge DHCP server - someone brought in a small router and attached it.

Then as you are doing, fully check each computer you are touching for viruses and/or malware.

I assume your main router is secure (very difficult password to access) and that you have not opened server or like ports to the outside world. You need VPN for access in.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
The big thing now is crypto-mining instead of encrypting the data on the network.

Block the MAC at the edge unless that too is rotating?

It sounds like either a crypto-mining setup floating about (SMBv1 is disabled at all Windows endpoints and everything is up to date patch wise right?) or someone is running some sort of P2P or server setup.

The edge able to filter bandwidth per endpoint? That would be one way to stem the bandwidth problem.

Managed switch? See what port the rogue's MAC is associated with and pull the plug to dig in.
SalongeAuthor Commented:
@John Thank you for your reply.  I will look for a rouge DHCP device.  @Phillip.  This P2P / server setup, how can I tell if that is the case?  Because this user name shows up on several IP's, I can't pinpoint a MAC.  I tried to shut down the device associated to that name and it tells me that the network path is not available.  It seems like a phantom of some sort.
Price Your IT Services for Profit

Managed service contracts are great - when they're making you money. Yes, you’re getting paid monthly, but is it actually profitable? Learn to calculate your hourly overhead burden so you can master your IT services pricing strategy.

SalongeAuthor Commented:
I did another scan through Solar Winds IPam Module and it shows up as a Hostname to several devices.
JohnBusiness Consultant (Owner)Commented:
Are you running Solar Winds?   It may be producing these results. That does not mean there isn't a rogue device though.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Time for some digging with WireShark.
JohnBusiness Consultant (Owner)Commented:
Good idea. I use Comm View myself (Tamosoft)
SalongeAuthor Commented:
I am using SolarWinds to monitor my entire network.  I have 17 different sites.  This is the only one having this issue.
JohnBusiness Consultant (Owner)Commented:
So not a Solar Winds source. Packet Sniffing is a good idea . Comm View shows you source and destination of packets
Dr. KlahnPrincipal Software EngineerCommented:
Sounds like there is a device impersonating one of your computers.  Pure speculation:  Somebody has attached a rogue WiFi access point to your network, and the device is getting in through that.  Do a WiFi survey of the neighborhood and see what is present, then sniff the WiFi traffic to each network and do a temporal traffic correlation between that and the rogue device on your network.  It doesn't matter if the WiFi is encrypted; all you want to see is if there is traffic to a WiFi network at the same time there is traffic to the rogue device.  If you can correlate the traffic then go on an access point hunt, find out who attached it, and fire them on the spot.

It's also possible that the entire LAN in question has been subverted, every computer (or at least quite a lot of them) have been infected, and it is in fact your computers that are doing this under control of a botnet.
SalongeAuthor Commented:
I don't have a solution as yet.  I have been out so that is why I have responded.  I am doing some additional research on site.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.