
A few days ago, I noticed an unknown MAC address in the statistics page of my home router. The OUI lookup yields Cisco as the manufacturer. However, I don't have such a device in my network -- actually, I wrote down every MAC address I know.

This device uses the address 10.137.63.254 in a 10.1.0.1/8 network, where the DHCP area is 10.0.3.1/24. The traffic of this IP is very small; my router reports packets of ~74 bytes every ~5 minutes (approximately, I think the interval is random). nmap reports the host as down, but after excessive scanning the IP changed and then returned to the first one.

I figured out that the traffic only appears when my Win7 laptop is connected to the network. However, I couldn't find any sign of a Cisco NIC. The WLAN and LAN adapters are Intel and MSI NICs. Wireshark doesn't record relevant traffic when listening on the active NIC.

Is there any way to figure out what is going on?

EDIT: The MAC is 00-05-31-F8-C0-65.

EDIT: While playing with the firewall, I couldn't figure out which program was causing this. I have some suspicion, but since the program was really "shy", I gave up at some point and reinstalled Windows from a clean backup. Any idea how to diagnose such problems is still greatly appreciated.

Stefan
  • that IP looks like a broadcast IP - when I Google it, I get results like eSight from Huawei. Is this a home or corporate network? – schroeder Apr 28 '16 at 17:13
  • It's a home network. – Stefan Apr 28 '16 at 17:15
  • And eSight and Huawei don't make sense in your network? No VPNs into work, no other connected networks? – schroeder Apr 28 '16 at 17:40
  • What's the other IP this MAC is associated with? Is the laptop in question a work machine? One guess is that your laptop is infected with something that changes your MAC and IP assuming that it's part of a corporate network. It tries pings out on a semi-random schedule, trying to connect to its control server. – schroeder Apr 28 '16 at 17:43
  • No, this doesn't make sense. I have 1 desktop PC, 2 laptops, 3 mobile phones, 1 printer and 1 bluray player, but the activity correlates with the Win7 laptop. VPN and Virtualbox (and similar stuff) is not installed. The "bad" IP is `10.137.63.254`, while the laptop is at `10.0.3.1` (with Intel NIC). This machine is mostly a gaming machine with a linux partition for work. – Stefan Apr 28 '16 at 17:51
  • Is this WiFi or wired? Can you try a firewall or a sniffer to sniff the packets and see where they are headed and their contents? Maybe the Windows firewall can catch them? – Law29 Apr 28 '16 at 18:40
  • Neither Comodo's firewall nor wireshark show any relevant connections/packages. I didn't try to block the traffic with the firewall. Trying it now. – Stefan Apr 28 '16 at 18:52
  • @Stefan Set a filter to show only packets from/to that MAC address. – ott-- May 18 '16 at 16:13
  • @ott-- I did, but then the output of wireshark was empty, although my router registered several packets. Anyway, as I have written above, I reinstalled Win7 and this strange traffic disappeared. – Stefan May 19 '16 at 03:56
  • For what its worth, I noticed the same thing on my WAN interface, it ended up being the MAC address of the cable modem. – dcom-launch Jan 28 '22 at 20:35

2 Answers


Perhaps try this. Isolate the network so that only the laptop and the router producing the statistics in question are connected. If the traffic of concern is across WiFi, disconnect all network cables. If across wire, shut down WiFi on both devices and watch to see that it is not re-enabled.

Run Wireshark with a filter that logs only items that match NEITHER normally expected MAC. Let it run for the duration needed to see the pattern. If you can't figure it out from that, try replacing the NIC and different routers.

Douglas Daseeco
    If you have an ethernet router (as opposed to DSL) your router will have a MAC for the ISPs router - and it might have an internal / non-routable address. Any chance that Cisco box is actually your routers next hop? – A J Rossington Jan 26 '17 at 11:18
  • @TeunVink, you are correct in your wondering. I've removed the paragraph. Thank you for your gracious and helpful critique. ... I've used hardware where the MAC was on a chip, but that was for banking where hardware encryption was also employed. ... The cards we get in laptops and computer stores have firmware that allow alteration. In LINUX, it can be changed with "ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx" and there is a key in the registry for Windoze. – Douglas Daseeco Jan 26 '17 at 15:16
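The procedure in this answer (isolate the segment, capture only frames that do not come from a MAC you already know, and watch long enough to see the pattern) as an added example; this is not code from the original answer or the question. It reads the tab-separated output of `tshark -T fields -e frame.time_epoch -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len`, drops every frame sent by a known MAC, and for each remaining sender reports frame count, IPs used, frame sizes, the mean gap between frames, and what the address bits themselves say (OUI, locally-administered bit, multicast bit). The router and laptop MACs, and the capture rows, are constructed for the example; the only address taken from the thread is 00-05-31-F8-C0-65, and the OUI table holds just the Cisco mapping the question's own lookup reported.

```python
"""Triage an unexpected MAC on a small LAN from `tshark -T fields` output.

Added example for this thread, not code from the original post or answers.
The capture below is constructed, not a real trace.
"""
from collections import defaultdict
from statistics import mean

# Assumed MACs for the router and the Win7 laptop (constructed for the example).
KNOWN_MACS = {"00:11:22:33:44:55", "00:1b:21:aa:bb:cc"}

# The one OUI the thread mentions; the question's own lookup maps it to Cisco.
OUI_NAMES = {"00:05:31": "Cisco Systems"}

FIELDS = ("time", "eth_src", "eth_dst", "ip_src", "ip_dst", "frame_len")

# Constructed tshark output: normal laptop<->router traffic plus one sender that
# behaves as the question describes (74-byte frames roughly every five minutes).
SAMPLE_ROWS = [
    ("1461862800.000", "00:1b:21:aa:bb:cc", "00:11:22:33:44:55", "10.0.3.1", "10.1.0.1", "98"),
    ("1461862801.250", "00:1b:21:aa:bb:cc", "ff:ff:ff:ff:ff:ff", "", "", "42"),  # ARP: no IP fields
    ("1461862805.000", "00:05:31:f8:c0:65", "00:11:22:33:44:55", "10.137.63.254", "10.1.0.1", "74"),
    ("1461863095.000", "00:05:31:f8:c0:65", "00:11:22:33:44:55", "10.137.63.254", "10.1.0.1", "74"),
    ("1461863415.000", "00:05:31:f8:c0:65", "ff:ff:ff:ff:ff:ff", "10.137.63.254", "10.255.255.255", "74"),
    ("1461863705.000", "00:05:31:f8:c0:65", "00:11:22:33:44:55", "10.137.63.254", "10.1.0.1", "74"),
    ("1461863710.000", "00:11:22:33:44:55", "00:1b:21:aa:bb:cc", "10.1.0.1", "10.0.3.1", "66"),
]
SAMPLE_TSHARK_OUTPUT = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def normalize_mac(mac):
    """Accept 00-05-31-F8-C0-65, 00:05:31:f8:c0:65 or 000531f8c065; return lower-case colon form."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_flags(mac):
    """Decode what the address itself says before any vendor lookup."""
    mac = normalize_mac(mac)
    first_octet = int(mac[:2], 16)
    oui = mac[:8]
    return {
        "oui": oui,
        "vendor": OUI_NAMES.get(oui, "unknown (look up the OUI)"),
        # U/L bit set: the address was assigned by software, not burned in by the vendor.
        "locally_administered": bool(first_octet & 0x02),
        # I/G bit set: a group address, which can never be a real sender.
        "multicast": bool(first_octet & 0x01),
    }


def parse_tshark_fields(text):
    """Parse `tshark -T fields` output: one frame per line, tab-separated, empty for absent fields."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
        rec = dict(zip(FIELDS, parts))
        rec["time"] = float(rec["time"])
        rec["frame_len"] = int(rec["frame_len"])
        rec["eth_src"] = normalize_mac(rec["eth_src"])
        rec["eth_dst"] = normalize_mac(rec["eth_dst"])
        frames.append(rec)
    return frames


def summarize(frames, known_macs):
    """Group frames by sender MAC, ignoring the senders you expect on the segment."""
    known = {normalize_mac(m) for m in known_macs}
    by_sender = defaultdict(list)
    for f in frames:
        if f["eth_src"] not in known:
            by_sender[f["eth_src"]].append(f)
    report = {}
    for mac, fs in by_sender.items():
        times = sorted(f["time"] for f in fs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        info = mac_flags(mac)
        info.update({
            "frames": len(fs),
            "ips": sorted({f["ip_src"] for f in fs if f["ip_src"]}),
            "frame_lens": sorted({f["frame_len"] for f in fs}),
            "mean_interval_s": mean(gaps) if gaps else None,
            "first_seen": times[0],
            "last_seen": times[-1],
        })
        report[mac] = info
    return report


def main():
    frames = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for mac, r in summarize(frames, KNOWN_MACS).items():
        print("unexpected sender %s  oui=%s (%s)" % (mac, r["oui"], r["vendor"]))
        print("  locally administered: %s   multicast: %s" % (r["locally_administered"], r["multicast"]))
        print("  %d frames, IPs %s, sizes %s, mean gap %s s" % (
            r["frames"], r["ips"], r["frame_lens"], r["mean_interval_s"]))


if __name__ == "__main__":
    main()
```

For a live capture the same exclusion is a tcpdump capture filter, `not ether src 00:11:22:33:44:55 and not ether src 00:1b:21:aa:bb:cc`, or the Wireshark display filter `!(eth.src == 00:11:22:33:44:55) && !(eth.src == 00:1b:21:aa:bb:cc)`. Since Wireshark on the laptop already showed nothing while the router counted packets, capture from somewhere other than the laptop's own NIC (a mirror/SPAN port on a managed switch, or the router itself if it can capture) so the result does not depend on the laptop's driver showing you its own frames. A clear locally-administered bit only means the address looks vendor-assigned; as the comment above notes, software can set any value it likes, so it is a hint, not proof.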

It can be a network backdoor inside the NIC. I never saw a WiFi chip of this kind, but it definitely exists on Ethernet NICs, allowing it to sniff traffic (duplicate traffic), send packets, or even hide (route) traffic by placing a filter inside the NIC's chip so that the host doesn't even see the filtered incoming/outgoing traffic. This kind of backdoor is generally limited to a few KB/sec in download/upload. But it's enough to receive orders from a hacker and send small amounts of data back.

T. Rode