While running a network scan I found open TCP ports reported for a Linux machine (port 22 - OpenSSH Debian; ports 5124/5127/7582/8282 - Tunnel is OpenSSL), but we only have one Linux box and this was not it. When I traced the MAC address back to the physical box, it came back to a Server 2012 R2 box. However, the MAC address does not physically exist on this server!? It has two physical adapters with MAC addresses of 00.1E.67.19.B5.34 and 00.1E.67.19.B5.35, but the machine which is reported to be Linux is at 00.1E.67.19.B5.36, which does not physically exist. DHCP issued the address to the mystery machine. I can ping this machine from anywhere on the network except from the console of this 2012 R2 machine. So I am really puzzled and slightly alarmed.
I can find nothing that looks wrong when I inspect and scan this server, but at the same time I can't find this hidden machine. I'm guessing there is somehow a virtual machine running hidden somehow.
Is this possibly some rooted box now, or does anyone know of other software that would have this effect?
Any tips on finding and removing this machine?
Regards, Bryce.