
While running a network scan I found open TCP ports reported for a Linux machine (port 22 - OpenSSH Debian; ports 5124/5127/7582/8282 - Tunnel is OpenSSL), but we only have one Linux box and this was not it. When I traced the MAC address back to the physical box, it comes back to a Server 2012 R2 box. However, the MAC address does not physically exist on this server!? It has two physical adapters with MAC addresses of 00.1E.67.19.B5.34 and 00.1E.67.19.B5.35, but the machine which is reported to be Linux is at 00.1E.67.19.B5.36, which does not physically exist. DHCP issued the address to the mystery machine. I can ping this machine from anywhere on the network except from the console of this 2012 R2 machine. So I am really puzzled and slightly alarmed.

I can find nothing that looks wrong when I inspect and scan this server, but at the same time I can't find this hidden machine. I'm guessing there is somehow a virtual machine running hidden somehow.

Is this possibly some rooted box now or does anyone know of other software that would have this effect?

Any tips on finding and removing this machine?

Regards, Bryce.

user1840734
  • Don't obfuscate your MAC addresses. Knowing the vendor side of it would have been very helpful, as it sounds like you're describing a virtual machine, possibly within Hyper-V or VirtualBox. – Spooler May 01 '17 at 03:58
  • Yes, you should definitely post the first 3 sections of those MACs. It will help a lot... – Anubioz May 01 '17 at 04:01
  • Sorry, physically present MACs are: 00-1E-67-19-B5-34; 00-1E-67-19-B5-35; the other one is 00-1E-67-19-B5-36. – user1840734 May 01 '17 at 04:49
  • 00-1E-67 belongs to Intel. Could this be an integrated management card? iLO, iDRAC, etc? The fact that it appears to be Linux based and is accessible via SSH certainly leads me to believe so. – joeqwerty May 01 '17 at 05:10

1 Answer


Thanks to 'joeqwerty' for the hint in comments above.

I dug out the manual for this motherboard and see under its 'MAC address definition' that it does assign an extra MAC for management:

  • NIC 1 MAC address
  • NIC 2 MAC address - Assigned the NIC 1 MAC address + 1
  • Integrated BMC LAN Channel MAC address - Assigned the NIC 1 MAC address + 2

I didn't realize one physical network port could support multiple MAC addresses, and we have never made use of the management features. Now that I know, I'll look to see if this can be disabled.

Thanks everyone, Bryce.

user1840734
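The check the answer arrives at can be scripted for asset triage: given each server's NIC 1 MAC, decide whether an unaccounted MAC seen in a scan or DHCP lease list sits at one of the offsets quoted from the board manual. This is an added example, not part of the original post; the function names, the host label and the last two sample MACs are constructed, and the +1/+2 layout is assumed to apply only to boards whose manual documents it.

```python
import re

# Offsets from NIC 1 as quoted in the answer; other boards may use a different layout.
BOARD_LAYOUT = {0: "NIC 1", 1: "NIC 2", 2: "Integrated BMC LAN channel"}

def parse_mac(text):
    """Return a MAC as a 48-bit integer; accepts '.', '-', ':' or no separators."""
    digits = re.sub(r"[.:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)

def format_mac(value):
    """Render a 48-bit integer as AA-BB-CC-DD-EE-FF."""
    raw = f"{value:012X}"
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))

def explain_unknown_mac(nic1, unknown, layout=BOARD_LAYOUT):
    """Relate an unaccounted MAC to a host's NIC 1 MAC under the given layout."""
    base, seen = parse_mac(nic1), parse_mac(unknown)
    offset = seen - base  # integer arithmetic handles carry between octets
    if offset in layout:
        return layout[offset]
    if base >> 24 == seen >> 24:  # top 24 bits are the vendor prefix (OUI)
        return "same vendor prefix, not a documented offset"
    return "unrelated"

def triage(hosts, observed):
    """hosts: {name: NIC 1 MAC}. observed: MACs from a scan or DHCP leases.
    Returns {normalized MAC: (host or None, verdict)}, preferring documented offsets."""
    results = {}
    for mac in observed:
        best = (None, "unrelated")
        for name, nic1 in hosts.items():
            verdict = explain_unknown_mac(nic1, mac)
            if verdict in BOARD_LAYOUT.values():
                best = (name, verdict)
                break
            if verdict != "unrelated":
                best = (name, verdict)
        results[format_mac(parse_mac(mac))] = best
    return results

if __name__ == "__main__":
    hosts = {"server-2012r2": "00.1E.67.19.B5.34"}           # host label is hypothetical
    observed = ["00-1E-67-19-B5-36", "00:1e:67:19:b5:35",     # MACs from the question
                "00-1E-67-19-B5-FF", "02-00-00-00-00-01"]     # constructed samples
    for mac, (host, verdict) in triage(hosts, observed).items():
        print(mac, host, verdict)
```

A MAC that lands on the BMC offset still needs confirming against the board's BMC LAN settings before it is written off as expected.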