Router Logs Show an Extra/UNKNOWN WiFi MAC Address - Coming from a KNOWN Laptop



#1 JAAG

Posted 05 November 2011 - 01:53 PM

Sony Vaio Laptop
Running Windows 7 Home Premium, 64 bit, Service Pack 1

First let me say that I LOVE Bleeping Computer and have researched many topics over the years, but have never needed to post because I always have been able to find my answers by reading. This is my first real shout out for help, and any that you guys can give will really be appreciated.

My Netgear router logs have been showing an unknown mac address connecting ever since I set it up a few months ago (when we moved in to a new home). I'm running WPA-PSK [TKIP] + WPA2-PSK [AES] security. I originally thought maybe one of my neighbors was sniffing/hacking, so I set up MAC filtering for the WiFi. The logs now constantly (every 4-15 minutes with long breaks occasionally) show the MAC being "denied access" to the router. I thought I was done, but have been annoyed that the connection attempts continue even after months of blocked access. Then the plot thickened...

I ended up changing my WiFi password just to beef up security a little. The router logs then showed my X-Box being "rejected" due to incorrect security (since it had not been changed to the new pw). It occurred to me that the router logs actually differentiated between incorrect security and denial of access... which meant that the attempting hack actually HAS the security password even though I'm running WPA2. To verify my problem, I changed the security password again and only allowed two laptops access to the router. Sure enough... the rogue mac address was immediately "denied access" and NOT "rejected" which I think means that the rogue is coming from/through one of the two laptops. After shutting each laptop down sequentially, I'm rather certain that it is my laptop that is somehow attempting to connect (or has some program that uses a mac passing through) to the router with a mac address OTHER than any of the ones that show up when I run ipconfig from the command prompt. I believe it is my laptop because the router logs only show the blocked access when my laptop is connecting to the router.

A few more things you should know:
1) I have Norton 360 installed and updated
2) I have Malwarebytes installed and updated
3) Neither of them have found anything other than tracking cookies during normal scans over the last few months
4) I noticed my laptop fan running heavy yesterday so, on a whim, I installed SUPERAntiSpyware and it found and removed Trojan.Agent/Gen-Buzus
5) I play Battle Pirates on Facebook (Flash game) and it is currently my most likely suspect as to how I may have obtained the trojan, but I really have no idea because my web surfing is generally very safe.
6) I have a linux box on my network running Mythbuntu 64 bit (a set top box that I built to be my DVR) -- no I'm not a programmer, but I know how to search/read websites and copy code really well, lol
7) I also have two HDHomerun tuner cards on my network that serve as TV tuners to the MythTV box. (They receive signal from the antenna and then stream to the box via the network -- technically, they could be accessed from any computer on the network to watch tv, if so desired.)
8) Everything else on my network is pretty standard for a home office... printers, scanners, computers, etc.
9) The rogue MAC address is identified as a Lexmark Print Server if plugged into a website for a MAC identification/trace
10) I have a Lexmark laser printer (543dn), but it does not have wifi.
11) To make certain that it was not the culprit somehow, I uninstalled ALL of the Lexmark items from my computer and the same rogue MAC continues to connect to the router but is denied access because of my filtering on the router.


I'm at a loss... please help. Thank you in advance.
Jaag


#2 tos226


Posted 05 November 2011 - 03:44 PM

Re: "My Netgear router logs have been showing an unknown mac address connecting"
How do you know it is a WI-FI address (Thread title says it's Wi-Fi)?
Hey, how about quoting the exact message Netgear puts in the log.
Yes, I know Netgear's logs are dreadful. They don't show port nor protocol involved, still seeing an exact message might help.

There is such a thing as MAC address spoofing, but whether it plays a role here, I can't tell.

Is it only in the log or does it show up in the wired or wireless section of Active Device list?

I don't know why you suspect your laptop since you're saying these are inbound attempts.

Are those connection attempts occurring when the Lexmark printer is off or totally disconnected from the router?

If the data in the log matches your printer's MAC address, then my guess is normal activity of the printer announcing its presence on the network. And since it's not a wi-fi printer, your MAC filtering doesn't seem relevant.

If MAC is all you see in the log, and no IP, perhaps it's trying to get an IP from the router - do you have a LAN range of IPs setup that might be too narrow for all your gear?

Are you able to print?

Sorry for no help, but I thought I'd ask for some clarifications to this confusing story.

Edited by tos226, 05 November 2011 - 03:48 PM.


#3 JAAG


Posted 05 November 2011 - 04:57 PM

Thank you, thank you, thank you for your help.

OK... I have a REAL PROBLEM... I was attempting to post my reply and my router will no longer give me access to the bleeping computer site. (Though other sites come up without a problem… no site blocking rule has been put in place on the router at this time. I'm on a different network now and able to access the site again.)

I will answer your questions in order:

How do you know it is a WI-FI address (Thread title says it's Wi-Fi)?
My router (Netgear WND3700 v2 with international firmware running) differentiates between devices connected via the LAN and WiFi when viewing the attached devices list of the browser interface.

Hey, how about quoting the exact message Netgear puts in the log.
"[WLAN access denied] from MAC: 00:20:00:8c:29:0d, Saturday, November 05,2011 14:42:19"
As opposed to the X-Box:
"[WLAN access rejected: incorrect security] from MAC address 7c:ed:8d:0e:XX:XX, Saturday, November 05,2011 12:16:26" (Last four X's are just me blanking out the address)

There is such a thing as MAC address spoofing, but whether it plays a role here, I can't tell.
Yes… I know that MAC spoofing is possible, which is why this whole thing is SO crazy. I have both MAC filtering AND IP address reservations running for my equipment. If the person is good enough to hack my security key, wouldn't they just spoof a MAC address and thus cause an IP conflict on my network?!?

Is it only in the log or does it show up in the wired or wireless section of Active Device list?
It used to show up in the "Attached Devices" list, but since I started the MAC filtering, it is only in the log. I gave the rogue MAC permission again to confirm this. Once I saw it attach, I filtered its MAC address again.

I don't know why you suspect your laptop since you're saying these are inbound attempts.
The ONLY time the rogue MAC attempts to connect is when my laptop is ALSO on the network.

Are those connection attempts occurring when the Lexmark printer is off or totally disconnected from the router?
Yes… printer is off and completely unplugged from the network and the rogue MAC is still attempting to gain access.

If the data in the log matches your printer's MAC address, then my guess is normal activity of the printer announcing its presence on the network. And since it's not a wi-fi printer, your MAC filtering doesn't seem relevant.
Rogue MAC is different than my printer's MAC. Additionally, the printer is not capable of Wifi and the access attempts are definitely via the wireless.

If MAC is all you see in the log, and no IP, perhaps it's trying to get an IP from the router - do you have a LAN range of IPs setup that might be too narrow for all your gear?
All of my gear is present and accounted for when the various devices are turned on. Believe me… I've run through every piece of equipment at least 20 times. Plus, the WiFi is the hinge pin of all this… only a handful of devices are connecting via the WiFi.

Are you able to print?
No… my printing ability stopped a few days ago when I turned off UPnP. I'll tackle that next, but for now it's rather obvious I'm on the right track since my access to bleepingcomputer.com is being blocked.


Please continue to help. Thank you!
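The two Netgear log formats quoted in this reply (a MAC-filter denial and an incorrect-security rejection) can be parsed and grouped per MAC to get the vendor prefix, the kind of check that fired, and the spacing between attempts. This is an added example, not code from the thread or from Netgear; it assumes a one-entry OUI table (00:20:00 as Lexmark, as identified in the thread) and a constructed sample log whose X-Box address is a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both message shapes quoted in the thread (MAC-filter denial, bad-key rejection).
LOG_RE = re.compile(
    r"\[WLAN access (?P<kind>denied|rejected: incorrect security)\] "
    r"from MAC(?: address|:) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), (?P<when>.+)$"
)
DATE_FMT = "%A, %B %d,%Y %H:%M:%S"  # "Saturday, November 05,2011 14:42:19"

# Minimal OUI table: only the prefix this thread resolved (00:20:00 -> Lexmark).
KNOWN_OUIS = {"00:20:00": "Lexmark"}

# Constructed sample log; the rejected-line MAC is a placeholder, not a real device.
SAMPLE_LOG = """\
[WLAN access denied] from MAC: 00:20:00:8c:29:0d, Saturday, November 05,2011 14:42:19
[WLAN access rejected: incorrect security] from MAC address 7c:ed:8d:0e:00:00, Saturday, November 05,2011 12:16:26
[WLAN access denied] from MAC: 00:20:00:8c:29:0d, Saturday, November 05,2011 14:51:03
[WLAN access denied] from MAC: 00:20:00:8c:29:0d, Saturday, November 05,2011 15:02:40
"""

def parse_line(line):
    """Return one event dict, or None for lines in a different format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # "denied" is the MAC-filter check; "rejected" is a failed WPA key.
    kind = "mac_filter" if m["kind"] == "denied" else "bad_key"
    return {"kind": kind, "mac": m["mac"].lower(),
            "when": datetime.strptime(m["when"], DATE_FMT)}

def summarize(log_text):
    """Group events per MAC: vendor guess, check kinds, count, gaps in minutes."""
    per_mac = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            per_mac[ev["mac"]].append(ev)
    report = {}
    for mac, events in per_mac.items():
        events.sort(key=lambda e: e["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() / 60
                for a, b in zip(events, events[1:])]
        report[mac] = {"vendor": KNOWN_OUIS.get(mac[:8], "unknown vendor"),
                       "kinds": sorted({e["kind"] for e in events}),
                       "attempts": len(events),
                       "gap_minutes": [round(g, 1) for g in gaps]}
    return report
```

Running `summarize` over a saved copy of the router log shows at a glance which addresses are hitting the MAC filter versus failing the key, and how regular the attempts are.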

#4 JAAG


Posted 05 November 2011 - 05:26 PM

Additional tidbits:

1) It appears that the rogue MAC now has attempted to connect even when my laptop was offline.

2) My main reason for thinking that it is somehow coming through my laptop is due to the fact that immediately following my security key change, the rogue MAC did NOT get any kind of rejection in the log. In other words, it didn't need to figure it out again... it somehow knew the change had happened and it had the correct key.

#5 tos226


Posted 05 November 2011 - 08:24 PM

Well,
1. Thank you for comprehensive answers.
It's clear that it's not coming out of the printer.
It's clear your laptop is not in the picture.
It's clear it's really Wi-Fi since you looked in that part of the router (my router is similar)
2. I have NO IDEA what's going on or how to help at this point. I just wanted to get few things clarified so as this is visited by experts (let's hope), they'll see what happened perhaps more clearly.
3. Perish the thought - router got hacked. It happens. What if you do a factory reload and start over with your MAC lists and all that setup from scratch while disconnected from the wall. I know it's a bit of a pain. But if you do so, change your LAN IP to something non-standard. By standard I mean 192.168.1.1, the usual common thing.
4. Do you have one router? two? A DSL or cable modem between you and the web? What is your DHCP server - the Netgear router or some other box?
5. Crazy idea, but perhaps you could ignore the whole thing. The router is blocking it. Though it would bother me to no end :)

Don't forget that MAC address reservation is not a filter, it's just a very handy thing to know who is who.

It's not clear why just this MAC address. If you (we) had a better router logs it might tell more :)
WLAN does imply from the WAN side of the router which is why I asked what might be before it. Might that MAC match your DSL or CBL box? If it does - that other box might be sending logs to you which then are properly blocked by Netgear (though I have never seen this type of a message here, so it's unlikely, but I'm just throwing all possibilities at you).

One other thing - access here blocked. That's on the laptop, right? Take a look at the HOSTS file and see if bleepingcomputer is there. Hosts file, at least on XP, is in Windows\system32\drivers\etc. Read with Notepad. If the HOSTS file is corrupted, that would indicate your laptop has issues and needs even more EXPERT help than your WAN block.

Edited: Correction - WLAN does not imply out of network. It is Wireless section of LAN. Sorry.

Edited by tos226, 05 November 2011 - 08:47 PM.


#6 JAAG


Posted 05 November 2011 - 09:17 PM

Setup is wall to cable modem to Netgear router. The Netgear router controls DHCP. The cable modem and router have different MAC addresses than the rogue... I checked that when it all first started happening.

As for being blocked from bleepingcomputer.com I think that was a fluke which was the result of an outage that my carrier had just as I was attempting to answer your original post... weird timing, but a call to the provider acknowledged an outage in my area. Stranger still was that it only blocked this site at first and then after a few minutes I lost access completely. The REALLY weird thing is that I logged onto my network with another computer and it could access bleepingcomputer when my laptop could not, which is why I thought I was being blocked.

I don't think that the router is being properly hacked... at least not any longer because there would be more evidence of this... i.e. NAT rules set/changed, ports opened, UPnP enabled, etc. and of course, why wouldn't they enable ACTUAL access for themselves rather than just being content to be continually denied by the router? (There was evidence of an official hack a couple of weeks ago, but that was through a different (teenage-owned) machine that was doing a lot of chat and music sharing, which is why I turned off UPnP.)

I've checked the hosts file, but it is apparently different than XP because the file you referenced is just a sample file on Win 7. I'll wait for the experts on that one...

I've thought about ignoring the whole thing, but I just can't let it go. Especially because of the rogue MAC not being rejected due to an incorrect security key. How, on God's green Earth, could it have instant denial of access with no rejection unless I have some kind of key logger infiltration? Could they have sniffed it that fast and changed the key on their machine before even attempting to hit the router again? There is NO WAY that they are that good, without more evidence/problems having occurred. That is the part that I'm worried about the most. I could just wipe my entire laptop and start over, I could just wipe the router and start over with that... I could do both... but at this point I kind of want answers more than just a solution, lol.

Thanks for the help... I'll wait for somebody else to assist.

Jaag

#7 PT_Aaron


Posted 17 July 2012 - 02:46 PM

I know this is a bit dated, but I just found this thread. I have a similar story, though I have not done nearly as much testing as the OP. Nice work btw.

The thing that caught my eye is the part: "9) The rogue MAC address is identified as a Lexmark Print Server if plugged into a website for a MAC identification/trace."

I have the same issue. The MAC address for my Rogue LEXMARK MAC is 00:20:00:A8:A7:17.

It never gets an IP assigned, and just sits there in the Attached Devices | Wireless Devices table; no name, no IP. My router is a "Netgear Genie" WNDR3400v2 that I just bought (new) and set up a few days ago.

I figure it's a wireless ptr in my neighbor's house. How odd it would show up as a similar MAC OEM unless that's a common spoof technique.

Don't know if this adds anything or if anyone is even watching this thread anymore....

Cheers,

PT_Aaron

#8 JAAG


Posted 17 July 2012 - 03:12 PM

Thanks for posting... nobody ever responded and I never figured out why it was happening, but the attempts to access my router eventually stopped. No clue as to why. I haven't checked in a few months, so maybe they have started up again. I decided not to care because there was nothing I could do about it and it didn't seem to be properly hacking my network or computers.

Cheers!
