
Unknown node on my LAN


47 replies to this topic

#1 mikewebb99

mikewebb99

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S.F. Bay Area, Northern California
  • Local time:05:05 AM

Posted 24 November 2014 - 03:30 PM

Greetings;

 

We recently changed from ATT DSL in AUG-Sep to Comcast 50 MB. All has been going along fine until about the first of November. Our LAN became unresponsive, and I could not log onto the Comcast Router (a Cisco DPC3939). I disconnected everything from the Gateway, and did a Hard reset. After this I was able to log in to the router and re-configure it to meet my needs, which mainly meant inserting my own SSIDs and changing the address over to a 192.168.1.1 vs 10.0.0.1.

 

Being curious about what had happened, I started checking the "Stuff" in my LAN... We have 2 HP TouchSmart computers, a Synology NAS, Canon 8220 Printer, and several other things. The LAN contains both Static and Dynamic addresses. While inspecting the LAN side of our network, I noticed a node at 192.168.1.254. I can Ping it without problem, but scanning it with a network scanner, looking for open ports, etc., I don't seem to be able to contact this node in any way other than Ping.

 

This unknown node has a suspicious MAC address of: 00:05:04:03:02:01. The first 3 hex groups point to Naray Information and Communication Enterprise, which is an actual electronics mfgr in Taiwan. I suspect the MAC address is being spoofed by the DPC3939 Gateway. Several days after I noted this node, I had occasion to visit my Son-In-Law, who also has Comcast service. The exact same Node exists on his LAN, and has the same suspicious MAC address.

 

Can anyone explain where this is coming from? Is this, perhaps, part of the VOIP capabilities (which we do not use)? Is this part of the XfinityWIFI hot spot service I have seen so much about? Is it part of the Comcast Home Security service (which we also do not use)? I am a little uneasy with some unknown node on my network, in light of the meltdown we had at the beginning of the month.

 

Thanks for your time, and any help you can lend

 

Mike Webb 

 

 

Make and model of computer: Hewlett-Packard 520-1030 1.04 (TouchSmart-Desktop)
 
How the computer is connected : wired (GB)
 
Make and model of Router: Comcast (cisco) DPC3939
 
What type of internet you have : Cable
 

Attached File  Result.txt   77.5KB   17 downloads


Edited by mikewebb99, 24 November 2014 - 04:25 PM.



 


#2 CaveDweller2

CaveDweller2

  • Members
  • 2,629 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:05 AM

Posted 24 November 2014 - 03:45 PM

Is there a way to see if that address is wired or wireless? If you can't tell, I'd block the MAC address and/or the IP address and see if anything stops working. 


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#3 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 24 November 2014 - 05:57 PM

And btw did you notice you didn't change your IP subnet to 10.0.0.1?

It would be interesting to see if the device's IP subnet also changed when you change the subnet.



#4 mikewebb99


Posted 24 November 2014 - 06:38 PM

CaveDweller;

 

I'm pretty sure it is the Comcast Gateway. I disconnected the 2 segments that have the majority of my network on them, so that only my iPad and a security camera were connected. When I used an iOS App called "Fing" to scan the network I saw my iPad, the camera, and the router...plus this 'rogue' node...

 

Wand3r3r;

 

Yes. That was intentional. Most of the Comcast Hardware comes provisioned at 10.0.0.1, but since my network has several static addresses in the 192.168.1.xxx space, I changed the address to suit my existing Network...10.0.0.1 is not the only private address range available to use. Below are the ranges designated as private and non-routable by RFC 1918:

10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255

 

It seems that ATT's routers are set to 192.198.0.1, where Comcast set theirs at 10.0.0.1...when given to a client/customer....

 

 

Mike



#5 CaveDweller2


Posted 25 November 2014 - 01:18 AM

Ok but that didn't really clear anything up. Can you do MAC filtering?


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#6 Wand3r3r


Posted 25 November 2014 - 11:21 AM

  " I noticed a node at 192.168.1.254"

 

You noticed this AFTER you changed the subnet, right? If you change back to the 10.x subnet does this device also change its IP?

Should be as simple as logging into the router and looking at the attached device list. Even better if the router can tell you if it's a wired or wireless connection.



#7 mikewebb99


Posted 25 November 2014 - 11:26 AM

"Ok but that didn't really clear anything up. Can you do MAC filtering?"

Yes, I can do MAC filtering on the DPC3939. I inserted the suspect MAC address into both the 2.4 & 5 GHz WIFI channels. This has no effect on the issue. That address at xxx.xxx.xxx.254 still responds to Ping and network scanning.

 

I suspect that my solution to this is to replace the Gateway with my own equipment, which I will control, and it also has the 'silver lining' of saving me some $$$ on the monthly bill...

 

Mike



#8 Wand3r3r


Posted 25 November 2014 - 12:14 PM

Reduce your router's DHCP scope to something like .100 to .150. Reboot the router. Does that device remain at .254?



#9 mikewebb99


Posted 25 November 2014 - 02:30 PM

"I noticed a node at 192.168.1.254"

"You noticed this AFTER you changed the subnet, right? If you change back to the 10.x subnet does this device also change its IP?

Should be as simple as logging into the router and looking at the attached device list. Even better if the router can tell you if it's a wired or wireless connection."

I did not notice this node until my router cratered, the first part of November. That doesn't mean it was not there, but I didn't have a reason to look for it. I discovered this while trying to understand why the Router had to be reset. Yes, it is simple to do (changing the address range), but very disruptive, since I'm not the only one home.

 

I'm reasonably sure it will be there, as I think it is something in the Comcast firmware, but will check when I have a chance...

 

Mike



#10 Tomjones543

Tomjones543

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 05 February 2015 - 01:26 PM

Hello All:

 

I am having the same issue.

I have changed the gateway and the Naray Information and Communication Enterprise node changed along with the gateway.

I changed the range, and the Naray Information node changed along with the range.

 

The MAC address 00:05:04:03:02:01 is not valid and I cannot block the MAC address.  The MAC address is definitely spoofed.  

 

I have been having strange issues with the Comcast modem. A Comcast service tech came out since the speed on the Comcast internet was 2.7 Mbps instead of the 50 Mbps that I was paying for. When the technician tried to access the modem via Ethernet cable to the back of the modem, the password would not work. The technician reset the modem by using a paper clip on the reset button; after the reset the default password did not work. The technician had to remotely access the modem through a Comcast VPN using his computer and rebuild the firmware in the modem. The boot file in the modem controls the speed of the internet subscription or download speeds as well as the security. The boot file was changed on the modem. After the technician left, the speed was back to ~50 Mbps. Later in the evening, the speed dropped back down to 3 Mbps. Based on the conversations with Comcast technicians and their Tier 3 team throughout this several-month-long process and being in IT for over 15 years, the boot file was somehow remotely provisioned on the modem. This would also make sense of why the firmware on the Comcast modem was changed.

 

I would cancel Comcast in a heartbeat but they have a monopoly in our area. Their systems are hacked.



#11 Wand3r3r


Posted 05 February 2015 - 02:29 PM

A spoofed MAC address is one that is known on your network that someone outside has captured/knows and is then used to bypass MAC filtering since this known MAC address is allowed. It appears this is a made-up MAC address. It is more likely the Comcast modem/gateway is corrupted than it is that it has been hacked.

 

That aside, where are you seeing this MAC listed? I take it you have a Comcast gateway, not just a modem, since you would not see this in a modem.



#12 Mpep1

Mpep1

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 02 June 2015 - 08:34 PM

Hi,

 

I was wondering if anyone found out about this device. I cannot find anything definite about it and am worried about security on my network. We just had a modem/router installed by Comcast and it is supposed to be a superb modem/router. I had a piece of software that checks who is on the network and what devices. This thing shows up in it, but if I log in to my router it does not show. Please can anyone tell me if this is a security threat? Thanks in advance.. Worried



#13 Wand3r3r


Posted 02 June 2015 - 09:36 PM

I would suggest you start your own thread which will allow you to post information like make and model of the router and what software is telling you what you are worried about.



#14 technonymous

technonymous

  • Members
  • 2,520 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:05 AM

Posted 03 June 2015 - 02:07 AM

Could be an Xfinity public hotspot. I think you can turn that off in the wifi settings in the router or log on to Comcast online and turn it off through the account. It does look suspicious with the MAC address changed like that. Also with the IP statically set to .254, out of range of the DHCP IP pool typically starting at .2, .3, etc. That's a telltale sign of a compromised wifi router or a rogue AP. I checked the router for WPS vulnerabilities, but found nothing. That doesn't mean that it isn't vulnerable.

 

The first flaw in routers was WPS and it still hasn't been resolved on many routers. Now just recently a flaw was found in the SOAP protocol in Realtek radios. Also a USB port vulnerability has been found, allowing root access. With all those combined just about 90% of consumer routers out there today are unsecured. These will probably never be resolved. :::sigh:::

 

Anyways, go to Run, type cmd, and try net view to see if anything comes up. You could also try nbtstat -A 192.168.1.254 to resolve its IP to a PC name if it has one. It should also show the MAC address, which you already know, but that will confirm that it matches the IP & PC name. Are you sure this isn't a VOIP phone or something you're missing? Maybe a VMware?


Edited by technonymous, 03 June 2015 - 02:10 AM.
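
The checks discussed in the thread so far (a MAC that looks made up, an address sitting outside the DHCP pool) can be run over the output of `arp -a` from the same cmd prompt. This is an added example, not code from any poster: the ARP table is constructed except for the .254 entry quoted in the thread, the .100 to .150 scope is the one suggested in post #8, and the function names are hypothetical. A flag here is a reason to look closer, not proof of compromise.

```python
import ipaddress
import re

# Constructed `arp -a` output (Windows layout); only the .254 row is from the thread.
SAMPLE_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           58-23-8c-10-a4-7e     dynamic
  192.168.1.104         3c-d9-2b-5e-71-0f     dynamic
  192.168.1.254         00-05-04-03-02-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\b",
                 re.I | re.M)

def mac_flags(mac):
    """Heuristics for a MAC that was typed in rather than assigned by a vendor."""
    b = bytes.fromhex(re.sub(r"[-:]", "", mac))
    flags = []
    if b[0] & 0x02:  # second-lowest bit of the first octet: locally administered
        flags.append("locally administered bit set")
    # Differences between consecutive bytes 2..6; all +1 or all -1 means a counter.
    steps = {(b[i + 1] - b[i]) % 256 for i in range(1, 5)}
    if steps in ({1}, {255}):
        flags.append("trailing bytes form a counting sequence")
    return flags

def audit(arp_text, dhcp_first, dhcp_last, known_static=()):
    """Return {ip: [reasons]} for ARP entries that deserve a closer look."""
    lo, hi = ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last)
    findings = {}
    for ip_s, mac in ROW.findall(arp_text):
        if int(mac[:2], 16) & 0x01:  # broadcast/multicast rows are not hosts
            continue
        flags = mac_flags(mac)
        ip = ipaddress.ip_address(ip_s)
        if not lo <= ip <= hi and ip_s not in known_static:
            flags.append("outside DHCP scope and not a known static host")
        if flags:
            findings[ip_s] = flags
    return findings

if __name__ == "__main__":
    for ip, reasons in audit(SAMPLE_ARP, "192.168.1.100", "192.168.1.150",
                             known_static={"192.168.1.1"}).items():
        print(ip, "->", "; ".join(reasons))
```
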


#15 mikewebb99


Posted 12 June 2015 - 06:56 PM

This is not part of the Xfinity Hot Spot "service"... I requested it turned off and Comcast did that and I verified that it is no longer available. We do not have or use their IP phone service (we are throw-backs, and use a <shudder> land line for our main telephone access). We also do not use the security service.

 

Using the CMD prompt did not give anything useful, and interestingly enough, none of those commands, except Ping even show that node as being on the LAN.

 

If I change My LAN to 10.0.0.1 the strange node changes right along with it, so I'm back to 192.168.1.xxx...

 

Mike





