Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Rogue device with strange MAC 1

Status
Not open for further replies.
PoliMalaka

PoliMalaka

IS-IT--Management
Aug 31, 2004
138
US
I am in need of another set of eyes on a rogue device I am seeing here on my network.
A treasure hunt can often be fun, but this one is just plain bothering me.
I noticed an oddity in our DHCP server. There is a device on our network that has been grabbing an IP (172.16.42.237) that has a strange MAC addy (67616c353235).
None of our switches (all HP ProCurve 26xx) seem have this addy in their tables.
The address pings (as of now 0900 CST 8/10/2005) but I cannot get to it in any other way.
I use a scanner (GFI LANguard network scanner) that gives a report showing that this device has ports 25 SMTP and 110 POP open. No other information is available.
I thought perhaps it could be one of these management ports that some servers and network devices have for remotemanagement, but i can't think of where this would be coming form (all of our servers are not configured for this).
We have one building and about 450 total network devices.
This look familiar to anyone?
(wasn't sure which forum to use, but this one has quite a bit of traffic and out DHCP server is running W2K server)
Thanks
 
Sort by date Sort by votes
Have you tried telnet on the port 25 or 110, it might give you a header that you can track down.

Goner05
 
Upvote 0 Downvote
I checked 3 different sites (see below) and cannot find the manufacturer of the NIC. It could be a custom or virtual MAC address. Do you have any Network Load Balanced clusters or NLB devices. It seems to me that the Microsoft NLB driver does something like this, but it wouldn't pick up a DHCP address. How about RAS servers?





PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers
 
Upvote 0 Downvote
I have rmoved all RAS servers (at least the ones grabbing IPs) from the network. By removed I mean, killed the service on those (2) boxes.
I'm aware of the virtual MAC used by NLB devices, but only have one server setup with this. It is using a static IP and can't see why it would grab another from DHCP.
It does seem to only be available for a few hours then just disappears.
I first noticed it when scanning the network using the Symantec System Center's Audit Network option.
Thanks for the links PSC.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

ravalos
  • Locked
  • Question
Problem with PDFs in IIS
Replies
1
Views
1K
gbaughma
gbaughma
pomazip
  • Locked
  • Question
Windows Server 2019 mac address issue
Replies
2
Views
927
pomazip
pomazip
DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
820
DrB0b
DrB0b
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
427
DrB0b
DrB0b
Scparks
  • Locked
  • Question
Trouble with setting up a SMTP Relay to Office 365
Replies
0
Views
290
Scparks
Scparks

Part and Inventory Search

Sponsor

Back
Top