Mystery MAC in AiProtection

Discussion in 'ASUSWRT - Official' started by NSNE, Oct 28, 2018.

  1. NSNE

    NSNE Occasional Visitor

    Joined:
    Jan 23, 2011
    Messages:
    32
    Was checking the AiProtection console and saw the following under Two-Way IPS alerts:

    [IMG]

    The odd thing about the top-hit MAC address is that it doesn't appear to exist on my network. It's a Cisco device, apparently, but I don't own any Cisco-branded devices and the MAC doesn't appear to be associated with any device I've been able to locate. I have my topology pretty well mapped out and all my devices named in Asus WRT.

    What could be the possible causes for this mystery MAC? Also, what's with the all-zero MAC?

    If it helps ID the device, the most commonly deflected attack appears to be "EXPLOIT Remote Command Execution via Shell Script -2".
     
    Last edited: Oct 28, 2018
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
    The Cisco device will be your cable modem or another piece of your ISP's kit depending on your type of connection. Please see all the previous posts that have reported this.
     
  4. NSNE

    NSNE Occasional Visitor

    Joined:
    Jan 23, 2011
    Messages:
    32
    I searched for similar posts with the keyword "aiprotection" but didn't see anything recent.
     
  5. HuskyHerder

    HuskyHerder Regular Contributor

    Joined:
    May 12, 2017
    Messages:
    187
    There are a few around but to be honest they have not helped me much either. I saw a mysterious device made by Arris.

    I originally noticed it in AIProtect too. I don't have any devices made by Arris. I have still not located this device, but I have since turned off AIProtect and instead I am using Skynet w/ Merlin. However there was a device about a year or so ago that I had trouble locating and it turned out to be a wifi down/modem reset plug I had purchased off Amazon.

    My mysterious Arris device has had hits in the 100s when it was running. I have run many LAN scans with multiple apps and none ever detect it. The router itself never finds the device. It only shows in AIProtect.

    Of interest mine were also always "EXPLOIT Remote Command Execution via Shell Script -2".

    I wonder in the back of my head, could it be something on the AIProtect end. Since I have no logical assumption it's mine. Just my pondering on this subject.

    * The only device I have added recently is a Philips Hue, I need to check and see if I borked the MAC address.
     
    Last edited: Oct 29, 2018
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
    Is it not your cable modem (i.e. Arris/Motorola SurfBoard)?
     
  7. HuskyHerder

    HuskyHerder Regular Contributor

    Joined:
    May 12, 2017
    Messages:
    187
    Nope,

    I just had my customer-owned Netgear modem replaced by a Hitron from Spectrum (gig plan, no customer-owned allowed).

    I need to really get into my cabinet and look at the Hue, it's the only change in a year to my devices, well except for a new iPhone upgrade. But it's not Arris etc.
    * Think I edited my post about the Hue while you were replying.
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
    Bear in mind that if the device is on your ISP's side then doing LAN scans won't find it. Also remember that the "vendor" reported will be the company that makes the chipset which is often not the same as the brand on the box.

    If the device is still active on your network it should be identifiable with the following commands when issued from the router.

    Code:
    # ip neigh
    # arp -a
     
    HuskyHerder likes this.
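
An added example, not part of ColinTaylor's post: a POSIX shell helper that searches `ip neigh` output for the MAC shown in AiProtection and reports whether it was learned on the LAN bridge or the WAN-facing interface. The interface names (`br0`, `eth0`), the function names and the sample table are assumptions constructed for illustration; confirm the WAN interface on your router with `ip route show default`.

```shell
#!/bin/sh
# Normalise a MAC to lowercase, colon-separated form (accepts AA-BB-.. or aa:bb:..).
norm_mac() {
    printf '%s' "$1" | tr 'A-F-' 'a-f:'
}

# Read neighbour-table text on stdin; print "ip dev state side" for each match.
# $1 = MAC to look for, $2 = WAN interface name (assumed eth0 if omitted).
find_mac() {
    mac=$(norm_mac "$1")
    wan_if=${2:-eth0}
    awk -v mac="$mac" -v wan="$wan_if" '
        {
            ip = $1; dev = ""; ll = ""
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "lladdr") ll  = tolower($(i + 1))
            }
            # Entries with no lladdr (FAILED/INCOMPLETE) never match.
            if (ll == mac) {
                side = (dev == wan) ? "WAN" : "LAN"
                print ip, dev, $NF, side
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# $1 = MAC, $2 = neighbour-table text, $3 = WAN interface.
locate() {
    printf '%s\n' "$2" | find_mac "$1" "$3" || echo "not in neighbour table"
}

# Constructed sample in `ip neigh` format (addresses and MACs are made up).
SAMPLE='192.168.1.10 dev br0 lladdr 02:00:5e:10:00:01 REACHABLE
192.168.1.50 dev br0  FAILED
100.64.0.1 dev eth0 lladdr 02:00:5e:10:00:02 STALE'

# On the router itself, feed the live table instead:
#   ip neigh | find_mac AA:BB:CC:DD:EE:FF eth0
locate 02-00-5E-10-00-02 "$SAMPLE" eth0
```

A match on the WAN interface points at upstream equipment; no match only means the device is not currently in the router's neighbour table.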
  9. HuskyHerder

    HuskyHerder Regular Contributor

    Joined:
    May 12, 2017
    Messages:
    187
    I think, hesitantly, I am onto something. It's always my teen's devices that get hit with the AIProtection warnings. ALWAYS.

    My 15 year old says his mom gave him the wifi password for his Nintendo (whatever kind he has :p )
    For some reason the device was listed as Arris, however it's wrong? This is not the first time I have seen this behavior, I saw it before with that wifi plug.

    Thanks for the commands, now when the thing charges up I'll check the commands.

    @NSNE One thing I did find in my search was don't forget about wifi enabled cars. I forgot one time my Ford Sync was connected to the wifi for an update. I was scratching my head till that post/thread reminded me. That one is certainly filed away in the filing cabinet for later use now. :D
     
    Last edited: Oct 29, 2018