SAGE EAS Digital Endec remote audio monitor/level meter?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

DnD

New Around Here
My profession is IT but this one has me perplexed. Any help would be appreciated. Sorry if this is a little long winded but here’s the scenario.

I noticed my RT-AX58U running 386.1_2 had a new wired device called Samsung so I scanned it with Nmap (see below). I chased down the MAC address on my switch and located it on the router's port. Shut the router off and I could not ping or scan the address. Turn the router on and I could do both. The only connections to the router are the WAN and cross-connect to my the switch (i.e. no other devices). Not comfortable with the situation I did the following:

Reset router
Booted in CFE miniWeb server mode and upload current image
Performed basic setup
Reset router again
Configured router by hand (i.e. did not import a backup)

After that procedure, the device came back and it select the same IP from my DHCP pool. For now I null routed the IP and disabled internet access in the GUI. Things to note in the data are:

Nmap and the router are reporting different MAC addresses
The suspect device has rpcbind? USB sharing?

So the questions are:
Is this a new feature from ASUS and if so, why would the enable the router with rpcbind and SAGE EAS Digital Endec remote audio monitor/level meter?

Why 2 different MAC addresses? Neither are actual MAC addresses on the router.

Has the router been hacked and I didn’t properly clear the NVRAM during the reload?

Thank you in advance for any assistance. Here is the data.

Finally, awesome software Merlin and love the new logo!

Nmap scan report for x.x.x.95
Host is up (0.0096s latency).
Not shown: 98 closed ports
PORT STATE SERVICE VERSION
80/tcp open http SAGE EAS Digital Endec remote audio monitor/level meter
111/tcp open rpcbind
MAC Address: 2C:08:8C:78:38:26 (Humax)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

From RT-AX58U (different MAC address same IP)
Samsung
x.x.x.95
1C:3A:DE:46:8D:26

Best Regards,
DnD
 

DnD

New Around Here
Yes... My Android based Sony TV has the same technology that allows you to stream content from a laptop, phone or any device the standard. Dunno why it's present on my router.
 

DnD

New Around Here
Also tried ASUS current build and it present there as well. There is nothing upstream of the router besides a DSL modem in passthrough mode.

Thank you for your help in advance
 

ColinTaylor

Part of the Furniture
Sorry, I'm not following you. Do you have a STB?

Is this device connected to your LAN, e.g. does it have a local IP address?
 

DnD

New Around Here
This technology is used for STB's and the only device using this technology in my home is my Sony TV which has a different IP and MAC. So technically no, I do not have and STB. Also, my router reports it as wired.
 

john9527

Part of the Furniture
My SWAG (Silly Wild A** Guess) is that your ISP has something configured strange and you are seeing part of their Emergency Alert System (EAS) on the WAN side. If you unplug the WAN cable does it go away?
 

jdabbs

Super Moderator
I'll spitball too.

MAC changes, same IP--
Different hosts: Host A (2C:08:8C:78:38:26) is leased an IP from your router, it gets X.X.X.95. Router is then rebooted/reset and loses its lease table. Host B (1C:3A:DE:46:8D:26) requests a lease and is allocated X.X.X.95. Or, one host is set with a static IP and the DHCP scope overlaps.
Multiple DHCP servers on the same broadcast domain, .95 gets leased by each server.
I wouldn't suspect a a chattering NIC for a single lease.

Host is visible on switch port connecting router, host is not pingable when router shuts off, so it must be the router--
My guess would be wireless client--router shuts off, wireless hosts are disconnected and unpingable. You didn't import backup settings, but did you reconfigure wireless or otherwise have settings retained after the device reset?
Samsung device--what's the MAC on your phone?

SAGE EAS Digital Endec remote audio monitor/level meter--
Nmap isn't perfect and made a best guess as to what the device is. I'm not familiar enough with consumer routers to say if Asus is running multiple hosts on its HW. I'd suspect a wireless host, followed by "oops, I guess that device was connected after all," then I'd start disabling media sharing or whatever bells and whistles are running on the router until the IP stops responding to ping.
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top