My profession is IT but this one has me perplexed. Any help would be appreciated. Sorry if this is a little long-winded but here’s the scenario.
I noticed my RT-AX58U running 386.1_2 had a new wired device called Samsung so I scanned it with Nmap (see below). I chased down the MAC address on my switch and located it on the router's port. Shut the router off and I could not ping or scan the address. Turn the router on and I could do both. The only connections to the router are the WAN and cross-connect to my switch (i.e. no other devices). Not comfortable with the situation, I did the following:
Reset router
Booted in CFE miniWeb server mode and uploaded current image
Performed basic setup
Reset router again
Configured router by hand (i.e. did not import a backup)
After that procedure, the device came back and it selected the same IP from my DHCP pool. For now I null routed the IP and disabled internet access in the GUI. Things to note in the data are:
Nmap and the router are reporting different MAC addresses
The suspect device has rpcbind? USB sharing?
So the questions are:
Is this a new feature from ASUS and if so, why would they enable the router with rpcbind and SAGE EAS Digital Endec remote audio monitor/level meter?
Why 2 different MAC addresses? Neither are actual MAC addresses on the router.
Has the router been hacked and I didn’t properly clear the NVRAM during the reload?
Thank you in advance for any assistance. Here is the data.
Finally, awesome software Merlin and love the new logo!
Nmap scan report for x.x.x.95
Host is up (0.0096s latency).
Not shown: 98 closed ports
PORT STATE SERVICE VERSION
80/tcp open http SAGE EAS Digital Endec remote audio monitor/level meter
111/tcp open rpcbind
MAC Address: 2C:08:8C:78:38:26 (Humax)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
From RT-AX58U (different MAC address same IP)
Samsung
x.x.x.95
1C:3AE:46:8D:26
Best Regards,
DnD
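One way to check the two views in the post against each other, as an added example that is not part of the original post: it parses the Nmap report, normalizes the MAC the router lists for the same IP, and reports where they disagree. The function names and finding labels are hypothetical; the sample input is copied from the data posted above.

```python
import re

# Sample input copied from the post above (IP already redacted by the poster).
NMAP_REPORT = """\
Nmap scan report for x.x.x.95
Host is up (0.0096s latency).
PORT STATE SERVICE VERSION
80/tcp open http SAGE EAS Digital Endec remote audio monitor/level meter
111/tcp open rpcbind
MAC Address: 2C:08:8C:78:38:26 (Humax)
"""
# Router client list entry as posted: (name, ip, mac)
ROUTER_CLIENTS = [("Samsung", "x.x.x.95", "1C:3AE:46:8D:26")]

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")

def normalize_mac(raw):
    """Return upper-case colon-separated MAC, or None if it is not 6 octets."""
    mac = raw.strip().upper().replace("-", ":")
    return mac if MAC_RE.match(mac) else None

def parse_nmap(report):
    """Map each scanned host to the MAC and vendor Nmap printed for it."""
    hosts, current = {}, None
    for line in report.splitlines():
        if line.startswith("Nmap scan report for "):
            # Handles both "for 10.0.0.5" and "for name (10.0.0.5)"
            current = line.split()[-1].strip("()")
            hosts[current] = {"mac": None, "vendor": None}
        elif line.startswith("MAC Address:") and current:
            m = re.match(r"MAC Address: (\S+)(?: \((.*)\))?", line)
            hosts[current] = {"mac": normalize_mac(m.group(1)), "vendor": m.group(2)}
    return hosts

def compare(report, clients):
    """Return (ip, finding) for every IP where the two views cannot be matched."""
    findings = []
    scanned = parse_nmap(report)
    for _name, ip, raw_mac in clients:
        router_mac = normalize_mac(raw_mac)
        seen = scanned.get(ip)
        if seen is None or seen["mac"] is None:
            findings.append((ip, "no-scan-mac"))       # Nmap gave no layer-2 address
        elif router_mac is None:
            findings.append((ip, "router-mac-malformed"))  # not six hex octets as listed
        elif router_mac != seen["mac"]:
            findings.append((ip, "mac-mismatch"))      # same IP, two different MACs
    return findings
```

Nmap only prints a MAC Address line for hosts on the scanner's own layer-2 segment, so a "no-scan-mac" finding means the scan has to be repeated from the same VLAN before the comparison says anything.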