
Strange MAC Address in log. Is it an OpenVPN security problem?


stambeccuccio



In my Adaptive QoS web history log, I find about fifty pages of this series of MAC addresses unknown to me, and they do not belong to any network device.

These MAC addresses, or client names, have the characteristic that the first 4 suffixes equal 40:00:3F:06: and the other two vary in a series of combinations...

What are they and who are these mutant MAC addresses?

Why are they there? Who creates them?

Does anyone know what this is or what it might be?

Could it depend on using OpenVPN?

Anyway, isn't this thing strange?

2016-4-27 09:28:09 40:00:3F:06:87:F6 clients1.google.com
2016-4-27 09:28:20 40:00:3F:06:8C:CF tools.google.com
2016-4-27 09:29:45 40:00:3F:06:EF:62 www.google.com
2016-4-27 11:59:06 40:00:3F:06:82:80 clients3.google.com
2016-4-27 11:59:06 40:00:3F:06:82:7F clients3.google.com
2016-4-27 11:59:14 40:00:3F:06:5A:49 accounts.google.com
2016-4-27 11:59:14 40:00:3F:06:2D:78 clients4.google.com
2016-4-27 11:59:14 40:00:3F:06:6B:C3 clients4.google.com
2016-4-27 11:59:14 40:00:3F:06:45:19 accounts.google.com
2016-4-27 11:59:15 40:00:3F:06:EC:7C android.clients.google.com
2016-4-27 11:59:17 40:00:3F:06:F4:7A clients4.google.com
2016-4-27 11:59:17 40:00:3F:06:D6:70 www.google.com
2016-4-27 11:59:52 40:00:3F:06:44:83 masdk.3g.qq.com
2016-4-27 12:00:16 40:00:3F:06:86:DB api.myfoscam.com
2016-4-27 12:00:18 40:00:3F:06:66:56 push.myfoscam.com
2016-4-27 12:01:45 40:00:3F:06:A1:3B www.googleapis.com
2016-4-27 12:02:12 40:00:3F:06:BB:D9 services11.ieee.org
2016-4-27 12:02:12 40:00:3F:06:D3:BF services11.ieee.org
2016-4-27 12:04:01 40:00:3F:06:CE:05 clients4.google.com
2016-4-27 12:04:01 40:00:3F:06:9E:12 clients4.google.com
2016-4-27 12:06:27 40:00:3F:06:C7:FD www.google.com
2016-4-27 12:06:29 40:00:3F:06:5F:7D www.google.it
2016-4-27 16:25:58 40:00:3F:06:0C:07 clients3.google.com
2016-4-27 16:26:01 40:00:3F:06:D3:0A accounts.google.com
2016-4-27 16:26:01 40:00:3F:06:88:F5 translate.googleapis.com
2016-4-27 16:26:01 40:00:3F:06:E2:DD accounts.google.com
2016-4-27 16:26:02 40:00:3F:06:25:99 clients4.google.com
2016-4-27 16:26:04 40:00:3F:06:0C:77 clients4.google.com
2016-4-27 16:26:06 40:00:3F:06:F8:5B www.google.com
2016-4-27 16:26:08 40:00:3F:06:9A:09 settings.crashlytics.com
2016-4-27 18:40:36 40:00:3F:06:A3:A8 clients1.google.com
2016-4-27 18:42:13 40:00:3F:06:4C:75 www.googleapis.com
2016-4-27 18:42:13 40:00:3F:06:47:4B www.googleapis.com
2016-4-27 18:42:13 40:00:3F:06:4F:6B www.googleapis.com
2016-4-27 18:42:13 40:00:3F:06:37:3E www.googleapis.com
2016-4-27 18:42:14 40:00:3F:06:20:DE lh4.googleusercontent.com
2016-4-27 18:42:14 40:00:3F:06:6D:4A lh3.googleusercontent.com
2016-4-27 18:42:14 40:00:3F:06:07:24 lh6.googleusercontent.com
2016-4-27 18:42:14 40:00:3F:06:F7:7B lh6.googleusercontent.com
2016-4-27 18:42:15 40:00:3F:06:0C:67 lh6.googleusercontent.com
2016-4-27 20:28:43 40:00:3F:06:8F:55 www.google.com
2016-4-27 20:29:16 40:00:3F:06:BD:B5 e13.whatsapp.net
2016-4-27 20:30:27 40:00:3F:06:64:D2 www.google.com
2016-4-27 20:30:27 40:00:3F:06:70:B9 www.google.com
2016-4-27 20:30:27 40:00:3F:06:E7:4A www.google.it
2016-4-27 20:32:12 40:00:3F:06:87:C7 clients4.google.com
2016-4-27 20:32:12 40:00:3F:06:C9:CF clients4.google.com
2016-4-27 20:34:21 40:00:3F:06:66:5D www.googleapis.com
2016-4-27 20:36:54 40:00:3F:06:29:71 graph.facebook.com
2016-4-27 20:37:53 40:00:3F:06:C7:F9 edge-mqtt.facebook.com
2016-4-27 20:40:27 40:00:3F:06:8E:6A edge-mqtt.facebook.com
2016-4-27 20:40:27 40:00:3F:06:7B:93 clients3.google.com
2016-4-27 20:40:27 40:00:3F:06:C1:4A e2.whatsapp.net
2016-4-27 20:40:28 40:00:3F:06:EA:DF play.googleapis.com
2016-4-27 20:46:07 40:00:3F:06:C4:1D www.googleapis.com
2016-4-27 20:46:12 40:00:3F:06:7E:7F api.myfoscam.com
2016-4-28 15:05:56 40:00:3F:06:00:1A clients3.google.com
2016-4-28 15:05:56 40:00:3F:06:0B:45 graph.facebook.com
2016-4-28 15:05:56 40:00:3F:06:EE:65 www.google.com
2016-4-28 15:06:03 40:00:3F:06:40:56 clients3.google.com
*smiles = are the two points D

 
Isn't there another thread with the exact same question/observation?
 
I believe I read that some devices (Apple for example) have decided it's a good idea to generate random MAC addresses as a security measure...which of course drives things like our routers crazy. You may want to check the security options on any mobile devices that you are using.

Also note that 40:00:3F isn't assigned to any vendor in the OUI database.
 
iOS MAC randomization only occurs on devices that are not associated with the AP as part of the BSS/ESS, if that helps..

This looks more like something Android driven - either AOSP, or some vendor's implementation - maybe a Chromecast? Media Streamer maybe?
 
Thanks for the clarification.

Also, can rule out a Chromecast.....I have one and it doesn't do anything like this.
 
Well, it's odd - Looking at some of the hosts - AndroidGalaxys.net, SamsungKnowledge.com - any Samsung Galaxy things in the house? Tablet/SmartPhone/TV?
 
Doing further testing I found that these MAC Addresses are displayed only when you connect via OpenVPN.
Does anyone have any idea if this is correct or not?
 
Do you have a network extender or bridge in your network?

 
One thing you might try... telnet/ssh into the router, and try "arp -a" and see if that 40:00:3f range is inside your network...
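
An added check, not part of any post in this thread: it parses log lines in the format posted above, tests the locally administered bit that randomized MAC addresses set, and decodes the six bytes as IPv4 header offsets 6 to 11, which is where an Ethernet source MAC would be read from if a packet with no Ethernet header were treated as a frame. That second reading is an assumption the thread does not confirm; the function names and the DA:A1:19:... line are constructed for illustration.

```python
import re

# Four lines copied from the log in the thread, plus one constructed line
# (DA:A1:19:...) showing what a locally administered (randomized) MAC looks like.
SAMPLE_LOG = """\
2016-4-27 09:28:09 40:00:3F:06:87:F6 clients1.google.com
2016-4-27 11:59:06 40:00:3F:06:82:80 clients3.google.com
2016-4-27 12:00:16 40:00:3F:06:86:DB api.myfoscam.com
2016-4-27 20:29:16 40:00:3F:06:BD:B5 e13.whatsapp.net
2016-4-27 21:00:00 DA:A1:19:12:34:56 constructed.example
"""

LINE_RE = re.compile(r"^(\S+ \S+) ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) (\S+)$")

def parse(log):
    """Yield (timestamp, mac_bytes, host) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), bytes.fromhex(m.group(2).replace(":", "")), m.group(3)

def mac_flags(mac):
    """I/G and U/L bits of the first octet (IEEE 802 addressing)."""
    return {"multicast": bool(mac[0] & 0x01), "locally_administered": bool(mac[0] & 0x02)}

def as_ipv4_bytes_6_to_11(mac):
    """Hypothesis only: decode the six bytes as IPv4 header offsets 6..11."""
    flags_frag = int.from_bytes(mac[0:2], "big")
    return {
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": mac[2],
        "protocol": mac[3],  # 6 = TCP, 17 = UDP
        "header_checksum": int.from_bytes(mac[4:6], "big"),
    }

def summarize(log):
    """Map each 4-octet prefix to the set of 2-octet tails seen under it."""
    groups = {}
    for _, mac, _host in parse(log):
        groups.setdefault(mac[:4].hex(":").upper(), set()).add(mac[4:].hex(":").upper())
    return groups

if __name__ == "__main__":
    for prefix, tails in summarize(SAMPLE_LOG).items():
        sample = bytes.fromhex(prefix.replace(":", "")) + bytes(2)
        print(prefix, len(tails), "tails", mac_flags(sample), as_ipv4_bytes_6_to_11(sample))
```

For the 40:00:3F:06 prefix this reports a unicast address without the locally administered bit, and the same bytes read as Don't Fragment set, TTL 63, protocol 6 (TCP), with the two varying octets in the header checksum position.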
 
