Odd network activity

[Hostile]

My wife just got a message that another computer on our network was using the static IP of her MacBook Pro, X.X.X.7.

When I run a tracert to any of our other network devices (ap, server, phones on wifi, etc) the tracert only goes to the device and stays in our network.

But when I run a tracert to .7 it leaves out network and goes through about 20+ hops.

It's looking like this computer has been compromised somehow...

Our wifi is WPA2 with a string key- 10 character hey with upper/lower case, numbers and punctuation, no complete words in the key. But I'm not convinced that it's an intrusion through Wifi.

I'm not really familiar enough with the processes that in on a MBP to easily ID and thing out of the ordinary and nothing besides dashboard was using a high amount of either CPU or RAM.

Only 5 addresses are open for DHCP (.90 - .95) for our phones, iPad, nook and my work laptop.

EDIT: As a precaution I have disabled DHCP and put all our mobile devices on static IPs. I've also logged the MAC addresses for all our devices, unfortunately the stupid ActionTec router for FiOS is such a stupid PITA to use.

[Egilbe]

try running ifconfig and see if another computer is running on your network with that ip address

[Hostile]

I downloaded a network scanner and it's showing the MAC address that is using .7 (wife's laptop's ip) is our Airport Extreme...

Now I'm perplexed since the IP of the Airport Extreme is .2. Everything else on WiFi is showing it's own MAC, not the AP's MAC.

EDIT- I power cycled the airport extreme and turned the MBP back on- now the correct MAC is showing for .7...

[Egilbe]

Something is running DHCP and assigned a network address in use already. You should be running DHCP and using mac address filtering, if you can. That would keep any unwanted intruders out of your network.

[Hostile]

Something is running DHCP and assigned a network address in use already. You should be running DHCP and using mac address filtering, if you can. That would keep any unwanted intruders out of your network.

That doesn't make sense- only two devices on my network are capable of running a DHCP server, my router and my ap. The router was limited to a DHCP range of 90-95 and the AP is set to bridge mode so DHCP is disabled.

[Egilbe]

That doesn't make sense- only two devices on my network are capable of running a DHCP server, my router and my ap. The router was limited to a DHCP range of 90-95 and the AP is set to bridge mode so DHCP is disabled.

Weird.

[ATL_Av8r]

Are you running any VM software? BootCamp, VMWare, Parallels, VirtualBox?

[Hostile]

Are you running any VM software? BootCamp, VMWare, Parallels, VirtualBox?

Nope.

[Flyin18T]

Change all of your clients from dynamic to static IP address. As someone already mentioned configure MAC filtering in the router. (only allow the mac id's you input) Sometimes when you boot up a machine that is dynamic you'll see a message pop up like that. Not to worry. For peace of mind just configure as I mentioned. You'll never see that message again.

Sent from my HTC_Amaze_4G using Tapatalk 2

[Hostile]

As I mentioned in my first post the conflicting IP that popped up was not in my DHCP range (DHCP range was .90-.95 and the conflicting IP was .7) and the only devices set to use DHCP addresses were our iphones and our ipad- our wireless devices.

All other devices are hard wired (computers, gaming consoles, etc) and had static IPs. I moved the iphones/ipad to static IP as a first step and disabled DHCP on my router.

Regardless none of this really addresses why a tracert to one of my internal NAT addresses was leaving my network.

[SpiffyGTI]

[SAPJetta]

[dr_spock]

You could ping the IP address and then check your arp table for its mac address. From the mac address you can determine the manufacturer of the NIC card. That could give you indication if it is one of your devices.

If you're concerned, change your WPA2 passphrase and enable MAC filter on your wireless AP. It is not a bad idea to have list of the MAC addresses of all your devices.

What subnet are you using for your internal network? Is it one of the non-routeable private addresses?

[azunderg]

[Hostile]

****, it's happening again. Same IP too, 192.168.1.7.

I fired up a network scanner I had downloaded last time and there are no errant MAC addresses.

One thing that doesn't make a lot of sense, my FiOS router (192.168.1.1, all IPs are hard-coded to 192.168.1.X) shows a MAC address of 00:1F:90:22:A5:65 on the router's status page but the network scanner IDs it as 00:1F:90:CB:5A:E9.

The 00:1F:90 portion of the MAC identifies it as an Actiontec Electronics product, but I'm puzzled why the MAC addresses aren't matching up.

WiFi is disabled on the actiontec router, all devices ultimately go through this to get out to the internet. I also have an Apple AirPort Extreme that I only use for WiFi, it's in bridge mode so it is not doing any routing.

[Hostile]

I just re-ran the scan and now the MAC for .7 is showing as the MAC address from my AirPort which is coded to .2.

So there are two IPs (.2 and .7) showing the same MAC.

I refreshed it again and it's back to the MacBook Pro's MAC address.

When the scanner was showing the AirPort's MAC on .7 the Host Name field in the scanner was blank. When it switched back to the MBP's MAC it updated to who the correct host name, I7-MBP.

So either something is up with my AirPort extreme or this scanner is flaky. I'm using SoftPerfect Network Scanner.

EDIT: Here is a network diagram:


Internet comes into a wiring cabinet in our garage, network drops in rooms connect directly to the switch ports in the FiOS router. The WiFi radio in this router is disabled, a DHCP range of .100-.150 is enabled for the FiOS cable box (lame).

At my desk the AirPort Extreme is connected directly into the wall plate (connected through the walls directly to a port on the FiOS router). The AirPort handles WiFi and my desktop and server are wired into the switch ports.

In the living room a switch is connected directly to a wall plate (connected through the walls directly to a port on the FiOS router). The TV, PS3, Xbox and WD TV are all wired into that switch.

The two iPhones, iPad and MBP all connect to the AP in the AirPort with WPA2.

[Hostile]

Here is a screen cap of the network scanner reporting that the MAC from the AirPort extreme is taking over .7

[Avus]

can you configure another device (example: another notebook or cell phone) to use 192.168.1.7? at least you can see if this problem is from your mac book or network...

or you configure the macbook to use another IP address (example:192.168.1.99) to see if the problem is following the macbook.

[Hostile]

I can try that. This problem initially popped up almost 2 weeks ago and only re-appeared today- it doesn't appear to easy to reproduce.

[SAPJetta]

Solar flares....

[azunderg]

Solar flares....