Unknown MAC/IP address showing on cable modem



I have an Arris DG3270A cable modem and if I do a port scan it shows two separate MAC/IP addresses. The 192.168.0.1 is the one which I access to check the settings; the other is 192.168.0.252, which is way outside the IP range I have set for the network.

 

[image: ArrisDG3270A.jpg]

[image: Arris2.jpg]

 

Any ideas what is going on here? I called tech support for my ISP and they had no idea what I was talking about - or they do and don't want to say. Just wondering if this is a concern? I can ping the rogue address with no problem. I'm not sure if it is the back door the ISP uses to access the modem if required, or what, and when accessing the modem settings there is no entry of any kind with that IP address or MAC address (192.168.0.252).

1 is lan modem

252 is wifi module

__________

or

 

192.168.0.1:80 user interface

192.168.0.252:67 dhcp server on it

 

no russians on your modem, no worries

The mac address actually ends in 01:02:03?? Really?? That seems like a created mac; the odds are just too fantastic for that to be what your mac actually is.

 

Normally on a wifi router the wifi mac would be 1 off of the lan mac.. And the wan mac would be 1 off of one of those - so you get like :1 :2 :3 for your last number..

 

Why would your wifi have a different IP? I do not think so to be honest.. Did you set up some sort of captive portal or guest network on this device for your wifi users? 01:02:03 just makes no sense for the mac of an actual device.. More like an administratively assigned mac.. for example my VMs use 00:00:01, 00:00:02 etc..


Budman, nothing set up like you mentioned - it is very strange, but I haven't seen any unusual network traffic or unknown devices - all my devices have been assigned static IPs. Plus with all my previous cable modems I have never seen this before, or never noticed it before, and when I did a search I couldn't find any documentation that would explain it - however other people with Arris modems have reported the same thing so maybe it's by design. The only other possible thing it could be is there is another Arris modem which is separate and is used for the telephone landline; it shares the same line in (see image), but I wouldn't think I should be able to see that on the network, but maybe I'm wrong.

 

[image: Untitled.jpg]

Let's be clear here: the DG3270A is not a "modem", it's a gateway... You're saying you have 2 of them? Your computer would not be seeing the mac address from a device connected to the cable side via a splitter.

 

And it sure wouldn't be on your network.. Sorry but I don't buy the xx:xx:xx:01:02:03 mac address.. That is not a mac you would see on an actual physical device... The odds are CRAZY that would be the device's mac.. That is a created mac... For example

 

[image: setmac.png]

 

I specifically set that mac to be that when I created the vm.. So are there any ports listening on that .252 IP - can you ping it? Can you hit it via web browser? Do a nmap scan to it.. And even if it was a different interface on the gateway your pc is connected to - it wouldn't show you those macs.

 

That is a device on your network.. And the mac is just registered to arris - not sure why you're hiding the first part of the mac --- all that shows you is who the maker of the device is. There is zero reason to hide those.. It's like hiding your rfc1918 address space... especially with a 1:2:3 address like that which is clearly administrated and not the actual physical mac of the device.

 

You're just seeing a device on your network is all.. That was made by, I assume, arris..

 

ARPING 192.168.100.1 60 bytes from d4:0a:a9:58:30:5e (192.168.100.1): index=0 time=617.857 usec

 

https://macvendors.co/results/d4:0a:a9

 

That is my arris SB6190 modem mac which is on the wan side of my router... My PC would never see that.. And you notice it's even off by 1 like I stated from what the cable modem reports as its mac

 

[image: macoffbyone.png]

You need to find what that device is on your network - but it's not your cable device.. Do you have a smart switch? If so you can look at its arp table and see where it's connected to your network.. If not ping it, etc.. and start turning stuff off until it doesn't answer anymore..
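An added example (not from anyone in this thread): a small Python script that applies the checks BudMan describes to a list of MACs pulled from an ARP listing: vendor lookup by OUI, the IEEE locally-administered bit, a hand-picked-looking suffix such as 01:02:03, and grouping addresses that differ by one as the interfaces of a single gateway. The OUI table is a two-entry stub built from the prefixes quoted in the thread, not the IEEE registry, and the third sample address is constructed.

```python
import re

# Constructed stub of the IEEE OUI registry: only the two prefixes quoted in the thread.
OUI_TABLE = {"00:00:CA": "ARRIS Group, Inc.", "D4:0A:A9": "ARRIS Group, Inc."}

def normalize(mac):
    """Accept 00-00-CA-01-02-03 or 00:00:ca:01:02:03; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def vendor(mac):
    """Vendor from the OUI (first three octets); the stub table only knows Arris."""
    return OUI_TABLE.get(normalize(mac)[:8], "unknown OUI")

def is_locally_administered(mac):
    """IEEE U/L bit (bit 1 of the first octet): set means software-assigned, not burned in."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def looks_synthetic(mac):
    """Heuristic for hand-picked device suffixes: counting up in steps of one (01:02:03)
    or starting with two zero octets (00:00:01). Burned-in suffixes rarely look like that."""
    s = [int(x, 16) for x in normalize(mac)[9:].split(":")]
    return (s[1] - s[0] == 1 and s[2] - s[1] == 1) or s[:2] == [0, 0]

def mac_to_int(mac):
    return int(normalize(mac).replace(":", ""), 16)

def group_adjacent(macs, max_gap=2):
    """Cluster addresses that differ by at most max_gap. One gateway's LAN, WiFi and WAN
    MACs are usually consecutive, so a cluster suggests one box, a singleton a separate host."""
    ordered = sorted({normalize(m) for m in macs}, key=mac_to_int)
    groups = []
    for mac in ordered:
        if groups and mac_to_int(mac) - mac_to_int(groups[-1][-1]) <= max_gap:
            groups[-1].append(mac)
        else:
            groups.append([mac])
    return groups

def report(macs):
    """One (mac, vendor, locally_administered, synthetic_suffix) row per address."""
    return [(normalize(m), vendor(m), is_locally_administered(m), looks_synthetic(m))
            for m in macs]

# Constructed sample: the gateway LAN MAC and the .252 MAC quoted in the thread, plus one
# made-up neighbour of the LAN MAC, as a second interface of the same box would look.
SAMPLE = ["38:70:0c:c9:50:65", "00-00-CA-01-02-03", "38:70:0c:c9:50:66"]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
    print(group_adjacent(SAMPLE))
```

On the sample, the two 38:70:0c addresses cluster together while 00:00:CA:01:02:03 stands alone with a synthetic-looking suffix, which is exactly the pattern the post above argues for.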

 

 

Well I checked all my devices and it is not any device that I set up - I have no smart switch either. Earlier I ran another port scan and it showed an open telnet port assigned to the IP, so I ran a scan in Zenmap and it showed an open port and 2 closed ports (see image), and it doesn't respond to anything but ping. I again spent an hour on the phone with tech support; once again they are at a loss for what it is - a factory restore was their advice. When I look up the LAN client list via the router web interface there is no entry for that IP or MAC. Plus the MAC address by the looks of it is not a "real" address; MAC Address: 00-00-CA-01-02-03 [ARRIS Group, Inc.]. I did find a post where other Arris users see the same thing as I do (Phantom Device) and oddly enough the Phantom Device has the identical MAC address as mine - so it must be some sort of Arris bug or hidden feature as mentioned in another post (home monitoring/phone, internal firewall etc).

 So I don't think I will worry about it, it just seemed odd, but from what I read it must be related to one of the things mentioned. Thanks for your thoughts on the subject Budman it is appreciated.

[image: 1.jpg]

Best advice I can offer you is unless you are using Xfinity's phone service, buy yourself a cable modem from Amazon or Walmart or Target and quit paying the $8 or $10 a month for leasing their gateway device. @BudMan will be your best bet to suggest what modem is the best. If you are using the phone service from Xfinity then you have to lease the gateways, because Comcast has made it impossible to 'buy' the gateways from anyone; you can only buy the modem. Unless you are willing to ditch Comcast/Xfinity phone service in favor of a cheaper VOIP service, then you are stuck with them.

Hey, I should clarify, my ISP is neither Xfinity nor Comcast and I am not even located in the States. The links to the posts just showed the exact same issue I was having with my Arris Gateway. Unfortunately my ISP doesn't allow customers to purchase their own cable modems, and I do in fact use my ISP's phone service and home monitoring service so I'm stuck. I'm just more relieved that I at least seemed to have solved the mystery.

  • 4 months later...

Wouldn't it show a ton of traffic then? @goretsky

 

Also, see photo of Arris router control. Look at the MAC FF:FF:FF:FF:FF:FF and the reserved status. I have removed it several times only to have it come back within 24 hrs. COX Communications Level III Tech Support seems oblivious to how an address could be added as reserved by anyone other than myself. I'm more lost on the MAC address variance. I don't know where to go from here so any input would be awesome.

 

more info:

 

With Wireshark capturing "WiFi"

UDP Stream Followed output:

 

1.)*********************************************************************


 

OPTIONS sip:nm SIP/2.0

Via: SIP/2.0/UDP nm;branch=foo;rport

From: <sip:nm@nm>;tag=root

To: <sip:nm2@nm2>

Call-ID: 50000

CSeq: 42 OPTIONS

Max-Forwards: 70

Content-Length: 0

Contact: <sip:nm@nm>

Accept: application/sdp

 


 

#2*************************************************************************

HTTP/1.1 200 OK

CACHE-CONTROL: max-age=1801

DATE: Thu, 05 Jul 2018 02:33:49 GMT

EXT:

LOCATION: http://192.168.100.3:49152/wps_device.xml

SERVER: Unspecified, UPnP/1.0, Unspecified

ST: upnp:rootdevice

USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8::upnp:rootdevice

 

HTTP/1.1 200 OK

CACHE-CONTROL: max-age=1801

DATE: Thu, 05 Jul 2018 02:33:49 GMT

EXT:

LOCATION: http://192.168.100.3:49152/wps_device.xml

SERVER: Unspecified, UPnP/1.0, Unspecified

ST: upnp:rootdevice

USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8::upnp:rootdevice

 

HTTP/1.1 200 OK

CACHE-CONTROL: max-age=1801

DATE: Thu, 05 Jul 2018 02:33:49 GMT

EXT:

LOCATION: http://192.168.100.3:49152/wps_device.xml

SERVER: Unspecified, UPnP/1.0, Unspecified

ST: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8

USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8

 

HTTP/1.1 200 OK

CACHE-CONTROL: max-age=1801

DATE: Thu, 05 Jul 2018 02:33:49 GMT

EXT:

LOCATION: http://192.168.100.3:49152/wps_device.xml

SERVER: Unspecified, UPnP/1.0, Unspecified

ST: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8

USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8

 

HTTP/1.1 200 OK

CACHE-CONTROL: max-age=1801

DATE: Thu, 05 Jul 2018 02:33:49 GMT

EXT:

LOCATION: http://192.168.100.3:49152/wps_device.xml

SERVER: Unspecified, UPnP/1.0, Unspecified

ST: urn:schemas-wifialliance-org:device:WFADevice:1

USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8::urn:schemas-wifialliance-org:device:WFADevice:1

 

HTTP/1.1 200 OK

CACHE-CONTROL: max-age=1801

DATE: Thu, 05 Jul 2018 02:33:49 GMT

EXT:

LOCATION: http://192.168.100.3:49152/wps_device.xml

SERVER: Unspecified, UPnP/1.0, Unspecified

ST: urn:schemas-wifialliance-org:device:WFADevice:1

USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8::urn:schemas-wifialliance-org:device:WFADevice:1

 

HTTP/1.1 200 OK

CACHE-CONTROL: max-age=1801

DATE: Thu, 05 Jul 2018 02:33:49 GMT

EXT:

LOCATION: http://192.168.100.3:49152/wps_device.xml

SERVER: Unspecified, UPnP/1.0, Unspecified

ST: urn:schemas-wifialliance-org:service:WFAWLANConfig:1

USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8::urn:schemas-wifialliance-org:service:WFAWLANConfig:1

 

HTTP/1.1 200 OK

CACHE-CONTROL: max-age=1801

DATE: Thu, 05 Jul 2018 02:33:49 GMT

EXT:

LOCATION: http://192.168.100.3:49152/wps_device.xml

SERVER: Unspecified, UPnP/1.0, Unspecified

ST: urn:schemas-wifialliance-org:service:WFAWLANConfig:1

USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8::urn:schemas-wifialliance-org:service:WFAWLANConfig:1

 

 

Nmap #1**************************************************************************

Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-05 02:08 Pacific Daylight Time
NSE: Loaded 56 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
Initiating ARP Ping Scan at 02:08
Scanning 192.168.0.252 [1 port]
Completed ARP Ping Scan at 02:08, 1.41s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:08
Completed Parallel DNS resolution of 1 host. at 02:08, 0.02s elapsed
Initiating ACK Scan at 02:08
Scanning 192.168.0.252 [1000 ports]
Completed ACK Scan at 02:08, 0.72s elapsed (1000 total ports)
Initiating Service scan at 02:08
Initiating OS detection (try #1) against 192.168.0.252
Retrying OS detection (try #2) against 192.168.0.252
NSE: Script scanning 192.168.0.252.
Initiating NSE at 02:08
Completed NSE at 02:08, 9.22s elapsed
Initiating NSE at 02:08
Completed NSE at 02:09, 50.27s elapsed
Nmap scan report for 192.168.0.252
NSOCK ERROR [25.4970s] mksock_bind_addr(): Bind to 0.0.0.0:443 failed (IOD #8): An attempt was made to access a socket in a way forbidden by its access permissions.  (10013)
NSOCK ERROR [25.5100s] mksock_bind_addr(): Bind to 0.0.0.0:445 failed (IOD #20): An attempt was made to access a socket in a way forbidden by its access permissions.  (10013)
NSOCK ERROR [28.5710s] mksock_bind_addr(): Bind to 0.0.0.0:443 failed (IOD #73): An attempt was made to access a socket in a way forbidden by its access permissions.  (10013)
NSOCK ERROR [36.7010s] mksock_bind_addr(): Bind to 0.0.0.0:135 failed (IOD #248): An attempt was made to access a socket in a way forbidden by its access permissions.  (10013)
NSOCK ERROR [68.9380s] mksock_bind_addr(): Bind to 0.0.0.0:445 failed (IOD #887): An attempt was made to access a socket in a way forbidden by its access permissions.  (10013)
NSOCK ERROR [72.3680s] mksock_bind_addr(): Bind to 0.0.0.0:443 failed (IOD #956): An attempt was made to access a socket in a way forbidden by its access permissions.  (10013)
Host is up (0.017s latency).
All 1000 scanned ports on 192.168.0.252 are unfiltered
MAC Address: 00:00:CA:01:02:03 (Arris Group)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT      ADDRESS
1   16.98 ms 192.168.0.252

NSE: Script Post-scanning.
Initiating NSE at 02:09
Completed NSE at 02:09, 0.00s elapsed
Initiating NSE at 02:09
Completed NSE at 02:09, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.72 seconds
           Raw packets sent: 1013 (41.696KB) | Rcvd: 1013 (41.632KB)

 

 

Nmap #2*******************************************************************

please forgive the incomplete arguments----

 

Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-05 02:12 Pacific Daylight Time
NSE: Loaded 285 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:13
NSE: [shodan-api] Error: Please specify your ShodanAPI key with the shodan-api.apikey argument
NSE: [mtrace] A source IP must be provided through fromip argument.
Completed NSE at 02:13, 13.78s elapsed
Initiating NSE at 02:13
Completed NSE at 02:13, 0.00s elapsed
Initiating NSE at 02:13
Completed NSE at 02:13, 0.00s elapsed
Pre-scan script results:
| broadcast-igmp-discovery:
|   192.168.0.9
|     Interface: eth2
|     Version: 2
|     Group: 224.0.0.251
|     Description: mDNS (rfc6762)
|_  Use the newtargets script-arg to add the results as targets
| broadcast-ping:
|   IP: 192.168.0.1  MAC: 38:70:0c:c9:50:65
|_  Use --script-args=newtargets to add the results as targets
| knx-gateway-discover:
|_ ERROR: Couldn't get interface for 224.0.23.12
| targets-asn:
|_  targets-asn.asn is a mandatory parameter
Initiating ARP Ping Scan at 02:13
Scanning 192.168.0.252 [1 port]
Completed ARP Ping Scan at 02:13, 0.60s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:13
Completed Parallel DNS resolution of 1 host. at 02:13, 0.01s elapsed
Initiating SYN Stealth Scan at 02:13
Scanning 192.168.0.252 [1000 ports]
Completed SYN Stealth Scan at 02:13, 0.72s elapsed (1000 total ports)
Initiating UDP Scan at 02:13
Scanning 192.168.0.252 [1000 ports]
Increasing send delay for 192.168.0.252 from 0 to 50 due to 11 out of 17 dropped probes since last increase.
Increasing send delay for 192.168.0.252 from 50 to 100 due to 11 out of 12 dropped probes since last increase.
UDP Scan Timing: About 10.88% done; ETC: 02:18 (0:04:14 remaining)
Increasing send delay for 192.168.0.252 from 100 to 200 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 192.168.0.252 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.0.252 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
UDP Scan Timing: About 15.43% done; ETC: 02:19 (0:05:34 remaining)
UDP Scan Timing: About 18.62% done; ETC: 02:21 (0:06:38 remaining)
UDP Scan Timing: About 21.60% done; ETC: 02:22 (0:07:19 remaining)
UDP Scan Timing: About 26.53% done; ETC: 02:23 (0:07:48 remaining)
UDP Scan Timing: About 43.43% done; ETC: 02:26 (0:07:15 remaining)
UDP Scan Timing: About 50.60% done; ETC: 02:26 (0:06:33 remaining)
UDP Scan Timing: About 56.75% done; ETC: 02:26 (0:05:53 remaining)
UDP Scan Timing: About 62.53% done; ETC: 02:27 (0:05:12 remaining)
UDP Scan Timing: About 68.07% done; ETC: 02:27 (0:04:29 remaining)
UDP Scan Timing: About 73.60% done; ETC: 02:27 (0:03:45 remaining)
UDP Scan Timing: About 78.83% done; ETC: 02:27 (0:03:02 remaining)
UDP Scan Timing: About 84.05% done; ETC: 02:27 (0:02:19 remaining)
UDP Scan Timing: About 89.28% done; ETC: 02:27 (0:01:34 remaining)
UDP Scan Timing: About 94.60% done; ETC: 02:27 (0:00:47 remaining)
Completed UDP Scan at 02:28, 931.08s elapsed (1000 total ports)
Initiating Service scan at 02:28
Scanning 64 services on 192.168.0.252
Service scan Timing: About 1.56% done; ETC: 04:13 (1:42:54 remaining)
Service scan Timing: About 48.44% done; ETC: 02:35 (0:03:28 remaining)
Completed Service scan at 02:33, 292.84s elapsed (64 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.252
Retrying OS detection (try #2) against 192.168.0.252
NSE: Script scanning 192.168.0.252.
Initiating NSE at 02:33
Completed NSE at 02:34, 32.66s elapsed
Initiating NSE at 02:34
Completed NSE at 02:34, 4.12s elapsed
Initiating NSE at 02:34
Completed NSE at 02:34, 0.03s elapsed
Nmap scan report for 192.168.0.252
Host is up (0.0045s latency).
All 2000 scanned ports on 192.168.0.252 are closed (1936) or open|filtered (64)
MAC Address: 00:00:CA:01:02:03 (Arris Group)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Host script results:
|_fcrdns: FAIL (No PTR record)
|_firewalk: ERROR: Script execution failed (use -d to debug)
|_ipidseq: ERROR: Script execution failed (use -d to debug)
|_path-mtu: ERROR: Script execution failed (use -d to debug)
| traceroute-geolocation:
|   HOP  RTT   ADDRESS        GEOLOCATION
|_  1    4.54  192.168.0.252  - ,-

TRACEROUTE
HOP RTT     ADDRESS
1   4.54 ms 192.168.0.252

NSE: Script Post-scanning.
Initiating NSE at 02:34
Completed NSE at 02:34, 0.01s elapsed
Initiating NSE at 02:34
Completed NSE at 02:34, 0.00s elapsed
Initiating NSE at 02:34
Completed NSE at 02:34, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1289.31 seconds
           Raw packets sent: 2693 (95.250KB) | Rcvd: 2025 (97.945KB)
 

[image: Capture1111.PNG]

forgot to add:

 

 

Hardware Information

System:ARRIS DOCSIS 3.0 / PC 1.5 Touchstone Residential Gateway
HW_REV: 3
VENDOR: ARRIS Group, Inc.
BOOTR: 4.2.0.45
SW_REV: 9.1.103BP
MODEL: TG2472G

Serial Number:7452ULAEG******

Battery Charger FW Rev:03.30

Options:

 Firmware Build and Revisions

Firmware Name:TS0901103BP_020418_24XX.GW

Firmware Build Time:Sun Feb 4 18:33:43 EST 2018

eSAFE 0 FW Revision:TS0901103BP_020418_ARRIS_GW
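An added example (not from the poster or from Arris): a Python parser for a run of SSDP M-SEARCH replies in the format posted above. It collapses the repeated replies onto the device uuid carried in USN, collects the ST values each device advertised, and flags any device whose LOCATION URL sits outside the LAN you are scanning from, as the 192.168.100.3 URL does on a 192.168.0.0/24 network. The embedded sample is constructed from two of the posted replies.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the format of the posted capture (two of its replies).
SAMPLE_CAPTURE = """\
HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1801
LOCATION: http://192.168.100.3:49152/wps_device.xml
SERVER: Unspecified, UPnP/1.0, Unspecified
ST: upnp:rootdevice
USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8::upnp:rootdevice

HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1801
LOCATION: http://192.168.100.3:49152/wps_device.xml
SERVER: Unspecified, UPnP/1.0, Unspecified
ST: urn:schemas-wifialliance-org:device:WFADevice:1
USN: uuid:2966113f-d2b2-59fa-ba42-5c801a2385c8::urn:schemas-wifialliance-org:device:WFADevice:1
"""

UUID_RE = re.compile(r"uuid:([0-9a-fA-F-]+)")

def parse_responses(text):
    """Split a text capture into one header dict per M-SEARCH reply (keys upper-cased)."""
    responses = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("HTTP/1.1 200"):
            continue  # not a reply; a stream follow also carries unrelated UDP traffic
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().upper()] = value.strip()
        responses.append(headers)
    return responses

def devices(text):
    """Collapse replies onto the device uuid inside USN -> location, server, set of STs."""
    found = {}
    for h in parse_responses(text):
        m = UUID_RE.search(h.get("USN", ""))
        if m:
            dev = found.setdefault(m.group(1), {"location": h.get("LOCATION"),
                                                "server": h.get("SERVER"), "st": set()})
            dev["st"].add(h.get("ST", ""))
    return found

def off_subnet_locations(text, lan_cidr):
    """uuids whose LOCATION host lies outside the LAN being scanned: a 192.168.100.x URL
    seen from 192.168.0.0/24 most likely belongs to another interface of the gateway."""
    lan = ipaddress.ip_network(lan_cidr)
    flagged = []
    for uuid, dev in devices(text).items():
        host = urlparse(dev["location"] or "").hostname
        if host and ipaddress.ip_address(host) not in lan:
            flagged.append(uuid)
    return flagged
```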

Looks like .252 is the USB attached storage virtual server as referenced here - https://arris.secure.force.com/consumers/articles/General_FAQs/SBG7580-AC-USB-Media-Sharing/?l=en_US&fs=RelatedArticle

 

That would make sense. Go into the options and uncheck Enable Media Sharing and see if it goes away.

Hello,

 

Here's what I found for ARRIS Corp:

 

Support

1-877-466-8646, option 1

Sun-Sat 7AM-12AM CST

 

There are also several local offices in the United States:

 

Austin, Texas

512 837 7400

 

Beaverton, Oregon

503 495 9240

 

Boca Raton, Florida

561 995 6000

 

Chicago, Illinois

630 281 3000

 

Denver, Colorado

720 895 7000

 

Horsham, Pennsylvania

215 323 1000

 

Lowell, Massachusetts

978 614 2900

 

Nevada City, California

530 274 5400

 

Philadelphia, Pennsylvania

215 209 6160

 

San Diego, California

1 800 225 9446

 

Santa Clara, California

408 235 5500

 

Sunnyvale, California

650 265 4200

 

Suwanee, Georgia

678 473 2907

 

Wallingford, Connecticut

203 303 6400

 

Regards,

 

Aryeh Goretsky

 
