Mystery MAC in AiProtection


NSNE

Regular Contributor
Was checking the AiProtection console and saw the following under Two-Way IPS alerts:



The odd thing about the top-hit MAC address is that it doesn't appear to exist on my network. It's a Cisco device, apparently, but I don't own any Cisco-branded devices and the MAC doesn't appear to be associated with any device I've been able to locate. I have my topology pretty well mapped out and all my devices named in Asus WRT.

What could be the possible causes for this mystery MAC? Also, what's with the all-zero MAC?

If it helps ID the device, the most commonly deflected attack appears to be "EXPLOIT Remote Command Execution via Shell Script -2".
 
The Cisco device will be your cable modem or another piece of your ISP's kit depending on your type of connection. Please see all the previous posts that have reported this.
 
I searched for similar posts with the keyword "aiprotection" but didn't see anything recent.

There are a few around, but to be honest they have not helped me much either. I saw a mysterious device made by Arris.

I originally noticed it in AIProtect too. I don't have any devices made by Arris. I have still not located this device, but I have since turned off AIProtect and instead I am using Skynet w/ Merlin. However there was a device about a year or so ago that I had trouble locating and it turned out to be a wifi down/modem reset plug I had purchased off Amazon.

My mysterious Arris device has had hits in the hundreds when it was running. I have run many LAN scans with multiple apps and none ever detects it. The router itself never finds the device. It only shows in AIProtect.

Of interest mine were also always "EXPLOIT Remote Command Execution via Shell Script -2".

I wonder, in the back of my head, could it be something on the AIProtect end, since I have no logical assumption it's mine? Just my pondering on this subject.

* The only device I have added recently is a Philips Hue; I need to check and see if I borked the MAC address.
 
Nope,

I just had my customer owned Netgear modem replaced by a Hitron from Spectrum (gig plan no customer owned allowed).

I need to really get into my cabinet and look at the Hue; it's the only change in a year to my devices, well, except for a new iPhone upgrade. But it's not Arris etc.
* Think I edited my post about the Hue while you were replying.
 
Bear in mind that if the device is on your ISP's side then doing LAN scans won't find it. Also remember that the "vendor" reported will be the company that makes the chipset which is often not the same as the brand on the box.

If the device is still active on your network, it should be identifiable with the following commands when issued from the router.

Code:
# ip neigh
# arp -a
 
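Added example (not from the thread or from AsusWRT): a small POSIX shell helper that checks whether the MAC shown in an AiProtection alert appears in the router's neighbour table, using constructed `ip neigh` output so it runs offline. It also reports the OUI prefix for a vendor lookup, treats the all-zero address as unresolvable, and returns 1 when the MAC is absent, which is what you would expect for a device upstream of the router.

```shell
#!/bin/sh
# Added example, not the thread's or the router firmware's own code.
# SAMPLE_NEIGH is constructed `ip neigh` output so the script runs offline;
# on the router itself, call: lookup_mac "<mac from the alert>" "$(ip neigh)"

SAMPLE_NEIGH='192.168.1.10 dev br0 lladdr 3c:22:fb:aa:bb:cc REACHABLE
192.168.1.23 dev br0 lladdr 00:1a:a1:de:ad:01 STALE
192.168.1.50 dev br0  FAILED
fe80::1 dev br0 lladdr 3c:22:fb:aa:bb:cc router REACHABLE'

# normalise_mac MAC: lower-case hex, and accept "-" as well as ":" separators
normalise_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/-/:/g'
}

# lookup_mac MAC NEIGH_OUTPUT
#   prints "<ip> <state>" for every neighbour entry whose lladdr matches MAC
#   exit 0 = found, 1 = not in the table (e.g. ISP-side kit), 2 = all-zero MAC
lookup_mac() {
    mac=$(normalise_mac "$1")
    neigh=$2
    if [ "$mac" = "00:00:00:00:00:00" ]; then
        echo "all-zero MAC is not a station address; nothing to look up" >&2
        return 2
    fi
    # only the field after "lladdr" is compared, so a MAC embedded elsewhere
    # in a line (e.g. inside an IPv6 address) is not a false match
    found=$(printf '%s\n' "$neigh" | awk -v m="$mac" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "lladdr" && $(i+1) == m) print $1, $NF
        }')
    if [ -z "$found" ]; then
        # ${mac%:*:*:*} strips the last three octets, leaving the OUI prefix
        echo "$mac (OUI ${mac%:*:*:*}) not in neighbour table; a LAN scan will not find it if it is upstream of the router" >&2
        return 1
    fi
    printf '%s\n' "$found"
}
```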
I think, hesitantly, I am onto something. It's always my teens' devices that get hit with the AIProtection warnings. ALWAYS.

My 15-year-old says his mom gave him the Wi-Fi password for his Nintendo (whatever kind he has :p ).
For some reason the device was listed as Arris; however, it's wrong? This is not the first time I have seen this behavior; I saw it before with that Wi-Fi plug.

Thanks for the commands; now, when the thing charges up, I'll check the commands.

@NSNE One thing I did find in my search was don't forget about Wi-Fi-enabled cars. I forgot one time my Ford Sync was connected to the Wi-Fi for an update. I was scratching my head till that post/thread reminded me. That one is certainly filed away in the filing cabinet for later use now. :D
 