
We have a small office, and on checking the router logs I noticed that a number of computers have requested an IP address from the office router outside of business hours.

This is the log file output:

188 2016-11-18 06:50:58 DHCPD   Notice  Send ACK to 192.168.1.101
189 2016-11-18 06:50:58 DHCPD   Notice  Recv REQUEST from F8:0F:41:D0:4C:FB
190 2016-11-18 06:50:58 DHCPD   Notice  Send OFFER with ip 192.168.1.101
191 2016-11-18 06:50:58 DHCPD   Notice  Recv DISCOVER from F8:0F:41:D0:4C:FB
192 2016-11-18 06:41:40 DHCPD   Notice  Send ACK to 192.168.1.131
193 2016-11-18 06:41:40 DHCPD   Notice  Recv REQUEST from 64:EB:8C:53:D8:6E
194 2016-11-18 04:45:00 DHCPD   Notice  Send ACK to 192.168.1.143
195 2016-11-18 04:45:00 DHCPD   Notice  Recv REQUEST from 98:EE:CB:03:B8:69
196 2016-11-18 03:58:28 DHCPD   Notice  Send ACK to 192.168.1.143
197 2016-11-18 03:58:28 DHCPD   Notice  Recv REQUEST from 98:EE:CB:03:B8:69
198 2016-11-18 03:40:30 DHCPD   Notice  Send ACK to 192.168.1.111
199 2016-11-18 03:40:29 DHCPD   Notice  Recv REQUEST from F8:0F:41:D0:4D:6E
200 2016-11-18 02:33:52 DHCPD   Notice  Send ACK to 192.168.1.127
201 2016-11-18 02:33:52 DHCPD   Notice  Recv REQUEST from FC:3F:DB:21:34:E2

The employees turn off their computers when finished work. I have confirmed that all but two of the logged MAC addresses belong to computers in our office.

We recently had a security breach. We reset the router, all the admin passwords and the WiFi passwords.

Is it possible that these computers could be turning themselves on outside of business hours and making themselves accessible to people outside of our network?

Kamil Maciorowski

1 Answer

As for the first question asked:

Is it possible that these computers could be turning themselves …

Yes, computers can turn themselves on and have had this capability for ages. For IBM-compatible PCs this has been normal since they got ATX PSUs (since about 1995). If you go to the motherboard's firmware (aka BIOS or UEFI) you often have an option to configure this. Quite useful if you have an old PC and want it to power up and boot before you get to the office.


The second part of your question

… and making themselves accessible to people outside of our network?

is independent from the first part. If that happens when the computers power on (regardless of whether they powered on by themselves or by you pressing the power button) then you have a problem. If that is the case then the security breach has not been fixed yet.


Lastly, if you have the MAC address then you can look at the first three bytes. They will tell you which manufacturer made the network card that is requesting the IP. This can help to identify the source (e.g. only DHCP requests from printers, or from mobile (personal?) phones…).

I looked up the addresses in your post:

MAC addresses starting with F8:0F:41 or with 98:EE:CB belong to Wistron InfoComm. According to Wikipedia this firm makes tablets, mobile phones and other devices running Chrome OS.

MAC addresses starting with 64:EB:8C belong to Seiko Epson Corporation. Those might be printers (then again, printers probably have their own IP range in an office, though possibly with a reserved MAC → IP on the DHCP server).

MAC addresses starting with 4C:A1:61 belong to Rain Bird Corporation. Every search I did on that name resulted in a sprinkler firm.


Finally:

Are our logfiles incorrect?

I doubt that. Some things seem to be requesting IP information. This is being logged. No fault in the logging. The bigger problem is: why are they doing that out of office hours? Is there a lawn sprinkler system which is powered on all day (and which is probably supposed to be on 24/7)? Are there printers which are not powered off but instead go to sleep mode? Are there laptops or PCs which do not get properly turned off but which instead go to a low-power (sleep?) mode, detect low battery and power up in order to go to a deep sleep mode?

Basically, find out which device it is (should be easy, you have MACs and IPs, so you can either use documentation to look up which PC it is, or use the router to find out which device it is). Then research further from those devices. (In the case of a Windows computer try powercfg lastwake).

siegi
Hennes
  • Except that I've recently learned that MAC addresses can be changed. Comcast does this frequently on their router/modems. – DocSalvager Nov 24 '16 at 04:06
  • MAC addresses usually are built into the NIC's ROM. Many NICs copy from this to their working space, allowing you to change that. But if it is changed then it becomes the job of the person changing it to make 100% sure that it is unique on the LAN. Which you can only do if you control all [potential] devices on that LAN. Since this offers no advantage and only creates potential problems there is no good reason to ever change a MAC. – Hennes Nov 25 '16 at 09:42
  • Maybe I should expand on 'no good reason'. There are two exceptions: ARP poisoning attacks (as the attacker), and a few decades ago cable modem ISPs only supported one single PC per cable modem. That was done by only allowing access from a single MAC. As far as I know this has not been used in the last decades, so any workarounds for that are probably from outdated guides. As for Comcast, are they changing their MAC or their device (including its MAC)? The latter seems more likely, and may be due to some load balancing. – Hennes Nov 25 '16 at 09:43
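The two checks the answer walks through (the OUI lookup on the first three bytes of each MAC, and picking out which DHCP clients asked for a lease outside office hours) as an added worked example; this is not code from the question or the answer. It assumes the log line format shown in the question, an office-hours window of 08:00 to 18:00, and a vendor table built only from the OUIs the answer looked up (a real lookup would use the IEEE OUI registry).

```python
import re
from datetime import datetime, time

# Constructed sample in the question's log format: line number, timestamp,
# facility, severity, message (newest entries first, as on the router).
SAMPLE_LOG = """\
188 2016-11-18 06:50:58 DHCPD   Notice  Send ACK to 192.168.1.101
189 2016-11-18 06:50:58 DHCPD   Notice  Recv REQUEST from F8:0F:41:D0:4C:FB
190 2016-11-18 06:50:58 DHCPD   Notice  Send OFFER with ip 192.168.1.101
191 2016-11-18 06:50:58 DHCPD   Notice  Recv DISCOVER from F8:0F:41:D0:4C:FB
193 2016-11-18 06:41:40 DHCPD   Notice  Recv REQUEST from 64:EB:8C:53:D8:6E
201 2016-11-18 02:33:52 DHCPD   Notice  Recv REQUEST from FC:3F:DB:21:34:E2
"""
# OUI (first three bytes) to vendor, only the prefixes named in the answer.
OUI_VENDORS = {
    "F8:0F:41": "Wistron InfoComm",
    "98:EE:CB": "Wistron InfoComm",
    "64:EB:8C": "Seiko Epson Corporation",
    "4C:A1:61": "Rain Bird Corporation",
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed office hours

# Only DISCOVER/REQUEST lines carry the client MAC; ACK/OFFER lines do not.
LINE_RE = re.compile(
    r"^\d+\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+DHCPD\s+\S+\s+"
    r"Recv (DISCOVER|REQUEST) from ([0-9A-Fa-f:]{17})$"
)

def vendor_for(mac):
    """Map a MAC to its vendor by OUI prefix, or 'unknown OUI' if not listed."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown OUI")

def out_of_hours(ts, hours=BUSINESS_HOURS):
    """True if the timestamp falls outside the business-hours window."""
    return not (hours[0] <= ts.time() < hours[1])

def after_hours_requests(log_text, hours=BUSINESS_HOURS):
    """Return (timestamp, mac, vendor) for each MAC that asked for a lease out of hours."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ACK/OFFER lines or unrelated log entries
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        mac = m.group(3).upper()
        if out_of_hours(ts, hours) and mac not in seen:
            seen[mac] = (ts, mac, vendor_for(mac))
    return sorted(seen.values())

for ts, mac, vendor in after_hours_requests(SAMPLE_LOG):
    print(ts, mac, vendor)
```

A MAC that resolves to "unknown OUI" or to a vendor that does not match any known office device is the one to trace first via the router's client list.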