paragon55 (0) - Posted July 30, 2020

As the title says, only ESET Connected Home Monitor seems to be finding this "device". I have tried many other ways to see it but nothing else can find it. Because of this it makes me believe it's just an error or something to do with ESET itself.

The "device" shows as different things sometimes, but a common one is "edge-mqtt-shv-01-any2" or "edge-mqtt-shv-01-any2.facebook.com" and the IP is the same as my local computer (10.0.0.xxx), but sometimes it's a different IP which can be looked up as Facebook Ireland and sometimes Google. Makes no sense to me. The MAC address is always the same, being 00-11-22-AB-CD-EE - CIMSIS Inc. Sometimes there will be an icon saying it is running network services (port 445, SMB 2), shown in the attached screenshots.

ESET sees it at random times during the day; it doesn't seem to be specific and nothing I do seems to trigger it. Any ideas?
Marcos (Administrators, 5,277) - Posted July 31, 2020

The reference to CIMSYS Inc is weird, it seems to be a really small Korean company:

Quote
Cimsys Inc is a semiconductors company based out of 1831 E 71st St, Tulsa, Oklahoma, United States. Company size: 1-10 employees

At https://forums.att.com/conversations/att-internet-features/is-this-a-loop-or-is-someone-trying-to-get-into-my-network/5e43a9a1c17a06619164ea04 I found:

Quote
All mac addresses beginning with 00-11-22 belong to the owner Cimsys Inc in #301, Sinsung-Clean Bldg, 140, Nongseo-Ri, Kiheung-Eup Yongin-City Kyunggi-Do 449-711 Korea.

Please enable advanced logging under Help and support -> Details for technical support and then run a network scan with CHM. Next disable logging and collect logs with Log Collector. When done, upload the generated archive along with the file C:\ProgramData\ESET\ESET Security\homenet.dat here. Maybe it will shed more info.
itman (1,751) - Posted July 31, 2020 (edited)

My best guess is this is related to Facebook tracking: https://www.henrirantanen.fi/2019/01/05/stop-facebook-tracking/ . Troublesome is the port 445 SMB2 protocol reference, which could imply some type of worm use to harvest data from the entire network.

The first step here is to see if port 445 is open on the router. Go here: https://www.grc.com/shieldsup and run the Common ports test. Report back on the status of port 445.

Edited July 31, 2020 by itman
itman (1,751) - Posted July 31, 2020 (edited)

As far as this goes:

15 hours ago, paragon55 said:
The MAC address is always the same, being 00-11-22-AB-CD-EE - CIMSIS Inc

Refer to this thread: https://forum.netgate.com/topic/152536/arp-00-11-22-ab-cd-ee-is-using-my-ip-address/2

Quote
So, it turns out my wife's company uses some L2 VPN and due to a server misconfiguration, I was seeing the vpn client on her laptop misbehave. She raised a ticket with their IT and the rest is beyond our control. As far as the issue in my network, after turning off the ISP router's wifi and putting all our devices behind pfsense box, I'm not seeing those issues any more. Phew! The moment I was about to turn off the capture I saw the smoking gun. I was almost getting ready to call the device malicious and return it.

Edited July 31, 2020 by itman
paragon55 (0, Author) - Posted July 31, 2020

50 minutes ago, itman said:
My best guess is this is related to Facebook tracking: https://www.henrirantanen.fi/2019/01/05/stop-facebook-tracking/ . Troublesome is the port 445 SMB2 protocol reference, which could imply some type of worm use to harvest data from the entire network. The first step here is to see if port 445 is open on the router. Go here: https://www.grc.com/shieldsup and run the Common ports test. Report back on the status of port 445.

Here is a screenshot of relevant ports on that test. All other tests on the site say Stealth (pass) also. I know that port 445 is open on my computer though, if it matters.
itman (1,751) - Posted July 31, 2020

Additional reference here:

Quote
I have the public hot spot turned off. It's been several weeks since I first posted that question. The stalker continues the attacks but I have figured out that it's automated, precisely 1:01 a.m. & 7:01 a.m. He will usually use the default router IP address & the same description but thanks to my Fingbox, I can see the difference. I used to be able to block it in the router interface, as well as Fingbox, but he caught onto that and changed the MAC address to a generic 00:11:22:AB:CD:EE. Occasionally he'll try using the IP address of my Echo Show or other ones like my iPhone but the MAC address & vendor stays the same, as does the OS, so it's still blocked. Burning question for me is how does he connect to my network in the first place when I have a strong VPN, hidden network name, Xfinity's so-called "Advanced Security" which is supposed to protect against such things? Never mind, that's probably a stupid question.

https://community.fing.com/discussion/2486/blocking-a-previously-blocked-device
paragon55 (0, Author) - Posted July 31, 2020

I've seen those posts already but they don't help much.
itman (1,751) - Posted July 31, 2020

Assumed here is the CIMSYS reference is to some type of network hardware device that existed at some time. As noted here: https://macaddress.webwat.ch/vendor/CIMSYS_Inc , there was a driver for whatever this is. Note that the driver download link is no longer valid.

This does not however imply that somehow the driver is currently being used maliciously. You might want to check your Windows driver directory for any recent driver (i.e. .sys) file creations and anything related to CIMSYS.
paragon55 (0, Author) - Posted July 31, 2020

I should mention the only reason this sparked some interest is because only ESET CHM so far has detected it. I tried other ways to see it (Avast, AVG, TrendMicro and other IP scanner utilities) but only ESET has ever found anything. This almost leads me to believe it's just a problem with ESET CHM somehow.
itman (1,751) - Posted July 31, 2020

It also appears that the CIMSYS reference might be related to a driver for Bluetooth devices: https://escrutgers.com/cimsys-bluetooth-15/

In Windows, open Control Panel -> Hardware and Sound -> Devices and Printers and see if anything related to CIMSYS is shown. Likewise using Device Manager, look for unknown devices and what driver those devices are using.
itman (1,751) - Posted July 31, 2020 (edited)

11 minutes ago, paragon55 said:
This almost leads me to believe it's just a problem with ESET CHM somehow.

You can download the portable version of this: https://www.nirsoft.net/utils/wireless_network_watcher.html i.e. ZIP file download, and see if the CIMSYS device shows.

Edited July 31, 2020 by itman
paragon55 (0, Author) - Posted July 31, 2020 (edited)

11 minutes ago, itman said:
It also appears that the CIMSYS reference might be related to a driver for Bluetooth devices: https://escrutgers.com/cimsys-bluetooth-15/ In Windows, open Control Panel -> Hardware and Sound -> Devices and Printers and see if anything related to CIMSYS is shown. Likewise using Device Manager, look for unknown devices and what driver those devices are using.

Interesting, because I have been using some Bluetooth devices recently (USB Bluetooth keys for a controller). I don't have them currently plugged in but I did install some drivers for them, although I uninstalled the drivers after removing the device, so, not sure? I also currently use a 2.4 GHz wireless gaming controller which is directly plugged into the PC. Although no idea how to check any information on that.

Edited July 31, 2020 by paragon55
paragon55 (0, Author) - Posted July 31, 2020

22 minutes ago, itman said:
You can download the portable version of this: https://www.nirsoft.net/utils/wireless_network_watcher.html i.e. ZIP file download, and see if the CIMSYS device shows.

Just the usual (expected) devices are shown using this software, as per all the other software I've tried.
paragon55 (0, Author) - Posted July 31, 2020

It was gone for a while but now ESET detected it again as shown in the screenshot.
itman (1,751) - Posted July 31, 2020 (edited)

IP address 172.253.63.199 is Google:

Quote
Hierarchical analysis of the entity 172.253.63.188
whois: Google LLC (GOGL)
route : 172.253.63.0/24
bgp: AS15169
asname: Google Google, Inc
descr: Google
location: Mountain View, United States

Pondering this a bit more, "my money is on" this is Bluetooth device connection. Eset HCM is detecting it whenever the device establishes a connection on your Wi-Fi router. When the device disconnects from your router, the connection disappears.

The source device could be within your premises. Or if your Wi-Fi connection on the router is not properly secured, it can be any device within range of your Wi-Fi router such as your neighbors or a Wardriveby: https://en.wikipedia.org/wiki/Wardriving

Edited July 31, 2020 by itman
paragon55 (0, Author) - Posted July 31, 2020

26 minutes ago, itman said:
IP address 172.253.63.199 is Google: Pondering this a bit more, "my money is on" this is Bluetooth device connection. Eset HCM is detecting it whenever the device establishes a connection on your Wi-Fi router. When the device disconnects from your router, the connection disappears. The source device could be within your premises. Or if your Wi-Fi connection on the router is not properly secured, it can be any device within range of your Wi-Fi router such as your neighbors or a Wardriveby: https://en.wikipedia.org/wiki/Wardriving

I have checked all my modem settings including changing the passwords to more secure ones and upping the firewall level also. Why would ESET only be able to see this and literally nothing else I've tried can, though? That's the puzzling part.
itman (1,751) - Posted July 31, 2020 (edited)

1 hour ago, paragon55 said:
Why would ESET only be able to see this and literally nothing else I've tried can, though? That's the puzzling part.

The first question is if Eset is showing a firewall alert when one of these connections is established? Try setting Eset new network detection to "Ask user" as shown below. Hopefully this might shed some light on the device being used.

Edited July 31, 2020 by itman
paragon55 (0, Author) - Posted July 31, 2020

10 minutes ago, itman said:
The first question is if Eset is showing a firewall alert when one of these connections is established? Try setting Eset new network detection to "Ask user" as shown below. Hopefully this might shed some light on the device being used.

I have it set like that and yes, I do get a pop-up saying a device connected when it happens, but nothing further.
itman (1,751) - Posted July 31, 2020

Also refer to this Eset CHM Knowledgebase FAQ: https://support.eset.com/en/kb6268-eset-connected-home-monitor-faq . Browse to this section, "What do the icons on the devices in Connected Home Monitor mean?". What icon is showing for this device?
itman (1,751) - Posted July 31, 2020

4 minutes ago, paragon55 said:
yes I do get a pop-up saying a device connected when it happens but nothing further.

If this is the alert: Click on "View device" to see device details about the new connection.
paragon55 (0, Author) - Posted July 31, 2020

9 minutes ago, itman said:
If this is the alert: Click on "View device" to see device details about the new connection.

Yes, that's it, and when I click it that's how I obtain the above details.
itman (1,751) - Posted July 31, 2020

1 minute ago, paragon55 said:
Yes, that's it, and when I click it that's how I obtain the above details.

And just what are the details? Preferably shown in a screenshot.
paragon55 (0, Author) - Posted July 31, 2020

1 minute ago, itman said:
And just what are the details? Preferably shown in a screenshot.

Not much, and it seems to vary, but right now it's showing (blacked out computer and network name for privacy):
itman (1,751) - Posted July 31, 2020 (edited)

Is 10.0.0.220 your router's IP address? That's what it looks like to me.

Next, in regards to the MAC address of your router. I assume it is not 10-11-22-AB-CD-EF. It really appears that some type of MAC spoofing: https://en.wikipedia.org/wiki/MAC_spoofing is being performed against your router. This is what triggered the Eset alert since as far as Eset is concerned, this is a new device to it. As the Wikipedia article notes:

Quote
However, many drivers allow the MAC address to be changed.

As such, it really is starting to look like you have a malicious driver installed. Additional possibilities are:

Quote
Identity masking
If a user chooses to spoof their MAC address in order to protect the user's privacy, this is called identity masking. One might wish to do this because, as an example, on a Wi-Fi network connection a MAC address is not encrypted. Even the secure IEEE 802.11i-2004 (WPA) encryption method does not prevent Wi-Fi networks from sending out MAC addresses. Hence, in order to avoid being tracked, the user might choose to spoof the device's MAC address. However, hackers use the same technique to maneuver around network permissions without revealing their identity. Some networks use MAC filtering in order to prevent unwanted access. Hackers can use MAC spoofing to get access to a particular network and do some damage. Hackers' MAC spoofing pushes the responsibility for any illegal activity onto authentic users. As a result, the real offender may go undetected by law enforcement.

MAC Address Randomization in WiFi
To prevent third parties from using the MAC address to track devices, Android, Linux, iOS, and Windows have implemented MAC address randomization. In June 2014, Apple announced that future versions of their iOS platform would randomize MAC addresses for all WiFi connections. The Linux kernel has supported MAC address randomization during network scans since March 2015, but drivers need to be updated to use this feature. Windows has supported it since the release of Windows 10 in July 2015.

The strong possibility is Win 10 is doing the above MAC address randomization and Eset is misidentifying this activity as a new network connection.

BTW - this has nothing to do with Eset Home Connection Monitor per se. It's Eset Network Protection that is detecting a new network connection.

Edited July 31, 2020 by itman
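The check a defender would run to separate "randomized or software-set MAC" from "vendor-assigned MAC" is mechanical, so here it is as an added example (not code from this thread, from ESET, or from any tool named above). It applies the IEEE 802 first-octet bit rules to the address the thread quotes and looks the OUI up in a tiny table constructed from the one prefix named on the page; a randomized Wi-Fi address (Windows 10, iOS, Android) always sets the locally administered bit, so an address whose OUI resolves to a registered vendor cannot have come from that randomization. The second sample address and the OUI table are constructed for the example.

```python
"""Triage an unfamiliar MAC address seen on a home LAN (added example)."""
import re

# Constructed OUI table: only the prefix named in the thread.
OUI_TABLE = {"00-11-22": "Cimsys Inc"}

# Six hex pairs, optionally separated by '-', ':' or '.' (same separator throughout).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:.]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Return the address as six upper-case hex pairs joined by '-'."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[-:.]", "", mac).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac, oui_table=OUI_TABLE):
    """Classify a MAC address from its first octet and OUI.

    First-octet bits (IEEE 802):
      0x01 (I/G): set means group/multicast, never a real host's source address.
      0x02 (U/L): set means locally administered (software-set or randomized);
                  clear means a vendor-burned address under an IEEE-assigned OUI.
    """
    norm = normalize_mac(mac)
    first = int(norm[:2], 16)
    oui = norm[:8]
    result = {
        "mac": norm,
        "oui": oui,
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
        "vendor": oui_table.get(oui),
    }
    if result["locally_administered"]:
        result["verdict"] = "locally administered (randomized or software-set); OUI lookup is meaningless"
    elif result["vendor"]:
        result["verdict"] = f"globally unique address registered to {result['vendor']}"
    else:
        result["verdict"] = "globally unique address, OUI not in local table"
    return result


if __name__ == "__main__":
    # First address is the one from the thread; second is constructed with the U/L bit set.
    for sample in ("00-11-22-AB-CD-EE", "02:11:22:ab:cd:ee"):
        print(sample, "->", classify_mac(sample)["verdict"])
```

The first address comes back as a vendor-assigned OUI with neither bit set, which is the result that distinguishes it from an OS-randomized address; the real OUI registry has tens of thousands of prefixes, so swap in a full table before drawing conclusions about unknown prefixes.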
paragon55 (0, Author) - Posted August 1, 2020

10.0.0.220 is my computer's address and no, 00-11-22-AB-CD-EF is not my router's MAC address.