Please excuse me, this is my first question regarding network security and the first time I have been really interested in learning more.
I have noticed a host on my network with an IP I don't recognize. I can log into my router and list all connected devices, but the host with that IP will not show in the list. It will show in Nmap with a MAC similar to my router's, but with the last digit changed. The host shows all ports closed except port 80 in Ubuntu MATE (where it's serving a blank HTML file).
In my Debian partition it shows the host again with nmap, but shows that all its ports are closed, and when I type the IP in the browser, sure enough, the blank HTML file isn't being served. Is there something that is pretending to be my router, like a MITM, but only able to open ports when I boot into Ubuntu?
What do I do now? At first I thought it was my router having a 2nd IP (because I have an 8-port switch connected to the LAN-4 port so I can connect my IP cameras), but I disconnected that switch and everything except the router and the PC I'm using.
Help please, I don't want my router hacked.
The culprit is always first in the list:
Nmap scan report for 192.168.1.136 <---- this one
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.1.136 are closed
MAC Address: xx:xx:xx:A6:CE:02 (Unknown)
Nmap scan report for 192.168.1.254 <--- my router has always had this IP
Host is up (0.00079s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
111/tcp filtered rpcbind
443/tcp open https
MAC Address: xx:xx:xx:A6:CE:00 (Unknown)
Stats: 0:01:43 elapsed; 255 hosts completed (3 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.00% done; ETC: 08:02 (0:00:00 remaining)
Stats: 0:01:43 elapsed; 255 hosts completed (3 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.00% done; ETC: 08:02 (0:00:00 remaining)
Stats: 0:01:43 elapsed; 255 hosts completed (3 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.00% done; ETC: 08:02 (0:00:00 remaining)
Nmap scan report for starseed.attlocal.net (192.168.1.133)
Host is up (0.000032s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
I tried arp-scan and here is the result:
Interface: enp0s31f6, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.136 xx:xx:xx:a6:ce:02 (Unknown)
192.168.1.136 xx:xx:xx:a6:ce:02 (Unknown) (DUP: 2)
192.168.1.254 xx:xx:xx:a6:ce:00 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.380 seconds (107.56 hosts/sec). 3 responded
Curious as to why my PC doesn't show up (192.168.1.133).
So in the end I got paranoid and turned the WiFi off on router and disconnected everything with sensitive data.
WWYD?
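As an added example (not from the post, and not the arp-scan project's own code), here is a small Python script that parses the arp-scan output quoted above and separates the findings a network owner would actually want to review: replies that are not in a known-device inventory, an IP answered by two different MACs (the real ARP-spoofing indicator; a "(DUP: n)" line carrying the same MAC is only a repeated reply from the same host), and MACs that share the router's vendor prefix and differ only in the last octet, which are commonly additional interfaces of the same device and should be confirmed against the router's own status page rather than assumed hostile. The KNOWN_DEVICES inventory is an assumption with only the router from the post in it. One point relevant to the last question: arp-scan does not list the interface it scans from, so the scanning PC (192.168.1.133) not appearing in its output is expected.

```python
import re
from collections import defaultdict

# arp-scan output copied from the post above; the MAC vendor prefixes are
# masked as "xx:xx:xx" exactly as the poster masked them.
ARP_SCAN_OUTPUT = """\
Interface: enp0s31f6, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.136 xx:xx:xx:a6:ce:02 (Unknown)
192.168.1.136 xx:xx:xx:a6:ce:02 (Unknown) (DUP: 2)
192.168.1.254 xx:xx:xx:a6:ce:00 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.380 seconds (107.56 hosts/sec). 3 responded
"""

# Hypothetical inventory of devices the owner recognises: IP -> MAC.
# Only the router (192.168.1.254, taken from the post) is listed here.
KNOWN_DEVICES = {
    "192.168.1.254": "xx:xx:xx:a6:ce:00",
}

# One arp-scan result line: IP, MAC, "(vendor)", optional "(DUP: n)".
HOST_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fx]{2}(?::[0-9a-fx]{2}){5})\s+"
    r"\((?P<vendor>[^)]*)\)"
    r"(?:\s+\(DUP:\s*(?P<dup>\d+)\))?$",
    re.IGNORECASE,
)


def parse_arp_scan(text):
    """Parse arp-scan stdout into a list of {'ip', 'mac', 'vendor', 'dup'} dicts.

    Header and footer lines are skipped; 'dup' is 0 for a first reply and
    n for a line arp-scan tagged '(DUP: n)'.
    """
    hosts = []
    for raw in text.splitlines():
        m = HOST_LINE.match(raw.strip())
        if not m:
            continue
        hosts.append({
            "ip": m["ip"],
            "mac": m["mac"].lower(),
            "vendor": m["vendor"],
            "dup": int(m["dup"]) if m["dup"] else 0,
        })
    return hosts


def oui(mac):
    """First three octets of a MAC, i.e. the vendor-assigned prefix."""
    return mac[:8]


def analyse(hosts, known):
    """Return a dict of findings worth reviewing, keyed by finding type."""
    first_mac = {}                  # ip -> MAC of the first reply
    macs_per_ip = defaultdict(set)  # ip -> every MAC that claimed that IP
    unknown = []                    # replies not matching the inventory
    repeated = []                   # (ip, mac, n) for '(DUP: n)' lines

    for h in hosts:
        macs_per_ip[h["ip"]].add(h["mac"])
        if h["dup"]:
            repeated.append((h["ip"], h["mac"], h["dup"]))
            continue
        first_mac[h["ip"]] = h["mac"]
        if known.get(h["ip"]) != h["mac"]:
            unknown.append((h["ip"], h["mac"]))

    # One IP answered by two *different* MACs is the classic ARP-spoofing
    # sign; the same MAC answering twice (DUP with identical MAC) is not.
    conflicts = {ip: sorted(m) for ip, m in macs_per_ip.items() if len(m) > 1}

    # Replies sharing a vendor prefix. Consecutive MACs under one prefix are
    # commonly several interfaces of one device (a gateway's LAN, WLAN and
    # guest interfaces, for instance); confirm on the device, don't assume.
    by_oui = defaultdict(list)
    for ip, mac in first_mac.items():
        by_oui[oui(mac)].append((ip, mac))
    siblings = {p: sorted(v) for p, v in by_oui.items() if len(v) > 1}

    return {"unknown": unknown, "conflicts": conflicts,
            "repeated": repeated, "siblings": siblings}


if __name__ == "__main__":
    for key, value in analyse(parse_arp_scan(ARP_SCAN_OUTPUT), KNOWN_DEVICES).items():
        print(f"{key}: {value}")
```

Run against the quoted output, the script reports 192.168.1.136 as not in the inventory, no IP-to-MAC conflict (the DUP line repeats the same MAC), and the two replies grouped under one vendor prefix, which is the pattern to verify on the router's interface list before treating the host as an intruder. Pipe real `arp-scan --localnet` output into `parse_arp_scan` and fill KNOWN_DEVICES from the router's client list to use it on a live network.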