MAC Addresses coming up as unavailable

yellowbluegreen

Also there appears to be a device pretending to be my Mac book which I've removed multiple times that keeps reappearing. Initially it was coming up with the exact same name (Voldemort's Mac book air) so I uncapitalised the V in Voldemort on my Mac book which it then copied. I renamed the one I believe to be my real Mac book on the fing app so I can now tell them apart.

I reset my router last night and changed the name and password of my network two weeks ago and haven't shared it with anyone.

When I check the ports on my router from the fing app it looks as though there's thousands open. Is this normal?

Lastly, when I factory reset my router it reverts to the last network name and password I had. I contacted my ISP about this as I thought it seemed to defeat the purpose of a factory reset but they assured me it's normal. Is this normal?

I have very little knowledge in this area (which is probably quite apparent lol). Any advice would be much appreciated.

Thanks in advance 🙏

Marc

@yellowbluegreen, it looks like the router is remotely managed and stores it’s configuration in the cloud as well.  I am imagining the vendor considers this a convenience in case you need to replace it, data is not lost.  That could also explain why your account and password settings come back after a reset.  
As to why the phantom system keeps appearing, some routers clone a systems MAC and impersonate the router with it.  Could be why but I’m not convinced.  @Robin, @Pooh, @kltaylor, @Hronos, any ideas?

yellowbluegreen

Also, maybe a day ago I was adjusting what comes up in the sidepane in finder, either under connected serves or bonjour computers (I know nothing about either) noticed it said there was a PC with a random number as it's name connected. Then while going through my settings trying not to freak out I saw whatever this is (smbd?) had full disk access which I revoked

Marc

Are you sharing files or printers with any windows machines on your network?  See this..  https://discussions.apple.com/thread/1125437

yellowbluegreen

I've got an HP printer which I bought about a month ago and have been using via Bluetooth off my phone. I'm pretty sure I haven't installed HP software on my Mac so far but will double check. I definitely don't recall granting anything full disk access other than Etrecheck a while ago.

yellowbluegreen

This is what comes up for the mac address for all devices

yellowbluegreen

This is the only information showing for the phantom laptop. Also the hostname for my actual Mac book is showing as my phone's name (the ✨😈etc emojis

Marc

I'm at a loss...  I'm hoping one of the others on this forum can help...

yellowbluegreen

No worries, appreciate your help Marc.

Pooh

Just as an FYI; smbd is the Windows file sharing daemon that is part of the samba implementation.

IIRC it comes out the box configured with full disk access.

yellowbluegreen

Ok cool, I didn't know that Mac books come with it preconfigured and thought Etrecheck was the only software I'd seen previously under full drive access. I'll google samba also.

Thanks

Marc

https://community.fing.com/discussion/comment/5878#Comment_5878

The mac shouldn’t come with it preconfigured and running. For example mine is not running it. Something would have caused it to be used. Probably nothing nefarious, just some piece of software or agent that needed it.

VioletChepil

@yellowbluegreen I'm just inquiring on some follow-up information with the team and we'll be back shortly with more details from @Robin

kltaylor

Marc said:

@yellowbluegreen, it looks like the router is remotely managed and stores it’s configuration in the cloud as well.  I am imagining the vendor considers this a convenience in case you need to replace it, data is not lost.  That could also explain why your account and password settings come back after a reset.  
As to why the phantom system keeps appearing, some routers clone a systems MAC and impersonate the router with it.  Could be why but I’m not convinced.  @Robin, @Pooh, @kltaylor, @Hronos, any ideas?

I would assume the same thing, @Marc , but don't ask my opinion on saving router settings on the manufacturer's server ("cloud").

Robin_Ex_Fing

Hi @yellowbluegreen
First, Can you confirm if you have Fingbox or not? If you don't, then Can you make please make sure all permissions especially location permissions are enabled for the Fing App? After checking the permissions, can you remove the same device and then run the scan again if the same device appears or not.

kltaylor

Good questions to ask, @Robin

Marc

kltaylor said:

Marc said:

@yellowbluegreen, it looks like the router is remotely managed and stores it’s configuration in the cloud as well.  I am imagining the vendor considers this a convenience in case you need to replace it, data is not lost.  That could also explain why your account and password settings come back after a reset.  
As to why the phantom system keeps appearing, some routers clone a systems MAC and impersonate the router with it.  Could be why but I’m not convinced.  @Robin, @Pooh, @kltaylor, @Hronos, any ideas?

I would assume the same thing, @Marc , but don't ask my opinion on saving router settings on the manufacturer's server ("cloud").

Yea, there are some cloud manage gear features I stay away from.  The ability to manage my NAS and Router.  Local access and control is just fine thank you very much Western Digital and Linksys. 

yellowbluegreen

Hi @Robin

I don't have a Fingbox yet. I'll check the permissions then remove it and rescan now then give an update on how it goes.

Thanks heaps

yellowbluegreen

I went to the permissions and changed location from 'while using' to 'always' and noticed recognise devices wasn't on so I turned that on too. I removed it then rescanned and it's still there. For the first half second it was back up after rescanning it came up as 'generic' before going back to the name 'voldermorts-air'

yellowbluegreen

😧 I re-read your comment and saw you said ALL permissions and realised I hadn't turned on privacy mode, just re did it with it on and it came up 'generic' then 'VOLDERMORT etc' in capitals then first letter capitalisation all within a second. Now when I click on it a lot more is coming up in the info like mac address while my other devices still have no mac address. Below is a screenshot of the phantom one with the mac address vs my real mac and it's name changing while the scan loaded

VioletChepil

Hello @yellowbluegreen

I've checked in with multiple team members and have some more tips/information for you. 

We can pin this down to device identification issues. Since iOS 11 - device ID is based on random MACs and thus not reliable. 
https://help.fing.com/knowledge-base/cant-fing-see-mac-addresses-ios-11/

Fing App can't detect by MAC address devices without Fingbox - and thus when a device changes IP addresses - the customizations get mixed up. In iOS 11 and above, Apple implemented MAC address randomization - and this seems like an effect of that. 
So seems that the MAC address customizations got dropped when the device changed IP. 

What can we do about it?
- We're working on a more reliable means of device ID for this case - which we're currently testing with Fingbox users. https://community.fing.com/discussion/1121/improved-device-recognition-for-fingbox-users-testers-needed#latest 
- If you follow beta testing category here:  https://community.fing.com/categories/announcements You'll get notified if/when that beta test comes to Fing App.

- We're developing a PC/MAC version of Fing App to help mitigate this too. (Also like above, beta testing would be posted in that category). Device ID will be much improved on PC/MAC version of Fing App.  
- In the meantime, we suggest that you enter as many details as possible about the device to improve Fing algorithms for device ID 
- It will be best that you use Fingbox and soon Fing Desktop for the best device ID possible. 
I hope this helps!
Cheers,
Violet

yellowbluegreen

Hey all,

Thought I'd update this as I just got to the bottom of the issue after installing malwarebytes. It turns out it was osx.birdminer using my computer for cryptomining 😯 lol. https://securityaffairs.co/wordpress/87422/malware/bird-miner-cryptominer.html

Thanks everyone for helping me to try and figure it out.

Cheers

[Deleted User]

The user and all related content has been deleted.