CIMSYS anyone?

realm174
Grasshopper

I recently came across something slightly unusual, and I'm hoping some of you here either know about this or can figure it out. Shaw's technical lack-of-support stance on the subject is "Your internet is working, this is outside the scope of support".

My LAN is on 192.168.0.0/24

I recently was monitoring traffic, trying to troubleshoot an unrelated issue, and noticed that there was a device talking all over my network. The strange thing about it is the MAC and IP:

00:11:22:AB:CD:EE, which according to Google is a CIMSYS Inc device.

IP Address is 192.168.147.100

I can ping it, I can tracert it and I can ssh to it (although I get disconnected as soon as I enter anything on the login name). Advanced Port Scanner shows this:

Status:Alive
Operating system:Linux
IP: 192.168.147.100
MAC: 00:11:22:AB:CD:EE
Manufacturer: CIMSYS Inc
NetBIOS:
User:
Type:
Date:
Comments:
Service                Details
Port 22 (TCP)          Dropbear sshd 2017.75 protocol 2.0
Port 111 (TCP)         rpcbind
Port 938 (TCP)
Port 948 (TCP)

For one thing, I don't understand how I can reach it considering the IP/Subnet.

The other strange thing is when I do a tracert... If I tracert any device on my network, it goes directly to it.  When I tracert this particular device, it goes through the cable modem, as if the device was on the other side of it, or on a different network.

Packet sniffing doesn't show a whole lot other than it appears to be trying different ports/protocols.

So I'm curious.. Anyone else on Shaw seeing that device when they ping or network scan?

mdk
Legendary Grand Master

@realm174 -- I don't understand how I can reach it considering the IP/Subnet. My LAN is on 192.168.0.0/24

Any traffic to any device on your LAN reaches your Shaw router, but never "exits" onto the router's WAN interface.

Any traffic outside of the range of your LAN is "routed" through the Shaw router's WAN interface, out to the Shaw router somewhere in your city.

Experiment: if you disconnect the coaxial-cable from the Shaw router's WAN interface, can you still reach that "foreign" IP-address? If so, it must be another network-interface "inside" the Shaw router.

From a Microsoft Windows command-line, enter: netsh lan show tracing

Do you get: There is no trace session currently in progress ?

If so, then enter: netsh trace start ?

for details on how to start a trace to that IP-address, and how to stop the trace, and how to view its output.

-------------

Edit: a Google-search for CIMSYS INC indicates that the company dissolved, decades ago.

But, I also found a posting by somebody in Luxembourg:

Posted: Tue Apr 27, 2010 3:25 am

The "mysterious device" turns out to be my Internet radio (model: Clarus Plus), acquired some months back but only used intermittently. The network scan information gives no hint of this, 
 

Weird!

realm174
Grasshopper

Thanks for digging into this. Following your suggestion, I disconnected the coax cable. I was unable to ping it. I plugged the coax cable back in, and the device came back.

I also managed to figure out the netsh bit, and I did end up with a capture file, which I'm looking at with netmon, but frankly, I'm not 100% sure what I'm looking at... but it created 2 files.. capture.etl and capture.cab.  I can open the etl in netmon, and I can open the cab file with 7zip and it contains 51 files that seem to be diagnostic output for a bunch of things. Just going through them now to see if I can find anything related to that IP or MAC address.. but so far nothing.

 

ShantelS
Grasshopper

I don't have any insight, but FWIW my Technicolor router periodically shows up in Fing as a CIMSYS device with the same MAC address.

mdk
Legendary Grand Master

MAC-addresses are assigned to manufacturers of network-adapters.

In this case, all MAC-addresses starting with "00:11:22" have been assigned to a manufacturer in Korea, namely CIMSYS.

The point is that any "device" (network router, iPhone, heart pace-maker, or smart-doorbell) needs some network adapter as a component of the device. A manufacturer of a device may have purchased a network-adapter from CIMSYS, as one small component of the device. Or, maybe, the manufacturer of the device has licensed the CIMSYS network adapter's hardware/software & its technology, for embedding as part of the device's motherboard.

So, if you are looking for a CIMSYS device, you may need to use a microscope to look at a few circuits on a motherboard.

In this case, the motherboard may be inside the cable-modem/router that Shaw supplies to customers.

The LAN adapter inside my HITRON cable-modem has a MAC prefix of 00:FC:8D. This prefix is assigned to HITRON Technologies, Inc, located in Hsin-chu (Taiwan).

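Added example, not part of any post in this thread: a small Python triage of scanner results that applies the two points made above, namely that an address outside the LAN range is handed to the gateway rather than reached directly, and that the first three MAC octets name the adapter's registered manufacturer. The gateway address 192.168.0.1, the function names and all sample rows except 192.168.147.100 / 00:11:22:AB:CD:EE are assumptions made for illustration.

```python
import ipaddress

# OUI prefixes quoted in the thread; a full check would use the IEEE registry.
OUI_VENDORS = {"00:11:22": "CIMSYS Inc", "00:FC:8D": "HITRON Technologies, Inc"}

def normalize_mac(mac):
    """Return a MAC as upper-case, colon-separated hex; raise ValueError if malformed."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def triage(lan_cidr, gateway, observations):
    """Classify each (ip, mac) pair seen by a scanner against the local subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    results = []
    for ip_text, mac_text in observations:
        ip = ipaddress.ip_address(ip_text)
        mac = normalize_mac(mac_text)
        on_link = ip in lan
        results.append({
            "ip": str(ip),
            "mac": mac,
            # On-link hosts are reached directly; everything else is handed to the gateway.
            "on_link": on_link,
            "next_hop": str(ip) if on_link else gateway,
            "vendor": OUI_VENDORS.get(mac[:8], "unknown"),
            # Bit 0x02 of the first octet marks a locally administered (non-IEEE) address.
            "locally_administered": bool(int(mac[:2], 16) & 0x02),
        })
    return results

# Constructed sample: only 192.168.147.100 / 00:11:22:AB:CD:EE come from the thread.
SAMPLE = [
    ("192.168.0.10", "00-fc-8d-12-34-56"),
    ("192.168.147.100", "00:11:22:AB:CD:EE"),
    ("192.168.0.23", "02:42:ac:11:00:02"),
]

if __name__ == "__main__":
    for row in triage("192.168.0.0/24", "192.168.0.1", SAMPLE):
        print(row)
```

An entry with on_link set to False is one whose traffic leaves through the gateway, which matches the tracert behaviour described in the first post.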