Ghost in the machine

  • 6 January 2017
  • 28 replies
  • 2704 views

Userlevel 6
Badge +17
A couple of days ago and every day since I checked my Windows 10 Network and observed some strange devices that showed up on it. My PC is Ethernet-connected only; I am using a TP Link Archer C7 wireless router.
 
After much research, I found people have been complaining about this (Windows 8, too) since 2013 and as recently as December 2016.
 
The number of threads is huge, including from MS itself, and I don't believe any of the reasons for this stuff happening or most of the suggested solutions.
 
Most suggestions are that machines are picking up nearby devices or drive-by's. I don't believe that explanation because most of the specific device names are the same in many cases with people spread out all over the USA and beyond. Here's just one example of somebody else that saw "full-ford":
 
http://www.overclock.net/t/1583033/strange-unknown-devices-on-my-network
 
I've noticed the stuff that shows up has a MAC address, but no IP. In most cases the devices disappear after a few seconds.
 
Another strange thing is how some of the devices are associated with Amazon or Amazon protocols. I do not think this phenomenon is isolated to individuals' locations or wireless devices because of the common device names involved.
 
You Webroot folks are the security experts; that's why I wrote this here. Here are some screen shots for your enjoyment. The devices that do not belong are DL701Q; MaxGuava; angler; full-giza and full-ford:
 


 
 


 
 


 
 


 
 


 
 


 
 


 
 
 
 
 

28 replies

I too now have various devices showing up in Windows 10 network. I ran advanced IP scanner and it found a second subnet.


 
 
 
 
 
The 172 octet is mine, the 192 is not. And it is unscannable. 
At first I thought it was an older Linksys that I run in WEP mode periodically for an old iBook but the random devices till pop in with that off.
Very interesting…
 
Same problem here.  full_giza appears and disappears.  I added its MAC address to my router reject filter and haven't seen it since. 
 
But also I am seeing a transient 'network infrastructure' device show up on my File Explorer network display.  I have an ASUS RT-AC66U_B1 router, but occasionally I also see a Linksys E8350 router appear.  Both of these devices will appear and disappear from the File Explorer display, but only the ASUS should be there.  I am connected to a Ubee DVW32CB modem that can serve as a wireless router, but I am not using that function.  I don't see any info on the modem that suggests that an embedded E8350 is providing the router function.  The MAC address shown for the E8350 doesn't match the MAC addresses on the label of the modem.  ??????
Okay I have definitive proof that the devices showing up on my network are fictitous. I'm including a screen shot of the latest called "argonglobal".


This is clearly a fictitous device. No one uses a Blackberry anymore.


I recently found someone in Washington that was also getting a full_ford device showing up on his network. It had the same MAC address as mine & I live in Georgia. 
My router doesn't block MAC addresses but I doubt it would do any good, anyway.
Thanks for your reply, I assure you that I have no Amazon devices. These devices have names that are created by user. So it is unlikely that we all have Amazon devices that we have setup with the name full_biscuit but none of us remember doing so.
Look at the similarity in the names, full-ford, full-giza, full-biscuit. Take into consideration that they all are Amazon devices with no info other than MAC address. 
You have to rule out picking up a neighbor's network or some drive by phone thing. 
Hi Darryl,

Welcome to the Webroot Community,

From what I've read about "full_biscuit", some people say this may be caused by Amazon echo, or other Amazon devices, like Alexa or dot.
Do you have one of these?

Just curious,
    This may be the most frustrating problem I have ever encountered on a computer. How is it possible that people that live on different sides of the planet are catching the exact same "Drive-By" devices on their network? FULL-FORD, FULL-GIZA, FULL-BISCUIT, DOUGLAS. 
    The people that own these devices must do a lot of travelling because I'm in Georgia. Any chance that I & somebody in California both have a neighbor named "FULL-BISCUIT"?
    It's odd that any time I google the name of an unknown device on my network, there is always someone who has posted on some forum that they have same device name appearing on their network.
    
Userlevel 7
Badge +63
It sounds like your seeing other Wi-Fi networks so I wouldn't worry about it and you can see this from Microsoft: https://goo.gl/uuo2Pr and here: https://goo.gl/TvYp1c for other possible reasons.
 
Daniel
My ghost is named full_biscuit.
He is new and showed up right after I installed a new TP-Link router, no prior visitations by anyone.
Could TP-Link be the commonality?
Saw this on another similar post, try disabling the Windows Connect Now service (WPS) and see if that stops the devices from showing up. So far so good for me.
Weird. I haven't seen full_ford since I shut my bluetooth off, but I did just see "douglas" for the first time. Seen several other threads, someone has to know what these are, right?
Forgot to note that I live 0.25 mi. from the nearest paved road (on 7.5 acres).  I can't detect any wireless routers except mine, so at least for me, neighbors probably aren't tampering with my equipment.
My Bluetooth is off.  I use 24-bit network encryption to help protect it.  Nevertheless, "douglas" is a consistant squatter on my network.  Apparaently he's an Amazon device with a MAC address that's associated with Amazon (as the vendor).  I can't fiind a link between his model number (KFDOW) and a specific device, but he's always chilling in the computer section of my network system files.
 
When I remember to check for his presence, he's always there.  When I access his properties, he becomes skittish and disappears.  He always returns, though.  How do I evict him (and re-key the locks)?  He would have had to change my network settings to allow him access to the network (but I don't claim a great understanding of network configurations).
 
 

I've just recently noticed full_ford a couple of times., only showing up for a minute then vanishing Realized my onboard Bluetooth radio was turned on. Turned it off and haven't seen it since. Anyone else have Bluetooth? Makes the passing car theory a bit more plausible, I think.
I've just had this happen, too. Noticed full_ford network on my Windows Network tab, then it was gone. Haven't logged any new clients on my router.

Is it possible this is a Bluetooth thing? I do live by a busy road, and never even thought about the fact that my computer had bluetooth, just to find now that it's "Discoverable as [computer name]" in the Bluetooth & other devices page in Windows 10. Oops. Anyone else? It does seem plausible that car bluetooth systems could be popping up when in range of my bluetooth radio, although lardlad00 said he's in a rural area, so maybe not. Are you close to a road at all?

One other thought - I recently installed some AWS developer tools, including Docker. I know some virtual network devices got installed in the process, but didn't pay as close of attention as I should... anyone else work with AWS stuff? Seems like it could relate to the Amazon device tag at least.

Finally, and I hope this isn't the case... is there any chance we've all been compromised by a similar malware? Anyone have any ideas on other patterns we could look for? I get the whole wipe your network config and start fresh perspective... but would love to figure this out, too.
Userlevel 1
Badge +7
Just realized this was happening to me as well.  full_giza and a Dell Venue 8 tablet
I have just noticed that I've full_ford on my lap top.The only identifying items on it state Amazon .Again no IP just a MAC address.Ive been having problems with one of my email accounts since 04/07/2017 and I'm unable to receive any of my emails from that account onto my iPhone but can get them on my laptop.Now I'm wondering if this has something to do with it !!!!!!ANY help or advice will be gladly received
Perfect Summary and Analysis of my Identical Problem!
Userlevel 6
Badge +17
Dear IronSkillet,
Welcome to the forum! I have no suggestions because the answer (as far as I know) remains a mystery. I gave up a while ago after being abused on another forum. At least here at Webroot everybody is civil and helpful--as you'll soon learn.
 
So my answer is "Resistance Is Futile."
Enjoy your time here, and keep your network locked down.
--Rick
So I've been noticing for months that "something" kept happening in the network window but it was always very fast and I'd miss what actually happened. Today, full_ford.

I own 0 Amazon devices, I am home alone, I'm connected to the router via ethernet, the router is broadcasting but is passworded - using WPA/WPA2 PSK. Someone driving by or even a neighbor, unless they've previously stopped and hacked my router specifically, doesn't make sense... right?

Any suggestions?
I found this thread while searching for this issue and thought I should post.
 
I, too, have experienced this issue and I find the suggested solutions to be insufficient to explain what's happening here.
 
I bought a new wireless printer today and went to install it. On opening the "network" page in Windows 10 I noticed a device called "full_giza".  Curious about it, I googled it and found some forum posts about people wondering about full_giza and full_ford devices on their network. Then I saw that it had disappeared. For what it's worth, I don't own any amazon devices.
 
Poking around, I was refreshing my network page and then a Lenovo device showed up. Interestingly enough, the device is another 8" tablet. This is too strange to just be a coincidence.
 
I live in a very rural area and there's zero chance that someone is within my wifi range and just hopping on for short bursts. 
 
My network is a bit strange. I connect using a 4G verizon hotspot. I have an old linksys router with dd-wrt on it acting as a client for the hotspot. Connected to that I have a d-link router acting as a DHCP server and wireless access point. Connected to that d-link router I have two other identical d-links acting as access points in other buildings.
 
Here's a shot of the two devices I'm seeing: http://i.imgur.com/ZUWnSBZ.png
 
Any ideas?
Userlevel 6
Badge +17
James G.,
 
My router does not have a WPS setting, WDS is disabled and it's as locked down as I technically could do it. Your "drive-by" explanation is viable as I am close to a county road. I have seen nothing on my list since I stopped broadcasting my SSID.
 
Thanks,
 
Rick
Userlevel 7
Badge +56
@ To me you should contact your ISP as we can't do anything for you from a Forum and it's not a WSA issue.
 
Daniel
Userlevel 7
Hello,
 
How close are you to a street? And how much traffic does it receive?

I believe this is an example of smartphones, smart devices, or even smart cars scanning your wifi. This does not mean that you are being targeted or that someone is attempting to hack you. Basically when someone drives by, their smartphone is picking up on your wifi and scanning it, in the event that they tried to connect. My phone does this all the time wherever I go as long as wifi is enabled. 
 
This would also explain why you see them appear, and then quickly disappear as they get out of range. I would check to see if WPS is enabled, and disable it if so. This is a router setting.
Userlevel 6
Badge +17
The best answer thus far was to disable SSID broadcasting on Wi-Fi. That appears to have worked.
Userlevel 6
Badge +17
This morning another phone appeared on my network list; so something escaped from my Ecto Containment Unit. As before, there was a Mac address, no IP, and right after I grabbed a screen shot and refreshed my network list a couple of times, it disappeared.
 


 
 


 
The common theme is the devices have Mac addresses, no IP's, and disappear after several refreshes of the network list--only to reappear.

Reply