I've been trying to troubleshoot my DSL router due to slow connections recently. Just now, when I looked under the router's 'Active DHCP Clients' there was a list of seven (instead of the usual 1) ranging from 192.168.2.100 up to 192.168.2.106.

Anyone know what this means? Is it normal?

My computer is the only one on this network and is AFAIK free of spyware, trojans and hopefully any other backdoor garbage. I check daily for all malware.

I am running BitTorrent, though.

Thanks!

2 possibilities spring to mind:

1) That your router has been giving your machine different addresses - those addresses have not been persisting - and that these all reflect IP address allocations to your machine.

2) That other machines are connecting to your network.


As regards 1), you say "instead of the usual 1" - does this mean you have checked this info out before and found that only one address was persistently being assigned to your machine, and now this has changed?

As regards 2), is this a wireless router? Do you have WPA or WEP enabled? If not, then someone is possibly war driving you, in which case you need to enable security immediately. Use WPA as WEP has been cracked.

Recently slowdowns might be due to war driving intruders using your bandwidth. For all you know this is because they are downloading kiddie porn.

Can you post a screenshot of what is worrying you please?

http://en.wikipedia.org/wiki/War_driving

Thanks Phantasm66.

1. Yes, when I've checked in the past, only one DHCP client was ever listed. I checked today for the first time in a month, and was surprised to see seven.

2. This is a wireless router using WEP. It only offers WEP. WPA isn't an option on this model.

Would Bittorrent open up several DHCP clients?

Thanks again

:eek: :eek: :eek:

I just checked "Show Active Wireless Clients" and there was an Unknown Client listed!!!

You guessed correctly, someone has been accessing my network!

I have now completely disabled the wirless function of my router.

It did show the MAC address of the hacker!! Anyway to send the jerk a message??

Thanks again! This is freaking me out!

Have you told anyone your password? Where do you live? Could someone be nearby with a laptop?

Can you please post your DHCP client table? What are the hostnames involved? I've just checked mine on my linksys wired router, and all I have is entries for the two machines that are on on my LAN. I don't have anything else listed there, no old entries for the same machines, etc.

Can you post a screenshot or copy and paste of the table, including hostnames?

Don't send anyone any messages. Why tell someone you are on to them? You want to try and find out who this is, and how they are doing this.

Please post all information you currently have. You don't need to post your external IP, just the internal 192.168.x.x stuff in your dhcp clients table.

Please see above>

I need this kind of information from you :

Client Hostname IP Address MAC Address
machineA 192.168.1.100 00-50-DA-D8-5A-F1
machineB 192.168.1.101 00-01-6C-E9-82-6D

And tell me which of the entries refers to machines you own.

When I first spotted the problem, my internal DHCPs were 192.168.2.100, 192.168.2.100192.168.2.101, 192.168.2.102 etc up to 192.168.2.106.

Now that I've restarted my DSL and reset the router, there is only one DHCP: 192.168.2.100.

What other info can I offer?

Ok, well since I disabled the Wireless, that other MAC address is now gone.

I've now re-enabled it and will post that info as soon as he hooks back up.

So would this person have been able to access my files, or just use my connection?

Hostnames and MACs if you have them would be very useful.

The person is connected to your internal LAN in exactly the same manner as your own machine is. They certainly CAN access your files, and probably have been inside your router as well. Change your router and Windows passwords immediately. Remove any shared folders and drives from your machine, even the $ hidden admin ones.

Even more worrying for you, as far as the outside world is concerned, anything that the intruder did on the Net is trackable only back to you. If they used your connection to hack or to download kiddie porn, you are accountable for that.

Make no mistake, if you have an intruder then this is very serious.

Tell me more about where you live - do you live in a house on its own, or a flat? Do you have neighbors close by? Likely this is all because one of them has been using your Net connection to surf for free, they used too much bandwidth so you noticed the slowdowns.

WEP was cracked recently. Air-Crack is now able to beat it in a couple of minutes or so on a 1.5 GHz pentium.

You need to go out and get a WPA enabled router, and you can't use wireless any more until you get that.

WEP can be easily cracked !!!

http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/

Go here

http://www.aircrack-ng.org/doku.php

If you want to read all about hacking WEP. WEP is basically worthless now. All you need is a cheap laptop, maybe Linux, a network card, aircrack and about 1-2 minutes of your time.

If you have a WEP only router, replace it with a WPA enabled one, unless you live in a place where no one could be war driving you.

I live in an urban area. A city in Asia, one of the world's most densely populated, in fact. This could have come from any of hundreds of neighbors.

I have now disabled the Wireless function on the router. I turned it back on for twenty minutes to see if the intruder would reconnect, but they did not. It will remain off until I can buy a new router with better encryption.

I know that many of the folders on my HD were Shared Access.

Is there a way to remove this access from all of them at once, or must I change this for each individual folder?

Many Thanks

Edit: Just disabled File and Printer sharing in CP>Network Connections>Local Area Connections.

File Sharing uses the GUEST account, so
set the guest password (from an admin accnt):
first ENABLE the guest account as normal, then launch

run->cmd /k control userpasswords2

select the Guest account and set the pw

be sure to revert Guest to Disabled when you're done.

Now any access to the Shares will require a user/password to be entered

If you have a router, you can also set the DHCP so that your systems
are in a known IP range AND then set your firewall to allow File Sharing ONLY
on that range.

Mind you:
A: You can never detect someone listening to your wireless network, gathering data and cracking keys. Once the keys are cracked, everything you do wirelessly can be read by the hacker person.
B: You cannot rely on MAC addresses for finding intruders - all one has to do is to detect and use the MAC address of one of your own machines.

Make sure your WPA passwords are long and complex. A dictionary attack for a 10-letter word is a matter of minutes. Make your WPA password a string of 20 letters and numbers.

Its possible that your key has been cracked and perhaps shared by several people. These people might live around you, but might well not know that the connection they are stealing is yours.

Get yourself a WPA router and follow Nodsu's advice as regards the WPA password. Don't use the wireless function of your router until then.

If you use WPA encryption, then the SSID is a component to the key.
(see http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access)

CHANGE the SSID and create a new key

The WPA2 technique explaination

GRC's Ultra High Security Password Generator
https://www.grc.com/passwords.htm

Some examples :

5DD22F2A02C74ACF854C108A36A693A4E7829B42FB8F57432EF4160C7F0B6440
UhzSYn6BUyGR3LmDoeqWAuISR3nbhu077OiTYF7MuGVjiYbW4aky3JcIqLMuRxX
912A44421245EA49A856F480404D02F5FB6A4ED43D8B925C6DAE4D4B04403E7E
SwC6CcNSpI9Bum6JrCLjB24vtOMv5QyvWsNwFox3GME1Ev4emgKwRXVOQaCSVto

More of the same is just a click away.

You can store these passwords inside a TrueCrypt encrypted volume :

http://www.truecrypt.org/

Thanks again for your help everyone.

My wireless has been turned off these past few days, until I buy a new router.

Just curious: If I had written down the MAC address and DHCP of the hithchiker, what would I have been able to do?

MAC filtering is all/nothing. You can choose to ALLOW from a list or DENY from a list.
As you can't know all those who might need to be denied, my choice would be
to ALLOW mac addresses of only my systems. It's not perfect, but it stops the naive users effectively.

That's a good step until he can get himself a WPA router.

That's a useful security tip, actually.

Unless you get your hands on the suspect, all you can do is to find out who made his wireless chip

I you do get a suspect, then you can check the MAC address of his wireless adapter. If these match, then you have proven his guilt (excluding the extremely low probability of duplicate MAC addresses).

With a WPA enabled router, changed SSID, hidden SSID (disable SSID broadcasting), strong Key, and MAC filtering you'll be better off than you had been.

But always remember that wireless is never 100% secure. But each security precaution you take will help reduce the chances of the average user gaining access to your wireless network.