Wireless skips *.100
GreyGeek
Sep 29th 2010, 07:47 PM
Recently I began using wicd-client-kde and yesterday I disabled the *.desktop for wicd-gtk so that its icon wouldn't share the tray with the kde client.
Today, I turned on the wireless router and then my laptop. I noticed immediately that wicd-client-kde received an IP address of 192.168.1.101 instead of *.100. If someone remotely cracked my wireless they had to be patiently waiting for several hours for me to begin my computing day and then log in within a minute as soon as they saw my essid broadcast, so I ruled that out.
The system logs showed nothing out of the ordinary.
I logged into my wireless router and checked the configuration. It was still set to begin dispensing IP addresses beginning with 192.168.1.100. I checked the DHCP Client Listing table which my wireless provides ... I was the only connection showing. I fired up EtherApe and noticed no other connections to my router. I fired up Kismet, and immediately noticed that it found 12 access points where wicd saw only 5. ??? None were connected to my router. The router lights blink rapidly only when I am doing something online. When I do not have the browser up or I am not on an active page, the lights are lazy.
Killing the promiscuous mode and resetting it to Managed, I closed the connection and tried again. I still got *.101. I did a power down of both my wireless and laptop but on power up still got *.101 assigned to my laptop.
I uninstalled wicd-client-kde and rebooted both my wireless and my laptop. Still got an IP of *.101.
I had my wife turn on her computer. With me sitting at *.101 she should have received a *.102 address, but she was given *.103 instead!!! The router's dhcp client listing showed only our two machines being connected to the router.
I presently do not understand how wicd (or wicd-client-kde) could pull an IP address from the wireless router and not have the system logs record it doing so. With nothing in the logs showing that a *.100 address was proffered but thrown away, my working hypothesis is that my wireless is misbehaving. All settings are as I set them when I first set it up.
zlow
Sep 29th 2010, 08:03 PM
DHCP leases usually carry an expiration time, and are tied to a MAC address. The default expiration on home routers is commonly set from 8 hours to 1 day. Unless you are using WEP, you probably haven't been cracked. WPA has been cracked, but it is pretty difficult to break so it isn't really common yet. A few years ago I watched WEP get cracked in just a few seconds, even with MAC filtering enabled. I would never recommend using it in any scenario.
Tell a little more about the situation, do you normally connect with an Ethernet cable and recently changed to WIFI? Do you have any other network capable devices like an iphone, android, DVR, or Wii?
You can take a look at what's going on on your network with an nmap scan. Issue a stealth scan which will normally find even firewalled devices.
sudo nmap -p 1-65535 -sS 192.168.1.0/24
If there is anything there, that should find it or tickle it enough to let whoever is connected know that you are looking for them.
It is probably nothing though. Depending on the router you may be able to find a status screen showing reservations, you can take the MAC address and trace it back to one of your devices. If it doesn't match any of them that's when you should start becoming concerned (or if you find an unknown device).
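The cross-check described in the post above (match every MAC in the router's lease list to a device you own), as an added example that is not part of the original thread. It also lists pool addresses below the highest lease that no lease accounts for, which is the "skipped address" symptom under discussion. The table layout, device names and the 02:... MAC addresses are constructed assumptions; routers export this list in differing formats.

```python
import ipaddress

def norm_mac(mac):
    """Canonical lower-case, colon-separated form, so 02-00-.. equals 02:00:.."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text):
    """Parse 'name MAC IP HH:MM:SS' rows into dicts; blank and '#' lines skipped."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, mac, ip, left = line.split()
        h, m, s = (int(x) for x in left.split(":"))
        leases.append({"name": name, "mac": norm_mac(mac),
                       "ip": ipaddress.IPv4Address(ip),
                       "left": h * 3600 + m * 60 + s})
    return leases

def audit(leases, known_macs, pool_start):
    """Return (unknown, gaps): leases held by MACs missing from the inventory,
    and pool addresses below the highest lease that no lease accounts for."""
    known = {norm_mac(m) for m in known_macs}
    unknown = [row for row in leases if row["mac"] not in known]
    held = {row["ip"] for row in leases}
    start = ipaddress.IPv4Address(pool_start)
    top = max(held, default=start)
    gaps = [str(start + i) for i in range(int(top) - int(start) + 1)
            if start + i not in held]
    return unknown, gaps

# Constructed sample tables; 02:... MACs are locally administered placeholders.
KNOWN = ["02:00:00:AA:00:01", "02-00-00-AA-00-02"]
QUIET = """\
# name     MAC                IP             lease left
laptop     02:00:00:aa:00:01  192.168.1.101  04:51:10
wife-pc    02:00:00:AA:00:02  192.168.1.103  20:02:41
"""
WITH_STRANGER = QUIET + "android-x  02:00:00:aa:00:09  192.168.1.100  23:40:00\n"

if __name__ == "__main__":
    for label, table in (("quiet", QUIET), ("stranger", WITH_STRANGER)):
        unknown, gaps = audit(parse_leases(table), KNOWN, "192.168.1.100")
        print(label, [(r["mac"], str(r["ip"])) for r in unknown], gaps)
```

An empty unknown list together with unexplained gaps points at the router's own lease bookkeeping rather than at an extra client.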
GreyGeek
Sep 29th 2010, 08:24 PM
Thanks, zlow!
I'm confident that I haven't been hacked. The only MAC addresses in the ARP table were my wife's and mine. My lease time is 24 hours. I am usually online for about 12 hours each day, with varying startup and shutdown times.
WPA has been cracked, but it is pretty difficult to break so it isn't really common yet. A few years ago I watched WEP get cracked in just a few seconds, even with MAC filtering enabled. I would never recommend using it in any scenario.
I saw a video of FBI guys hacking into a WPA in just under five minutes. It took about 140,000 packets. 8)
Tell a little more about the situation, do you normally connect with an Ethernet cable and recently changed to WIFI? Do you have any other network capable devices like an iphone, android, DVR, or Wii?
Nope. Just the cable modem connected to the TP-Link wireless router. Usually 1 to 4 laptops connect by wireless. My printer is connected to a wireless print server which is connected to the back of the wireless router and set up in ad hoc mode. My setup hasn't changed in at least 4 or 5 years, except for changing out defective wireless routers about once every 18 months.
The odd thing is the skipping of IP numbers. That is something I have never seen yet and can't find any reference to, so far, in my googling.
My passive scans didn't show anything but I did your nmap scan (since it is for a local IP and not on my ISP's side!) and got this:
jerry@sonyvgnfw140e:~$ sudo nmap -p 1-65535 -sS 192.168.1.0/24
[sudo] password for jerry:
Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-29 15:15 CDT
Interesting ports on 192.168.1.1: <--- that's my router address
Not shown: 65532 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
1910/tcp open unknown
MAC Address: XX:XX:XX:XX:XX:XX (Unknown) <--- that's MY MAC !
Interesting ports on 192.168.1.99: <--- that's the static IP of my network printer
Not shown: 65528 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open printer
631/tcp open ipp
9100/tcp open jetdirect
34443/tcp open unknown
MAC Address: XX:XX:XX:XX:XX:XX (Cisco-Linksys) <--- wireless print server
All 65535 scanned ports on 192.168.1.101 are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 73.56 seconds
Nothing I haven't seen before and am not aware of.
Strange problem ???
zlow
Sep 30th 2010, 12:31 PM
I saw a video of FBI guys hacking into a WPA in just under five minutes. It took about 140,000 packets. 8)
Yep, it's down to ~5 minutes. Fortunately it isn't very common yet.
Strange problem ???
It is weird, but home routers can be wonky. I use dd-wrt on mine so I can get a decent view into what they are doing. Sounds like nothing malicious though, maybe a router reboot is in order.
GreyGeek
Sep 30th 2010, 04:20 PM
Zlow, you were right about
DHCP leases usually carry an expiration time, and are tied to a MAC address.
My TP-Link TL-WR1043N router is the most expensive and complex that I have ever purchased. Needless to say, I didn't read the manual. (Hey, "it's just a router" ::) )
I checked my DHCP logs and noticed that the last time I was proffered the *.100 was on the 27th, at 21:00 hours. The next day I logged in at 13:00 and was given the *.101 IP address. I didn't notice the *.101 setting until the 29th, yesterday. Since I usually log in first, I usually get the *.100 address, unless my wife logged in first, then I get the *.101 address. She wasn't logged in yesterday so my first thought was someone had cracked my 14 character password and was piggy-backing on my Internet connection.
Netstat, ARP, EtherApe, Kismet and your nmap command showed otherwise. (BTW, kismet allowed me to look at the other 12 wireless connections within range of my TP-Link and several of them had been "networked", with 2 to four other MAC addresses hanging off of them. Interesting. Also interesting was the number of probes even my wireless print server was getting. I was being alerted to probes about every 3 to 5 seconds!).
I thought for a while about what I was doing after 8pm on the 27th and realized that I had compiled the wicd-client-kde application and had installed it for a test run. To keep it up I changed the lease time from 300 minutes to 1440 minutes. I logged into my TP-Link and started rummaging around in those areas I never saw a need to visit before. I noticed an ARP section and in it were two PCs showing their MAC, IP address and time left on their leases. THAT was how the router was keeping track of PCs logged in, their IP and the time left on their lease! I never set ARP or MAC settings when I set up the router so I never looked into that section of the Router menu. I noticed that my MAC and IP address were showing, and the time left on the lease was approximately correct. HOWEVER, my wife's MAC and her *.103 IP address showed over 20 hours left on her lease but she wasn't logged in, and hadn't been for more than four hours. Refreshing the page showed my lease time remaining was going down, but hers remained the same!
I reset the lease time to 300 minutes and rebooted the router. My proffered IP was *.100.
It was an interesting trip through the router setup and playing with Kismet was fun.
About 6 or 8 years ago, while running an open router, someone piggybacked on my connection. I had an admin program installed that was web based. IIRC, it used a SATAN clone to explore an Internet connection. I don't remember what it was called but I went googling yesterday and saw "webmin", but the demo and screen shots don't look like what I remember and it didn't have a network diagnostics tool or plugin. Anyway, I sent SATAN out to explore the TimeWarner trunk I was on and within 10 minutes I had graphical maps showing uptimes, packet counts, ports opened, etc..., of over 200 computers and a couple of TW servers. I also found the PC that was piggy-backing mine, disconnected it, and began using WEP encryption on my wireless.
Snowhog
Oct 1st 2010, 03:34 AM
Anyway, I sent SATAN out to explore the TimeWarner trunk I was on and within 10 minutes I had graphical maps showing uptimes, packet counts, ports opened, etc..., of over 200 computers and a couple of TW servers. I also found the PC that was piggy-backing mine, disconnected it, and began using WEP encryption on my wireless.
SATAN. ;D So you have a copy? Does the NSA know? ;D ;D ;D
(I remember the 'scare' (and threats to the developer) surrounding the release of SATAN onto the 'Net)
zlow
Oct 1st 2010, 12:40 PM
Zlow, you were right about
DHCP leases usually carry an expiration time, and are tied to a MAC address.
Glad you figured it out.
My TP-Link TL-WR1043N router is the most expensive and complex that I have ever purchased. Needless to say, I didn't read the manual. (Hey, "it's just a router" ::) )
LOL! I always make it a point to learn everything about these sorts of devices because one bad flag is all it takes to bring down your security. The cheap-o home routers with dd-wrt are fantastic. The learning curve is higher (unless you already know Linux), but the payoff is pretty high.
About 6 or 8 years ago, while running an open router, someone piggybacked on my connection. I had an admin program installed that was web based. IIRC, it used a SATAN clone to explore an Internet connection. I don't remember what it was called but I went googling yesterday and saw "webmin", but the demo and screen shots don't look like what I remember and it didn't have a network diagnostics tool or plugin. Anyway, I sent SATAN out to explore the TimeWarner trunk I was on and within 10 minutes I had graphical maps showing uptimes, packet counts, ports opened, etc..., of over 200 computers and a couple of TW servers. I also found the PC that was piggy-backing mine, disconnected it, and began using WEP encryption on my wireless.
I had a break-in once around 10 years ago. I had made the mistake of leaving a service exposed to the internet that ended up having a vulnerability. I learned a LOT about security that day (and have subsequently stayed on top of security practices since). It may sound like I am overly anal about it sometimes, but it is just experience talking.