Mysterious "MyBook" Client on my WLAN



#1
Waterchan

    Member
  • 18 posts
Hi, I've been lurking around for a while, and this seems to be an extremely helpful forum. :whistling: This post will be slightly lengthy but it contains detailed information on my problem, so please bear with me.

I have a Belkin Wireless G 2.4GHz-802.11g router. I have set up security to allow WPA/WPA2 clients to connect, authentication type is Password(PSK). I have a reasonably strong guest password and an even stronger Admin password, but somehow there is an unknown client named MyBook that keeps connecting.

DHCP is enabled. The router's address is 192.168.2.1. My two computers get assigned the IPs of 192.168.2.2 and 192.168.2.3. When I checked my DHCP client list, the mysterious "MyBook" client was assigned an IP of 192.168.2.18. When I restart my router, it disappears, but then reappears in about 24 hours, using exactly the same IP address 192.168.2.18.

My thoughts: Maybe this is just some kind of automatic system client, since if it was an actual client, my router should have assigned the next available IP which is 192.168.2.4. But then when I turn on MAC Address Filtering to allow only my computers to connect, this mysterious MyBook no longer appears in my DHCP client list.

My questions: Is this MyBook a person or some kind of automatic client? I find it hard to believe it's a person, since my passwords are quite strong and it would be difficult to "crack" them so fast. Should I be concerned about this? If so, what can I do to prevent this from happening?

Below is my entire router activity log since the last restart. The lines where MyBook (192.168.2.18) is concerned are bolded. Thank you so much for your time. :blink:

05/06/2006 16:03:11 192.168.2.3 login success
05/06/2006 13:24:52 NTP Date/Time updated.
05/06/2006 12:22:40 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/06/2006 12:22:40 DHCP Client: Send Request, Request IP=192.168.1.11
05/06/2006 07:24:50 NTP Date/Time updated.
05/06/2006 07:22:39 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/06/2006 07:22:39 DHCP Client: Send Request, Request IP=192.168.1.11
05/06/2006 02:22:39 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/06/2006 02:22:39 DHCP Client: Send Request, Request IP=192.168.1.11
05/06/2006 01:24:49 NTP Date/Time updated.
05/05/2006 22:30:51 sending ACK to 192.168.2.2
05/05/2006 21:22:38 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/05/2006 21:22:38 DHCP Client: Send Request, Request IP=192.168.1.11
05/05/2006 19:24:48 NTP Date/Time updated.
05/04/2006 05:33:06 sending ACK to 192.168.2.3
05/04/2006 05:33:06 sending OFFER to 192.168.2.3
05/04/2006 03:14:05 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/04/2006 03:14:05 DHCP Client: Send Request, Request IP=192.168.1.11
05/04/2006 01:41:54 sending ACK to 192.168.2.18
05/04/2006 01:41:54 sending OFFER to 192.168.2.18
05/04/2006 01:40:10 sending ACK to 192.168.2.18
05/04/2006 01:00:52 sending ACK to 192.168.2.18
05/04/2006 01:00:45 sending ACK to 192.168.2.18

05/04/2006 00:35:57 User from 192.168.2.3 timed out
05/04/2006 00:30:59 sending ACK to 192.168.2.18
05/04/2006 00:30:48 sending ACK to 192.168.2.18
05/04/2006 00:30:12 sending ACK to 192.168.2.18
05/04/2006 00:30:00 sending ACK to 192.168.2.18

05/04/2006 00:15:46 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/04/2006 00:15:46 DHCP Client: Send Request, Request IP=192.168.1.11
05/04/2006 00:15:46 DHCP Client: Receive Offer from 192.168.1.1
05/04/2006 00:15:45 DHCP Client: Send Discover
05/05/2006 13:18:45 192.168.2.3 login success
05/05/2006 12:16:15 NTP Date/Time updated.
05/05/2006 11:22:04 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/05/2006 11:22:04 DHCP Client: Send Request, Request IP=192.168.1.11
05/05/2006 06:22:04 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/05/2006 06:22:04 DHCP Client: Send Request, Request IP=192.168.1.11
05/05/2006 06:16:14 NTP Date/Time updated.
05/05/2006 02:05:38 sending ACK to 192.168.2.2
05/05/2006 01:22:02 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/05/2006 01:22:02 DHCP Client: Send Request, Request IP=192.168.1.11
05/05/2006 00:16:12 NTP Date/Time updated.
05/04/2006 22:20:40 sending ACK to 192.168.2.2
05/04/2006 22:20:40 sending OFFER to 192.168.2.2
05/04/2006 21:50:52 **TCP FIN Scan** 217.164.151.48, 11747->> 192.168.2.3, 4942 (from WAN Inbound)
05/04/2006 21:50:52 **TCP FIN Scan** 83.253.148.168, 40953->> 192.168.2.3, 4404 (from WAN Inbound)
05/04/2006 21:50:52 **TCP FIN Scan** 24.93.196.222, 12419->> 192.168.2.3, 4406 (from WAN Inbound)
05/04/2006 21:50:52 **TCP FIN Scan** 82.46.130.82, 16054->> 192.168.2.3, 4391 (from WAN Inbound)
05/04/2006 20:22:00 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/04/2006 20:22:00 DHCP Client: Send Request, Request IP=192.168.1.11
05/04/2006 18:16:10 NTP Date/Time updated.
05/04/2006 15:21:59 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/04/2006 15:21:59 DHCP Client: Send Request, Request IP=192.168.1.11
05/04/2006 12:16:09 NTP Date/Time updated.
05/04/2006 11:56:49 User from 192.168.2.3 timed out
05/04/2006 11:36:39 192.168.2.3 login success
05/04/2006 11:36:26 User from 192.168.2.3 timed out
05/04/2006 11:32:15 sending ACK to 192.168.2.2
05/04/2006 11:32:15 sending OFFER to 192.168.2.2
05/04/2006 10:46:41 sending ACK to 192.168.2.3
05/04/2006 10:46:41 sending OFFER to 192.168.2.3
05/04/2006 10:21:57 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/04/2006 10:21:57 DHCP Client: Send Request, Request IP=192.168.1.11
05/04/2006 06:16:07 NTP Date/Time updated.
04/25/2006 06:24:57 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 06:24:57 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 04:03:12 192.168.2.3 login success
04/25/2006 03:31:41 **SYN Flood to Host** 192.168.2.3, 3340->> 206.251.251.70, 80 (from WAN Outbound)
04/25/2006 01:52:44 User from 192.168.2.3 timed out
04/25/2006 01:51:01 **SYN Flood to Host** 192.168.2.3, 2450->> 216.98.48.7, 80 (from WAN Outbound)
04/25/2006 01:24:57 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 01:24:57 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 01:20:03 sending ACK to 192.168.2.2
04/25/2006 01:20:03 sending OFFER to 192.168.2.2
04/25/2006 01:18:38 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 01:18:38 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 01:18:38 DHCP Client: Receive Offer from 192.168.1.1
04/25/2006 01:18:37 DHCP Client: Send Discover
04/25/2006 01:20:03 192.168.2.3 login success
04/25/2006 01:19:56 192.168.2.3 logout
04/25/2006 01:19:34 sending ACK to 192.168.2.3
04/25/2006 01:19:34 sending OFFER to 192.168.2.3
04/25/2006 01:19:28 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:26 sending OFFER to 192.168.2.3
04/25/2006 01:19:26 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:24 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:23 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:21 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:20 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:18 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:18 sending OFFER to 192.168.2.3
04/25/2006 01:19:17 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:15 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:14 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:13 sending OFFER to 192.168.2.3
04/25/2006 01:19:12 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:19:11 **Smurf** 169.254.255.255->> 169.254.239.189, Type:3, Code:3 (from WAN Outbound)
04/25/2006 01:18:53 sending ACK to 192.168.2.3
04/25/2006 01:18:44 sending ACK to 192.168.2.3
04/25/2006 01:18:41 sending ACK to 192.168.2.3
04/25/2006 01:18:38 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 01:18:38 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 01:18:38 DHCP Client: Receive Offer from 192.168.1.1
04/25/2006 01:18:37 DHCP Client: Send Discover
04/25/2006 01:18:38 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 01:18:38 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 01:18:38 DHCP Client: Receive Offer from 192.168.1.1
04/25/2006 01:18:37 DHCP Client: Send Discover
04/25/2006 01:19:58 sending ACK to 192.168.2.2
04/25/2006 01:19:58 sending OFFER to 192.168.2.2
04/25/2006 01:18:38 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 01:18:38 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 01:18:38 DHCP Client: Receive Offer from 192.168.1.1
04/25/2006 01:18:37 DHCP Client: Send Discover
04/25/2006 01:18:38 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 01:18:38 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 01:18:38 DHCP Client: Receive Offer from 192.168.1.1
04/25/2006 01:18:37 DHCP Client: Send Discover
04/25/2006 01:18:38 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 01:18:38 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 01:18:38 DHCP Client: Receive Offer from 192.168.1.1
04/25/2006 01:18:37 DHCP Client: Send Discover
04/25/2006 01:18:38 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 01:18:38 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 01:18:38 DHCP Client: Receive Offer from 192.168.1.1
04/25/2006 01:18:37 DHCP Client: Send Discover
04/25/2006 01:18:38 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
04/25/2006 01:18:38 DHCP Client: Send Request, Request IP=192.168.1.11
04/25/2006 01:18:38 DHCP Client: Receive Offer from 192.168.1.1
04/25/2006 01:18:37 DHCP Client: Send Discover
05/03/2006 23:45:34 192.168.2.3 login success
05/03/2006 21:18:50 sending ACK to 192.168.2.2
05/03/2006 21:18:50 sending OFFER to 192.168.2.2
05/03/2006 19:19:07 NTP Date/Time updated.
05/03/2006 19:18:36 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/03/2006 19:18:36 DHCP Client: Send Request, Request IP=192.168.1.11
05/03/2006 14:18:36 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/03/2006 14:18:36 DHCP Client: Send Request, Request IP=192.168.1.11
05/03/2006 13:19:06 NTP Date/Time updated.
05/03/2006 09:18:34 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/03/2006 09:18:34 DHCP Client: Send Request, Request IP=192.168.1.11
05/03/2006 07:19:04 NTP Date/Time updated.
05/03/2006 04:18:33 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/03/2006 04:18:33 DHCP Client: Send Request, Request IP=192.168.1.11
05/03/2006 01:19:03 NTP Date/Time updated.
05/03/2006 00:56:44 **SYN Flood to Host** 192.168.2.3, 4303->> 64.20.44.77, 80 (from WAN Outbound)
05/02/2006 23:18:31 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/02/2006 23:18:31 DHCP Client: Send Request, Request IP=192.168.1.11
05/02/2006 19:19:01 NTP Date/Time updated.
05/02/2006 18:18:30 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/02/2006 18:18:30 DHCP Client: Send Request, Request IP=192.168.1.11
05/02/2006 15:12:39 sending ACK to 192.168.2.3
05/02/2006 15:05:12 sending ACK to 192.168.2.3
05/02/2006 13:19:00 NTP Date/Time updated.
05/02/2006 13:18:29 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/02/2006 13:18:29 DHCP Client: Send Request, Request IP=192.168.1.11
05/02/2006 12:08:13 sending ACK to 192.168.2.2
05/02/2006 12:08:13 sending OFFER to 192.168.2.2
05/02/2006 10:59:53 sending ACK to 192.168.2.3

Edited by Waterchan, 06 May 2006 - 06:39 PM.

  • 0


#2
Dan

    Trusted Tech

  • Retired Staff
  • 1,771 posts
Hi Waterchan,

"MyBook" sounds like a name that someone would give to their laptop or "notebook". Do you have a laptop? Does anyone near you have a laptop? However, I'd have to agree with you on this one. Since you have WPA encryption, it's not very likely that someone has cracked into your Wireless. To be on the safe side, I'd suggest that you implement MAC Filtering. The chances of this actually being a malicious user are very slim, but it's better to be safe than sorry.
  • 0

#3
Waterchan

    Member

  • Topic Starter
  • 18 posts
I have a laptop but it's not named "MyBook", although I'm not sure of my roommates' laptops. Do you know any particular brand of laptop that comes with this name by default?

It's curious that "MyBook" always gets the local IP 192.168.2.18, because my router usually assigns addresses in sequential order (192.168.2.2, 192.168.2.3... and so on. 192.168.2.1 is the router's address). This led me to suspect that it could possibly be some kind of automatic program.

Anyway, this isn't exactly a big problem. I'm just curious as to what this exactly is. If I see "MyBook" connect again, I'll implement MAC filtering as you advised, just to be safe. Thanks for the reply :whistling:
  • 0

#4
Dan

    Trusted Tech

  • Retired Staff
  • 1,771 posts
Routers will assign IP Addresses in sequential order unless a user has opted to use a Static IP Address, in which case the router will attempt to assign the requested IP. In this case, it's likely that the user has set up a Static IP (192.168.2.18), and will therefore receive that specific IP each time s/he connects to the Network (unless there is an IP conflict).

I don't know of any brand of laptop which has the default name "MyBook", and when I Google'd the name, nothing leapt out at me. The way I see it, there are really only three possibilities --
a) One of your roommates has a computer/laptop named "MyBook" and is using your Wireless, under a Static IP;
b) There is some device connecting to your network for some strange reason; or
c) A malicious user is connecting to your Wireless.

In which case, if you were to assign MAC Filtering --
a) Eventually one of your roommates would investigate into why they have suddenly lost their wireless access;
b) You'll notice a change in performance of some device in your household;
c) You will have to sincerely apologise to the malicious user for inconveniencing him/her.

Either way, your little mystery will eventually be solved :whistling: You might have to step on some people's toes, but at least you won't have to worry about someone leeching off of your Wireless.
  • 0

#5
chopyaedoff

    Member
  • 148 posts
The name "MyBook" is the name that you assign to your computer in Windows (e.g. W2K3-BOX or LAPTOP1 are what 2 of the PCs on my network are called).

Although, in Mac OS there is no name.
  • 0

#6
Waterchan

    Member

  • Topic Starter
  • 18 posts
I just want to say that this issue has been resolved. It turns out that my girlfriend's new Dell Inspiron 6000 has the default name MyBook. When I found that out I almost snapped at her to change it to something recognizable :whistling:.

It seems that my Belkin wireless router doesn't always clear disconnected clients from the DHCP client list. So any clients that are listed there might have already been disconnected.

Anyway, just letting you know that if anyone else has this kind of problem, remember to check a friend's Dell.
  • 0

#7
Supernoob

    Member
  • 19 posts
I am having similar problems with my Belkin. I have a guy called 'elvis' listed on my DHCP client list. Since he appeared, the connection has been slow as [bleep]. Interestingly, it sometimes fails to list my own computer in the list, while my flatmate's is always present, whether his machine is on or not. The two 'real' computers are .1 and .2 at the end of our IP address, but this guy is .9. I really don't want to go knocking on neighbours' doors until the very last resort, as it could be seen as quite an aggressive accusation.

I am using MAC filtering, WEP, Client IP filter. None of it does a thing. HELP!
  • 0

#8
Waterchan

    Member

  • Topic Starter
  • 18 posts
Supernoob,

In my case, the mysterious client on my DHCP list appeared and remained there when my girlfriend's laptop failed to connect to my network, for whatever reason. In the beginning, I did not consider that it would be her, since all I thought was "Oh, her laptop never connected successfully, therefore it couldn't possibly be her." I guess it wasn't a total failure to connect. Do a router restart, which should clear your DHCP client list, and keep a mental note of who connects to your network with your permission. When "elvis" reappears, check your log, and post it here, and maybe some of the staff will be able to help. :whistling:

The result of my confusion was an oversight. Since you have both client IP and MAC filtering, I highly doubt it's an actual hacker, and I am tempted to think that my situation is not too different from yours.

Edited by Waterchan, 27 May 2006 - 05:36 PM.

  • 0
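One way to do the log check suggested above, as an added example that is not part of the original posts: it reads lines in the format of the router log from post #1, totals the DHCP server activity per LAN address, and lists addresses that are not on an allowlist. The function names, the allowlist, the 10-second OFFER window and the sample lines are assumptions made for this example; the "DHCP Client:" lines are assumed to be the router's own upstream lease and are skipped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format of the router log in post #1.
SAMPLE_LOG = """\
05/05/2006 22:30:51 sending ACK to 192.168.2.2
05/04/2006 05:33:06 sending ACK to 192.168.2.3
05/04/2006 05:33:06 sending OFFER to 192.168.2.3
05/04/2006 03:14:05 DHCP Client: Receive Ack from 192.168.1.1, 'Lease time'=36000
05/04/2006 01:41:54 sending ACK to 192.168.2.18
05/04/2006 01:41:54 sending OFFER to 192.168.2.18
05/04/2006 01:40:10 sending ACK to 192.168.2.18
05/04/2006 00:35:57 User from 192.168.2.3 timed out
05/04/2006 00:30:00 sending ACK to 192.168.2.18
"""

# Only the router's DHCP-server lines name a LAN client. Everything else
# (the "DHCP Client:" lines, assumed to be the router's own upstream lease,
# plus NTP, logins and scan alerts) is skipped.
LEASE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) sending (ACK|OFFER) to "
    r"(\d{1,3}(?:\.\d{1,3}){3})$"
)

def summarize_leases(log_text, known_ips, offer_window=timedelta(seconds=10)):
    """Return {ip: stats} for every LAN address the router leased."""
    events = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        events.setdefault(m.group(3), {"ACK": [], "OFFER": []})[m.group(2)].append(when)

    summary = {}
    for ip, ev in events.items():
        seen = ev["ACK"] + ev["OFFER"]
        # An ACK with no OFFER shortly before it means the client asked for
        # an address it already held (renewal or reconnect), which is one
        # way a device keeps coming back on the same IP.
        renewals = sum(
            1 for ack in ev["ACK"]
            if not any(timedelta(0) <= ack - off <= offer_window for off in ev["OFFER"])
        )
        summary[ip] = {
            "known": ip in known_ips,
            "acks": len(ev["ACK"]),
            "offers": len(ev["OFFER"]),
            "renewals": renewals,
            "first_seen": min(seen),
            "last_seen": max(seen),
        }
    return summary

def unknown_clients(summary):
    """Addresses that received a lease but are not on the allowlist."""
    return sorted(ip for ip, s in summary.items() if not s["known"])

if __name__ == "__main__":
    report = summarize_leases(SAMPLE_LOG, known_ips={"192.168.2.2", "192.168.2.3"})
    for ip in unknown_clients(report):
        s = report[ip]
        print(ip, s["acks"], "ACKs,", s["renewals"], "without OFFER,",
              s["first_seen"], "to", s["last_seen"])
```

Because the router's client list can keep stale entries, the first and last lease times from the log say more about when a device was actually present than the list does.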

#9
Supernoob

    Member
  • 19 posts
I'm STILL getting this elvis character. In the log, 'Russ' is my main computer (plugged to the router directly), 'unknown' is my XBOX (with wireless thingy), and 'Phoenix' is my flatmate. So who the [bleep] is 'Elvis'?

Jun.19.2006 17:43:35 security:59736.284 Blocked Prot=6, 151.197.59.220:62316 > 84.9.42.227:1976, S Seq=1225467105, Ack=0 -Disallowed Destination IP
Jun.19.2006 17:43:35 security:59736.593 Blocked Prot=17, 24.137.74.194:1156 > 84.9.42.227:137 -Default Defense
Jun.19.2006 17:43:35 security:59736.593 Blocked Prot=17, 24.137.74.194:1156 > 84.9.42.227:137 -Disallowed Destination IP
Jun.19.2006 17:43:36 security:59737.878 Blocked Prot=6, 84.9.217.48:18740 > 84.9.42.227:445, S Seq=0, Ack=0 -Default Defense
Jun.19.2006 17:43:36 security:59737.878 Blocked Prot=6, 84.9.217.48:18740 > 84.9.42.227:445, S Seq=0, Ack=0 -Disallowed Destination IP
Jun.19.2006 17:43:37 security:59739.154 Blocked Prot=6, 220.238.209.78:3914 > 84.9.42.227:1976, S Seq=911587950, Ack=0 -Default Defense
Jun.19.2006 17:43:38 security:59739.154 Blocked Prot=6, 220.238.209.78:3914 > 84.9.42.227:1976, S Seq=911587950, Ack=0 -Disallowed Destination IP
Jun.19.2006 17:43:39 security:59740.165 Blocked Prot=6, 71.116.40.133:50922 > 84.9.42.227:32459, S Seq=-1391304344, Ack=0 -Default Defense
Jun.19.2006 17:43:39 security:59740.165 Blocked Prot=6, 71.116.40.133:50922 > 84.9.42.227:32459, S Seq=-1391304344, Ack=0 -Disallowed Destination IP
Jun.19.2006 17:43:41 security:59742.424 Blocked Prot=6, 151.197.59.220:62316 > 84.9.42.227:1976, S Seq=1225467105, Ack=0 -Default Defense
Jun.19.2006 17:43:41 security:59742.424 Blocked Prot=6, 151.197.59.220:62316 > 84.9.42.227:1976, S Seq=1225467105, Ack=0 -Disallowed Destination IP
Jun.19.2006 17:43:42 security:59744.858 Blocked Prot=6, 220.238.209.78:3914 > 84.9.42.227:1976, S Seq=911587950, Ack=0 -Default Defense
Jun.19.2006 17:43:43 security:59744.858 Blocked Prot=6, 220.238.209.78:3914 > 84.9.42.227:1976, S Seq=911587950, Ack=0 -Disallowed Destination IP
Jun.19.2006 17:43:49 security:59750.234 Blocked Prot=6, 84.9.235.228:18334 > 84.9.42.227:445, S Seq=0, Ack=0 -Default Defense
Jun.19.2006 17:43:49 security:59750.234 Blocked Prot=6, 84.9.235.228:18334 > 84.9.42.227:445, S Seq=0, Ack=0 -Disallowed Destination IP
  • 0





