#1  dingo (Member Super Senior)

    Strange MTK log

    In my Winbox log it looks like this:

    14:19:55 firewall,info DROP INPUT input: in:Wan out: (none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,PSH), 69.63.176.177:80->192.168.1.2:42078, len 300
    14:19:56 firewall,info DROP INPUT input: in:Wan out: (none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN,PSH), 69.63.176.177:80->192.168.1.2:42078, len 300
    14:19:57 firewall,info DROP INPUT input: in:Wan out: (none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,PSH), 69.63.176.165:80->192.168.1.2:42080, len 263
    14:19:57 firewall,info DROP INPUT input: in:Wan out: (none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,PSH), 69.63.176.165:80->192.168.1.2:42080, len 65
    14:19:57 firewall,info DROP INPUT input: in:Wan out: (none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN), 69.63.176.165:80->192.168.1.2:42080, len 40
    14:19:59 firewall,info DROP INPUT input: in:Wan out: (none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN,PSH), 69.63.176.177:80->192.168.1.2:42078, len 300
    14:20:00 firewall,info DROP INPUT input: in:Wan out: (none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,PSH), 69.63.176.165:80->192.168.1.2:42080, len 263
    14:20:06 firewall,info DROP INPUT input: in:Wan out: (none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN,PSH), 69.63.176.177:80->192.168.1.2:42078, len 300



    I wasn't sure where to put this thread, apologies to the admin if it is in the wrong room.
    I'd like to ask the masters for help: what does this mean?
    What's the solution?

    Topology: Modem = 192.168.1.1 ---- MTK = 192.168.1.2 on the modem side, 192.168.0.2 towards the clients ------- hub ----- clients (DHCP from the MTK). The modem is set to PPPoE.

    Here is the firewall filter:

    /ip firewall filter
    add chain=forward connection-state=established action=accept comment="allow \
    established connections" disabled=no
    add chain=forward connection-state=related action=accept comment="allow \
    related connections" disabled=no
    add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
    Messenger Worm" disabled=no
    add chain=forward connection-state=invalid action=drop comment="drop invalid \
    connections" disabled=no
    add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop \
    Blaster Worm" disabled=no
    add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
    disabled=no
    add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster \
    Worm" disabled=no
    add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster \
    Worm" disabled=no
    add chain=virus protocol=tcp dst-port=593 action=drop comment="________" \
    disabled=no
    add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" \
    disabled=no
    add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" \
    disabled=no
    add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" \
    disabled=no
    add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
    disabled=no
    add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
    disabled=no
    add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
    disabled=no
    add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
    disabled=no
    add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
    disabled=no
    add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
    disabled=no
    add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
    disabled=no
    add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" \
    disabled=no
    add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
    Beagle.C-K" disabled=no
    add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" \
    disabled=no
    add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
    OptixPro" disabled=no
    add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
    disabled=no
    add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
    disabled=no
    add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
    disabled=no
    add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
    disabled=no
    add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
    Dabber.A-B" disabled=no
    add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop \
    Dumaru.Y, better to disable this one since the port is also often used for \
    VPN or Webmin" disabled=no
    add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop \
    MyDoom.B" disabled=no
    add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
    disabled=no
    add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
    disabled=no
    add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
    SubSeven" disabled=no
    add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
    Agobot, Gaobot" disabled=no
    add chain=forward action=jump jump-target=virus comment="jump to the virus \
    chain" disabled=no
    add chain=input connection-state=established action=accept comment="Accept \
    established connections" disabled=no
    add chain=input connection-state=related action=accept comment="Accept related \
    connections" disabled=no
    add chain=input connection-state=invalid action=drop comment="Drop invalid \
    connections" disabled=no
    add chain=input protocol=udp action=accept comment="UDP" disabled=no
    add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow \
    limited pings" disabled=no
    add chain=input protocol=icmp action=drop comment="Drop excess pings" \
    disabled=no
    add chain=input protocol=tcp dst-port=21 src-address-list=ournetwork \
    action=accept comment="FTP" disabled=no
    add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork \
    action=accept comment="SSH for secure shell" disabled=no
    add chain=input protocol=tcp dst-port=23 src-address-list=ournetwork \
    action=accept comment="Telnet" disabled=no
    add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork \
    action=accept comment="Web" disabled=no
    add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork \
    action=accept comment="winbox" disabled=no
    add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" \
    disabled=no
    add chain=input src-address-list=ournetwork action=accept comment="From \
    Nebulanet network" disabled=no
    add chain=input action=log log-prefix="DROP INPUT" comment="Log everything \
    else" disabled=no
    add chain=input action=drop comment="Drop everything else" disabled=no
    add chain=virus protocol=udp dst-port=135 action=drop comment="Conficker" \
    disabled=no
    add chain=virus protocol=udp dst-port=137 action=drop comment="Conficker" \
    disabled=no
    add chain=virus protocol=udp dst-port=138 action=drop comment="Conficker" \
    disabled=no
    add chain=virus protocol=udp dst-port=445 action=drop comment="Conficker" \
    disabled=no
    add chain=virus protocol=tcp dst-port=135 action=drop comment="Conficker" \
    disabled=no
    add chain=virus protocol=tcp dst-port=139 action=drop comment="Conficker" \
    disabled=no
    add chain=virus protocol=tcp dst-port=5933 action=drop comment="Conficker" \
    disabled=no
    add chain=virus protocol=tcp dst-port=445 action=drop comment="Conficker" \
    disabled=no
    add chain=virus protocol=tcp dst-port=4691 action=drop comment="Conficker" \
    disabled=no

    Thanks in advance....
    Last edited by dingo; 27-06-2009 at 16:32.
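
As an added example (editor's code, not part of the thread), the log lines above parsed and triaged per flow. Every dropped packet in the post carries ACK, FIN or PSH but never SYN, comes from a web server port (80 or 443) and is addressed to 192.168.1.2, the router's own WAN address, on a high port. That is the reply direction of a connection that left through 192.168.1.2 (a masqueraded client, or the router's own proxy on port 3328): once that connection has closed or its tracking entry has expired, the peer's last or retransmitted segments no longer match `connection-state=established`, and with RouterOS's default loose TCP tracking a non-SYN packet without a tracking entry is picked up as `new` rather than `invalid`, so it slips past the invalid-drop and falls through to the log-and-drop pair at the bottom of the input chain. The 1, 3 and 7 second gaps in the 69.63.176.177 flow are TCP retransmission backoff: the server keeps resending its FIN because nothing on this side answers any more. The script separates that pattern from an unsolicited SYN. The sample log is the thread's own lines rejoined on single lines plus one constructed SYN line from a documentation address (198.51.100.7); the service-port set, the router address set and the verdict strings are this example's assumptions, not RouterOS logic.

```python
"""Added example (editor's code, not from the thread): parse RouterOS firewall
log lines written by `action=log log-prefix="DROP INPUT"` and triage them per
flow.  Sample lines are the thread's, plus one constructed SYN for contrast."""
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
14:19:55 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,PSH), 69.63.176.177:80->192.168.1.2:42078, len 300
14:19:56 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN,PSH), 69.63.176.177:80->192.168.1.2:42078, len 300
14:19:59 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN,PSH), 69.63.176.177:80->192.168.1.2:42078, len 300
14:20:06 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN,PSH), 69.63.176.177:80->192.168.1.2:42078, len 300
15:44:35 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN), 72.14.203.97:443->192.168.1.2:1862, len 40
15:44:55 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN), 72.14.203.97:443->192.168.1.2:1862, len 40
15:50:01 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (SYN), 198.51.100.7:51234->192.168.1.2:23, len 60
"""

LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>.*?) (?P<chain>\w+): "
    r"in:(?P<in>\S+) out:\s?(?P<out>[^,]+),\s*"
    r"(?:src-mac (?P<mac>[0-9a-fA-F:]{17}),\s*)?"           # absent on some link types
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?,\s*"   # flags only for TCP/ICMP
    r"(?P<src>[\w.]+)(?::(?P<sport>\d+))?->(?P<dst>[\w.]+)(?::(?P<dport>\d+))?,"
    r"\s*len (?P<len>\d+)$")

SERVICE_PORTS = {80, 443, 25, 110, 143, 993, 995, 8080}  # assumed "server side" ports
ROUTER_ADDRS = {"192.168.1.2"}  # the router's WAN address from the thread's ip address print

def parse(text):
    """Return one dict per line that matches the firewall log format; skip the rest."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["flags"] = set(d["flags"].split(",")) if d["flags"] else set()
        for k in ("sport", "dport", "len"):
            d[k] = int(d[k]) if d[k] is not None else None
        d["time"] = datetime.strptime(d["time"], "%H:%M:%S")
        recs.append(d)
    return recs

def classify(rec):
    """Heuristic verdict for one dropped packet (this example's assumption)."""
    if rec["proto"] != "TCP":
        return "non-tcp"
    if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
        return "unsolicited connection attempt"
    if (rec["sport"] in SERVICE_PORTS and (rec["dport"] or 0) >= 1024
            and rec["dst"] in ROUTER_ADDRS):
        # Reply-direction segment of an outbound connection that is no longer
        # tracked: closed already, or its NAT/conntrack entry has timed out.
        return "late segment of a connection the router already closed"
    return "mid-stream packet with no tracked connection"

def triage(text):
    """Group by (src, sport, dst, dport); report verdict, count, flags and gaps."""
    flows = defaultdict(list)
    for rec in parse(text):
        flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec)
    report = {}
    for key, recs in flows.items():
        times = [r["time"] for r in recs]
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[key] = {
            "verdict": classify(recs[0]),
            "count": len(recs),
            "flags": sorted({f for r in recs for f in r["flags"]}),
            "gaps": gaps,
            # Growing gaps between repeats of the same segment look like TCP
            # retransmission backoff, i.e. the peer never got an ACK from us.
            "retransmit_backoff": len(gaps) >= 2 and gaps == sorted(gaps),
        }
    return report

if __name__ == "__main__":
    for (src, sport, dst, dport), info in triage(LOG).items():
        print(f"{src}:{sport} -> {dst}:{dport}  x{info['count']}  "
              f"{','.join(info['flags'])}  gaps={info['gaps']}  {info['verdict']}")
```

Run on the thread's lines, the 69.63.176.177 flow comes out as four packets with gaps [1, 3, 7] and the late-segment verdict; only the constructed SYN to port 23 earns the "unsolicited" verdict, and that is the kind of line worth a whois. If the late segments are just noise, the usual cure is to keep them out of the log rather than to widen the input chain: a quiet drop placed before the log rule for TCP packets from the WAN with `tcp-flags=!syn`, or turning loose TCP tracking off under `/ip firewall connection tracking` so that such packets become `invalid` and hit the silent invalid-drop that already sits higher in the chain (check the exact setting name on your RouterOS version).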

#2  mattnux (Forum Guru)

    14:20:06 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN,PSH), 69.63.176.177:80->192.168.1.2:42078, len 300


    Whose IP is 69.63.176.177?
    It is trying to reach 192.168.1.2:42078, it happened at 14:20:06, but don't get paranoid just yet, maybe the NAT really is set up for online gaming; paste your ip firewall nat print as well, bro.

    paste ip address pr
    paste ip route pr

#3  dingo (Member Super Senior)

    Thanks for the response, bro, here is the data you asked for:

    ip add pr
    Flags: X - disabled, I - invalid, D - dynamic
     #   ADDRESS           NETWORK        BROADCAST        INTERFACE
     0   192.168.1.2/24    192.168.1.0    192.168.1.255    Wan
     1   192.168.0.2/24    192.168.0.0    192.168.0.255    Lan

    ip route pr
    Flags: X - disabled, A - active, D - dynamic,
    C - connect, S - static, r - rip, b - bgp, o - ospf
     #      DST-ADDRESS       PREF-SRC       G GATEWAY        DIS
     0 ADC  192.168.0.0/24    192.168.0.2
     1 ADC  192.168.1.0/24    192.168.1.2
     2 A S  0.0.0.0/0                        r 192.168.1.1

    I do run an internet café (warnet) as well as online gaming, bro. But I have no idea about that IP.
    Out of curiosity I pasted the IP into the browser, and all that came out was the text: "I'll find something to put here."
    Now I'm getting even more worried, paranoid even, bro. Forgive me, I'm a newbie.
    Last edited by dingo; 27-06-2009 at 16:51.

#4  mattnux (Forum Guru)

    Originally Posted by dingo:
        Thanks for the response, bro, here is the data you asked for:
        (ip address print and ip route print output as quoted in post #3 above)
        I do run an internet café (warnet) as well as online gaming, bro. But I have no idea about that IP.

    check your public IP using speedtest.net or cbn.net.id

    oh, and the ip firewall nat pr hasn't been pasted yet, bro

#5  dingo (Member Super Senior)

    ip fir nat pr
    Flags: X - disabled, I - invalid, D - dynamic
     0 chain=srcnat out-interface=Wan action=masquerade

     1 chain=dstnat in-interface=Lan protocol=icmp packet-mark=ICMP-PM action=redirect to-ports=1

     2 chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3328

     3 chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=3328

     4 chain=dstnat protocol=tcp dst-port=8000 action=redirect to-ports=3328

    My public IP is clearly not that one, bro.

#6  mattnux (Forum Guru)

    hm, so there is some mischief going on

    check whois, enter the naughty IP

    because in ip firewall nat pr there is no rule for dota towards your online gaming, bro

#7  dingo (Member Super Senior)

    How do I do that, bro???

    I just checked the log again and the IP has changed again:

    15:44:35 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN), 72.14.203.97:443->192.168.1.2:1862, len 40
    15:44:55 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN), 72.14.203.97:443->192.168.1.2:1862, len 40
    15:45:44 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN), 203.84.158.50:80->192.168.1.2:49643, len 52
    15:51:36 firewall,info DROP INPUT input: in:Wan out:(none), src-mac 00:1d:0f:a7:6d:1f, proto TCP (ACK,FIN), 213.174.140.113:80->192.168.1.2:50219, len 52

    Is this from online gaming? Was that IP for dota?

#8  mattnux (Forum Guru)

    doesn't look like online gaming to me, because the action is drop

    if it were online gaming the players would surely complain that they can't join your online game from outside

#9  mattnux (Forum Guru)

    since it has already made you paranoid, fine, I checked that IP
    the result:

    mattnux@mattnux-desktop:~$ whois 69.63.176.177

    OrgName: Facebook, Inc.
    OrgID: THEFA-3
    Address: 156 University Ave, 3rd floor
    City: Palo Alto
    StateProv: CA
    PostalCode: 94301
    Country: US

    NetRange: 69.63.176.0 - 69.63.191.255
    CIDR: 69.63.176.0/20
    OriginAS: AS32934
    NetName: TFBNET2
    NetHandle: NET-69-63-176-0-1
    Parent: NET-69-0-0-0-0
    NetType: Direct Assignment
    NameServer: DNS04.SF2P.TFBNW.NET
    NameServer: DNS05.SF2P.TFBNW.NET
    Comment: Contact abuse@facebook.com with issues.
    RegDate: 2007-02-07
    Updated: 2009-03-04

    RAbuseHandle: OPERA82-ARIN
    RAbuseName: Operations
    RAbusePhone: +1-650-543-4800
    RAbuseEmail: ops@facebook.com

    RNOCHandle: OPERA82-ARIN
    RNOCName: Operations
    RNOCPhone: +1-650-543-4800
    RNOCEmail: ops@facebook.com

    RTechHandle: OPERA82-ARIN
    RTechName: Operations
    RTechPhone: +1-650-543-4800
    RTechEmail: ops@facebook.com

    OrgTechHandle: OPERA82-ARIN
    OrgTechName: Operations
    OrgTechPhone: +1-650-543-4800
    OrgTechEmail: ops@facebook.com

    # ARIN WHOIS database, last updated 2009-06-26 20:00
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    mattnux@mattnux-desktop:~$

    turns out it's facebook, oh my god ....
    not a problem, bro....

#10  dingo (Member Super Senior)

    but why does it show up in the log and get dropped, bro???
    the other IP is Beemp3.com too

#11  mattnux (Forum Guru)

    it gets dropped because it is caught by a firewall filter rule

    if you want to find out which rule, check them one by one, bro, compare against your filter rules, or disable all your filter rules (open winbox > ip > firewall > filter, click one rule, Ctrl+A then disable / click the red X)
    look at your log again, then enable the filter rules again one by one, good luck

#12  xgoes (Newly Joined)

    bro, let me also ask, I have the same problem as above:
    DROP INPUT input: in:ppoe-out1 out:(none),proto TCP (ACK),117.121.249.26:80->125.xxx.xxx.xxx:2451,len 1480

    also the mikrotik can't be remoted from outside, it always gets blocked by the firewall, so I created a rule in the firewall:
    add action=accept chain=input comment="From Speedy" disabled=no in-interface="(unknown)"

    the repeating log lines don't show up anymore and the mikrotik can be remoted from outside. The question is, is there no problem if I enable the From Speedy filter rule? Because when I enable it, IPs I can't place show up very often in firewall connections.

    thanks for the enlightenment.
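
Post #1's rule set, post #11's "which rule dropped it" question and post #12's `From Speedy` fix all come down to how the input chain is walked, so here is an added example (editor's code, not from the thread) that parses an export in the same backslash-continued format, replays a logged packet through a chain and reports which rule stopped it and which log prefix it passed on the way, and audits the rules for accepts that no address, port or state matcher narrows. For the thread's packets the log prefix already names the logging rule ("Log everything else", immediately followed by "Drop everything else"), which is quicker than disabling rules one by one. The sample export is a constructed subset of the thread's rules plus post #12's rule placed above the log/drop pair (where it must sit to have the effect that post describes) and a narrowed alternative beside it; the interface name pppoe-out1 (post #12 spells it ppoe-out1), the `admins` address list and the `new` connection state given to the logged packet are assumptions of this example.

```python
"""Added example (editor's code, not from the thread): parse a RouterOS
`/ip firewall filter` export, replay a logged packet through a chain, and
audit for over-broad accepts.  EXPORT is a constructed subset of the thread's
rules; pppoe-out1, the `admins` list and LOGGED's `new` state are assumptions."""
import shlex

EXPORT = r'''/ip firewall filter
add chain=input connection-state=established action=accept comment="Accept \
established connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid \
connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork \
action=accept comment="SSH for secure shell" disabled=no
add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" \
disabled=no
add chain=input protocol=tcp dst-port=22,8291 in-interface=pppoe-out1 \
src-address-list=admins action=accept comment="remote admin, narrowed"
add action=accept chain=input comment="From Speedy" disabled=no \
in-interface=pppoe-out1
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything \
else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus \
chain" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
Beagle.C-K" disabled=no
'''

# The thread's packet: TCP to 192.168.1.2:42078 arriving on Wan.  State `new` is
# assumed: with loose TCP tracking a non-SYN packet that has no tracking entry is
# picked up as new rather than invalid, so the invalid-drop rule never sees it.
LOGGED = {"protocol": "tcp", "dst_port": 42078, "conn_state": "new",
          "src_lists": set(), "in_if": "Wan"}

def parse_export(text):
    """Join backslash-continued lines; turn each `add ...` line into a dict."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def port_matches(spec, port):
    """RouterOS port lists: comma-separated values and lo-hi ranges."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

MATCHERS = {  # the matchers this example understands; others are ignored
    "protocol": lambda v, p: v == p["protocol"],
    "dst-port": lambda v, p: port_matches(v, p["dst_port"]),
    "connection-state": lambda v, p: p["conn_state"] in v.split(","),
    "src-address-list": lambda v, p: v in p["src_lists"],
    "in-interface": lambda v, p: v == p["in_if"],
}

def rule_matches(rule, pkt):
    """A matcher absent from the rule is a wildcard; disabled rules never match."""
    if rule.get("disabled") == "yes":
        return False
    return all(test(rule[k], pkt) for k, test in MATCHERS.items() if k in rule)

def first_terminating_rule(rules, chain, pkt, prefixes=None):
    """Walk `chain` top to bottom as RouterOS does; return the index of the
    accept/drop that stops the packet plus the log prefixes it passed."""
    prefixes = [] if prefixes is None else prefixes
    for i, rule in enumerate(rules):
        if rule.get("chain") != chain or not rule_matches(rule, pkt):
            continue
        action = rule.get("action", "accept")
        if action == "log":
            prefixes.append(rule.get("log-prefix", ""))
        elif action == "jump":  # how the thread's `virus` chain is reached
            idx, _ = first_terminating_rule(rules, rule["jump-target"], pkt, prefixes)
            if idx is not None:
                return idx, prefixes
        elif action in ("accept", "drop", "reject"):
            return i, prefixes
    return None, prefixes

NARROWING = ("dst-port", "port", "src-address", "src-address-list",
             "connection-state", "dst-address")
SOURCE_LIMIT = ("src-address", "src-address-list", "connection-state")

def audit(rules):
    """(severity, index, message) for wide-open input accepts, services reachable
    from any source, and rules repeating an earlier chain/protocol/port/action."""
    findings, seen = [], set()
    for i, rule in enumerate(rules):
        if rule.get("disabled") == "yes":
            continue
        comment = rule.get("comment", "")
        if rule.get("chain") == "input" and rule.get("action", "accept") == "accept":
            if not any(k in rule for k in NARROWING):
                findings.append(("high", i, "accepts anything to the router: " + comment))
            elif not any(k in rule for k in SOURCE_LIMIT):
                findings.append(("info", i, "service open to any source: " + comment))
        key = tuple(rule.get(k) for k in ("chain", "protocol", "dst-port", "action"))
        if key[2] is not None and key in seen:
            findings.append(("low", i, "duplicates an earlier rule: " + comment))
        seen.add(key)
    return findings
```

Replaying `LOGGED` through `input` ends at "Drop everything else" with the prefix "DROP INPUT" collected, which is exactly the thread's log line; the same packet arriving on pppoe-out1 is accepted by "From Speedy" before it reaches the logging rule, which is why post #12's log went quiet. The audit rates that rule and post #1's `protocol=udp action=accept` as wide open: an accept keyed only on the incoming interface exposes every service the router runs (winbox, ssh, telnet, ftp, www, pptp) to the whole Internet, which is what lets unfamiliar addresses show up in the connection list. The narrowed rule beside it keeps remote management working for listed admin addresses on the management ports only. The duplicate 2745 rule from the thread's virus chain is reported as well.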

 

 
