On Mon, Dec 21, 2009 at 07:24:31AM +0000, Arief Yudhawarman wrote:

Correction: there is no need to go as far as the FORWARD chain; the PREROUTING chain is enough.

2. The small script below adds rules to iptables to log access
   to the Conficker IPs:

   #!/bin/sh
   LAN_IFACE="eth0"
   IPTABLES="/usr/sbin/iptables"
   FIPCONFICKER="/etc/conficker/ip.conficker"
   while read -r IPCONFICKER
   do
        # skip empty lines in the IP list
        [ -n "$IPCONFICKER" ] || continue
        # only for kernel 2.6 for use with option -m comment
        # CHAIN PREROUTING
        # uncomment this to drop access to ip conficker
        #$IPTABLES -t nat -I PREROUTING -i $LAN_IFACE -d $IPCONFICKER -j DROP \
        #-m comment --comment "IP Conficker"
        $IPTABLES -t nat -I PREROUTING -i "$LAN_IFACE" -d "$IPCONFICKER" -j LOG \
           --log-prefix "CONFICKER" --log-ip-options
   done <"$FIPCONFICKER"
 
This is a client accessing a Conficker IP:

y...@files:~$ ping 221.7.91.31 -c 1
PING 221.7.91.31 (221.7.91.31) 56(84) bytes of data.

--- 221.7.91.31 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

y...@files:~$ telnet 221.7.91.31 80
Trying 221.7.91.31...

y...@files:~$ 

This is what syslog shows:
....
Dec 21 14:29:14 proxy kernel: CONFICKERIN=eth0 OUT= MAC=00:50:04:d1:02:e0:00:19:21:13:57:5d:08:00 SRC=192.168.0.252 DST=221.7.91.31 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=11322 SEQ=1
Dec 21 14:29:34 proxy kernel: CONFICKERIN=eth0 OUT= MAC=00:50:04:d1:02:e0:00:19:21:13:57:5d:08:00 SRC=192.168.0.252 DST=221.7.91.31 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=4679 DF PROTO=TCP SPT=40877 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 21 14:29:37 proxy kernel: CONFICKERIN=eth0 OUT= MAC=00:50:04:d1:02:e0:00:19:21:13:57:5d:08:00 SRC=192.168.0.252 DST=221.7.91.31 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=4680 DF PROTO=TCP SPT=40877 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

-- 

Thanks in advance.

Regards,

~~ Arief Yudhawarman ~~

