[ntp:questions] IP is a shadowserver

Chuck Swiger cswiger at mac.com
Wed Oct 17 17:49:26 UTC 2012


On Oct 17, 2012, at 10:04 AM, sh3120 wrote:
> Have sites complaining that is showing up on command and control server. After research determined that IP is listed in the NTP.POOL.ORG listing of time servers. Unsure who to report this to to get it off the list.

The mailing list for the NTP pool is <pool at lists.ntp.org>.

Whether a machine has been infected by malware is not related directly to whether it is
serving good time.  The NTP pool has a scoring mechanism which will remove that IP if
it no longer provides good time:


[ ...note reply-to: header; also, BCC:ing Ask, in case he decides to remove this IP... ]

> It can be confirmed by going to http://www.threatstop.com/checkip and checking the IP address.

Perhaps try contacting <abuse at indoforum.org> or the netblock owner, per WHOIS:

% whois
[ ... ]
OrgAbuseHandle: ABUSE2456-ARIN
OrgAbuseName:   ABUSE
OrgAbusePhone:  +1-949-202-5305
OrgAbuseEmail:  abuse at staminus.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2456-ARIN

OrgTechHandle: TECH380-ARIN
OrgTechName:   TECH
OrgTechPhone:  +1-949-202-5305
OrgTechEmail:  support at staminus.net
OrgTechRef:    http://whois.arin.net/rest/poc/TECH380-ARIN
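
Added example, not part of the original message: a small Python parser that pulls the point-of-contact records out of ARIN-style WHOIS output like the excerpt above and picks the address to send a report to. The function names, the Abuse/NOC/Tech preference order, and the undoing of the archive's " at " rewriting are assumptions of this example.

```python
import re

# ARIN WHOIS names point-of-contact fields Org<Role><Field>, e.g. OrgAbuseEmail.
POC_LINE = re.compile(r"^Org(Abuse|NOC|Tech)(Handle|Name|Phone|Email|Ref):\s*(.+)$")
# Order in which to pick a reporting address (an assumption of this example).
PREFERENCE = ("Abuse", "NOC", "Tech")


def parse_pocs(whois_text):
    """Group Org<Role><Field> lines into {role: {field: value}}."""
    pocs = {}
    for line in whois_text.splitlines():
        m = POC_LINE.match(line.strip())
        if not m:
            continue  # comments, "[ ... ]" elisions, other record types
        role, field, value = m.groups()
        if field == "Email":
            # List archives rewrite "@" as " at "; undo it so the address is usable.
            value = re.sub(r"\s+at\s+", "@", value, count=1)
        pocs.setdefault(role, {})[field] = value
    return pocs


def reporting_contact(whois_text):
    """Return (role, email) for the preferred contact, or None if none is listed."""
    pocs = parse_pocs(whois_text)
    for role in PREFERENCE:
        email = pocs.get(role, {}).get("Email")
        if email and "@" in email:
            return role, email
    return None


# Sample input: the WHOIS excerpt from the message above, phone lines trimmed.
SAMPLE = """\
[ ... ]
OrgAbuseHandle: ABUSE2456-ARIN
OrgAbuseName:   ABUSE
OrgAbuseEmail:  abuse at staminus.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2456-ARIN

OrgTechHandle: TECH380-ARIN
OrgTechName:   TECH
OrgTechEmail:  support at staminus.net
OrgTechRef:    http://whois.arin.net/rest/poc/TECH380-ARIN
"""

if __name__ == "__main__":
    print(reporting_contact(SAMPLE))
```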

