[ntp:questions] Jesus Christ! -> even internet time-sync (NTP) is vulnerable to exploitation?

David H. Lipman DLipman~nospam~ at Verizon.Net
Mon Dec 22 01:13:34 UTC 2014


From: "Virus Guy" <"Virus"@Guy . com>

> "David H. Lipman" wrote:
>
> (Dave Lipman posted examples from his router logs of incoming traffic to
> port 123)
>
>>> Um - did you notice that 149.20.68.17 resolves to
>>> pool-test.ntp.org?
>>>
>>> Your other IP's resolve to:
>>>
>>> 108.61.73.244  = helium.constant.com
>>> 162.243.55.105 = server1.nyc.shellvatore.us
>>> 166.70.136.41  = 166-70-136-41.xmission.com
>>> 198.110.48.12  = time01.muskegonisd.org
>>>
>>> Someone thinks that you are operating a registered public
>>> NTP server on your IP.
>>
>> That was just a short excerpt from one log.  There is way more to
>> the log and I didn't care about who the IP belongs to.
>>
>> A couple of months ago, that wasn't in the log to the same level
>> I am seeing today.
>
> I agree that it's likely there is a high(er) amount of probing going on
> on port 123 than usual (if there ever was a usual).
>
> But do you have nothing to say regarding the possibility (or
> probability) based on who is hitting you (that you posted above) that
> they think you are operating a real NTP server - and they're trying to
> make a legit time query?
>
> For example:
>
> =======================================
> http://108.61.73.244.ipaddress.com/
>
> We found 2 hostnames for IP Address 108.61.73.244
> 1  north-america.pool.ntp.org
> 2  108.61.73.244
>
> We found 2 hostnames for IP Address 162.243.55.105
> 1  us.pool.ntp.org
> 2  162.243.55.105
>
> We found 2 hostnames for IP Address 198.110.48.12
> 1  1.us.pool.ntp.org
> 2  198.110.48.12
> =========================================
>
> You gave five examples of IP's hitting you on port 123.  Four of those
> are (or were) legit NTP servers.
>
> So either you are misreading your logs (and what you think are incoming
> queries on port 123 are really outgoing queries from some computer on
> your lan to something.pool.ntp.org), or these really are incoming
> queries coming from legit (or previous legit) NTP servers.
>
> If the answer is the latter, then these may very well be examples of
> compromised / trojanized NTP servers performing their own NTP probes
> under botnet control.

Nope.  There is no reason to believe that the LAN behind the static IP does
anything but sync time periodically.

You've included news:protocols.time.ntp.  We'll see if anyone from that NG
has some input/information.

-- 
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp 
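The thread turns on whether the port-123 entries are incoming queries or replies to the LAN's own sync. The script below is an added example (not from either poster) that sorts router log lines by direction and port pair, using the hostnames resolved in the thread; the log line format and the 203.0.113.10 / 192.168.1.20 addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed router-style log lines: direction, proto, src:sport -> dst:dport.
# The real log format in the thread is not shown; this layout is assumed.
SAMPLE_LOG = """\
IN UDP 108.61.73.244:123 -> 203.0.113.10:123
IN UDP 162.243.55.105:123 -> 203.0.113.10:123
IN UDP 166.70.136.41:123 -> 203.0.113.10:123
IN UDP 198.110.48.12:123 -> 203.0.113.10:123
IN UDP 149.20.68.17:123 -> 203.0.113.10:45123
OUT UDP 192.168.1.20:45123 -> 149.20.68.17:123
IN UDP 198.51.100.7:40000 -> 203.0.113.10:123
"""

# Hostnames the thread's participants resolved for the five source addresses.
KNOWN_POOL_HOSTS = {
    "108.61.73.244": "helium.constant.com / north-america.pool.ntp.org",
    "162.243.55.105": "server1.nyc.shellvatore.us / us.pool.ntp.org",
    "166.70.136.41": "166-70-136-41.xmission.com",
    "198.110.48.12": "time01.muskegonisd.org / 1.us.pool.ntp.org",
    "149.20.68.17": "pool-test.ntp.org",
}

LINE_RE = re.compile(r"^(IN|OUT) UDP (\S+):(\d+) -> (\S+):(\d+)$")

def classify(line):
    """Label one line by direction and ports: a reply to our own query has
    sport 123 and an ephemeral dport; an unsolicited query has dport 123.
    ntpd-style peers send from 123, so 123->123 is server-to-server traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    direction, src, sport, dst, dport = m.groups()
    if direction == "OUT":
        return "outgoing-query" if dport == "123" else "outgoing-other"
    if dport != "123":
        return "reply-to-our-query" if sport == "123" else "inbound-other"
    return "inbound-query-sport123" if sport == "123" else "inbound-query-ephemeral"

def summarize(log):
    """Count each class and list inbound query sources with their known hostname."""
    counts, inbound = Counter(), []
    for line in log.splitlines():
        label = classify(line)
        counts[label] += 1
        if label.startswith("inbound-query"):
            src = LINE_RE.match(line.strip()).group(2)
            inbound.append((src, KNOWN_POOL_HOSTS.get(src, "unknown")))
    return counts, inbound
```

Four of the constructed inbound lines are 123-to-123 from resolved pool hosts, which is what server-to-server NTP looks like, while the single 123-to-ephemeral line is simply the LAN's own sync coming back.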