[ntp:questions] Jesus Christ! -> even internet time-sync (NTP) is vulnerable to exploitation?
David H. Lipman
DLipman~nospam~ at Verizon.Net
Mon Dec 22 01:13:34 UTC 2014
From: "Virus Guy" <"Virus"@Guy . com>
> "David H. Lipman" wrote:
> (Dave Lipman posted examples from his router logs of incoming traffic to
> port 123)
>>> Um - did you notice that 220.127.116.11 resolves to
>>> Your other IP's resolve to:
>>> 18.104.22.168 = helium.constant.com
>>> 22.214.171.124 = server1.nyc.shellvatore.us
>>> 126.96.36.199 = 166-70-136-41.xmission.com
>>> 188.8.131.52 = time01.muskegonisd.org
>>> Someone thinks that you are operating a registered public
>>> NTP server on your IP.
>> That was just a short excerpt from one log. There is way more to
>> the log and I didn't care about who the IP belongs to.
>> A couple of months ago, that wasn't in the log to the same level
>> I am seeing today.
> I agree that it's likely there is a high(er) amount of probing going on
> on port 123 than usual (if there ever was a usual).
> But do you have nothing to say regarding the possibility (or
> probability) based on who is hitting you (that you posted above) that
> they think you are operating a real NTP server - and they're trying to
> make a legit time query?
> For example:
> We found 2 hostnames for IP Address 184.108.40.206
> 1 north-america.pool.ntp.org
> 2 220.127.116.11
> We found 2 hostnames for IP Address 18.104.22.168
> 1 us.pool.ntp.org
> 2 22.214.171.124
> We found 2 hostnames for IP Address 126.96.36.199
> 1 1.us.pool.ntp.org
> 2 188.8.131.52
> You gave five examples of IPs hitting you on port 123. Four of those
> are (or were) legit NTP servers.
> So either you are misreading your logs (and what you think are incoming
> queries on port 123 are really outgoing queries from some computer on
> your lan to something.pool.ntp.org), or these really are incoming
> queries coming from legit (or previous legit) NTP servers.
> If the answer is the latter, then these may very well be examples of
> compromised / trojanized NTP servers performing their own NTP probes
> under botnet control.
Nope. There is no reason to believe that the LAN behind the static IP does
anything but sync time periodically.
You've included news:protocols.time.ntp. We'll see if anyone from that NG
has some input/information.
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
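The thread turns on one question a defender can settle from the logs themselves: whether "port 123 traffic" is the LAN's own outgoing sync queries, the replies those queries provoke (which arrive from source port 123), or unsolicited inbound queries from hosts that treat the static IP as a public NTP server. The script below is an added example, not code from the thread or from any poster. It assumes an iptables-style `KEY=VALUE` log format, a LAN of 192.168.1.0/24 behind a WAN address of 203.0.113.5, and constructed sample lines using RFC 5737 documentation addresses; none of these are the real values from the discussion. It goes slightly beyond the thread by also flagging source-port-123 packets that answer no query we sent, which look like replies but were never requested.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not the thread's real log). The format is an
# assumption modelled on iptables LOG output. 203.0.113.5 stands in for the
# router's WAN address, 192.168.1.0/24 for the LAN, and 198.51.100.x /
# 192.0.2.x for remote hosts; all are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 21 20:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=123 DPT=40217
Dec 21 20:01:02 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=UDP SPT=40217 DPT=123
Dec 21 20:05:44 gw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 PROTO=UDP SPT=51020 DPT=123
Dec 21 20:05:45 gw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 PROTO=UDP SPT=51021 DPT=123
Dec 21 20:06:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP SPT=123 DPT=123
Dec 21 20:06:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=123 DPT=40300
Dec 21 20:07:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=203.0.113.5 PROTO=TCP SPT=4444 DPT=22
"""

# Assumed local addressing; adjust to the network being examined.
LAN = ipaddress.ip_network("192.168.1.0/24")
OUR_WAN = ipaddress.ip_address("203.0.113.5")
NTP_PORT = 123

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Extract src/dst/ports from one KEY=VALUE log line; None if not UDP or malformed."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "UDP":
        return None
    try:
        return {
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "spt": int(fields["SPT"]),
            "dpt": int(fields["DPT"]),
        }
    except (KeyError, ValueError):
        return None


def is_ours(addr):
    return addr in LAN or addr == OUR_WAN


def classify(pkt):
    """Label an NTP-related UDP packet by direction and port roles; None if not NTP."""
    if NTP_PORT not in (pkt["spt"], pkt["dpt"]):
        return None
    outbound = is_ours(pkt["src"])
    if outbound and pkt["dpt"] == NTP_PORT:
        return "client-query-out"       # our LAN asking a server for time
    if not outbound and pkt["spt"] == NTP_PORT and pkt["dpt"] != NTP_PORT:
        return "server-reply-in"        # looks like an answer to a query of ours
    if not outbound and pkt["dpt"] == NTP_PORT:
        return "unsolicited-query-in"   # remote host treats us as an NTP server
    return "other-ntp"                  # e.g. our side answering on port 123


def summarize(log_text):
    """Count NTP traffic by class and tally remote sources that sent us unrequested packets."""
    pkts = [p for p in map(parse_line, log_text.splitlines()) if p]
    # Servers we actually asked; a "reply" from anyone else was never requested.
    queried = {p["dst"] for p in pkts if classify(p) == "client-query-out"}
    counts, unrequested_sources = Counter(), Counter()
    for p in pkts:
        label = classify(p)
        if label is None:
            continue
        if label == "server-reply-in" and p["src"] not in queried:
            label = "reply-in-unrequested"
        counts[label] += 1
        if label in ("unsolicited-query-in", "reply-in-unrequested"):
            unrequested_sources[str(p["src"])] += 1
    return counts, unrequested_sources


if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label:24s} {n}")
    print("sources sending us packets we did not ask for:")
    for src, n in sources.most_common():
        print(f"  {src:16s} {n}")
```

Reading the output: the one "server-reply-in" line is the normal return leg of the LAN's own sync and is not evidence of anything, while the "unsolicited-query-in" and "reply-in-unrequested" tallies are the only rows that correspond to what the thread is arguing about. Routers that log pre-NAT or only the INPUT chain will present the fields differently, so the direction test relies on the source address rather than on the interface names.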