[ntp:questions] IP 72.8.140.222 is a shadowserver

Chuck Swiger cswiger at mac.com
Wed Oct 17 17:49:26 UTC 2012


Hi--

On Oct 17, 2012, at 10:04 AM, sh3120 wrote:
> Have sites complaining that 72.8.140.222 is showing up on command and control server. After research determined that IP is listed in the NTP.POOL.ORG listing of time servers. Unsure who to report this to to get it off the list.

The mailing list for the NTP pool is <pool at lists.ntp.org>.

Whether a machine has been infected by malware is not related directly to whether it is
serving good time.  The NTP pool has a scoring mechanism which will remove that IP if
it no longer provides good time:

  http://www.pool.ntp.org/scores/72.8.140.222

[ ...note reply-to: header; also, BCC:ing Ask, in case he decides to remove this IP... ]

> It can be confirmed by going to http://www.threatstop.com/checkip and checking the IP address.

Perhaps try contacting <abuse at indoforum.org> or the netblock owner, per WHOIS:

% whois 72.8.140.222
[ ... ]
OrgAbuseHandle: ABUSE2456-ARIN
OrgAbuseName:   ABUSE
OrgAbusePhone:  +1-949-202-5305
OrgAbuseEmail:  abuse at staminus.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2456-ARIN

OrgTechHandle: TECH380-ARIN
OrgTechName:   TECH
OrgTechPhone:  +1-949-202-5305
OrgTechEmail:  support at staminus.net
OrgTechRef:    http://whois.arin.net/rest/poc/TECH380-ARIN

Regards,
-- 
-Chuck


