Suspicious Outbound NTPD Connection

Macintosh software/hardware discussion and troubleshooting

Moderator: James Steele

leigh
Posts: 428
Joined: Fri Oct 15, 2004 10:01 pm
Primary DAW OS: MacOS
Location: Ann Arbor MI

Suspicious Outbound NTPD Connection

Post by leigh »

Hi All,

I came in this morning and found this from Little Snitch:

[screenshot of the Little Snitch alert]

In Date & Time preferences, I have the system set to use "time.nist.gov".

According to IPillion.com, "The IP address 172.246.126.134 belongs to Enzu ISP in San Francisco (California, CA), United States (37.7748985291 and -122.419403076). The hostname is mail1.watchesofhongkong.com."

Any suggestions about what to look for on my system?

**Leigh
I don't care what you play. I care how you play.— Karl Berger

iMac Pro 3 GHz 10-Core Intel Xeon W, 128GB RAM, Mac OS X 14.2, DP 11.3
VSL, VE Pro 7, MIR Pro 3D, UVI Falcon, EZ Keys, EZ Drummer, Ozone 9 Advanced, RX 8 Advanced, Dorico 5, Metric Halo ULN-8-3D mkiv, ULN-2-3D & 2882-3D interfaces, Novation Impulse-49, various mics
Phil O
Posts: 7231
Joined: Thu Jul 28, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Scituate, MA

Re: Suspicious Outbound NTPD Connection

Post by Phil O »

This may shed some light:

http://apple.stackexchange.com/question ... connection

NIST.gov may use a pool as well. I don't know. If nothing else, it may give you some ideas of what to search for. Hope it helps.

Phil
DP 11.23, 2020 M1 Mac Mini [9,1] (16 Gig RAM), Mac Pro 3GHz 8 core [6,1] (16 Gig RAM), OS 14.3.1/11.6.2, Lynx Aurora (n) 8tb, MOTU 8pre-es, MOTU M6, MOTU 828, Apogee Rosetta 800, UAD-2 Satellite, a truckload of outboard gear and plug-ins, and a partridge in a pear tree.
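An added example, not from any post in this thread, of the check the posts above are circling: read the server names ntpd was configured with and ask whether the address in the alert is one that any of them currently resolves to. The ntp.conf text and the DNS answers are constructed (TEST-NET addresses, not NIST's real ones) so the logic runs offline; in real use pass `resolve_live`, which calls `socket.gethostbyname_ex`.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed ntp.conf text, in the shape Date & Time preferences writes it
# (assumption: the chosen server ends up as a single `server` line).
SAMPLE_NTP_CONF = """\
# Managed by System Preferences
server time.nist.gov
"""

# Constructed answers for the offline demo; the addresses are TEST-NET
# placeholders, not NIST's real ones.
FAKE_DNS: Dict[str, List[str]] = {
    "time.nist.gov": ["192.0.2.10", "192.0.2.11"],
}


def parse_servers(conf_text: str) -> List[str]:
    """Host names from the server/pool/peer lines of an ntp.conf, comments stripped."""
    hosts = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("server", "pool", "peer"):
            hosts.append(fields[1])
    return hosts


def resolve_live(host: str) -> List[str]:
    """All IPv4 addresses the name currently resolves to (needs network)."""
    return socket.gethostbyname_ex(host)[2]


def resolve_fake(host: str) -> List[str]:
    """Offline stand-in for resolve_live, backed by the constructed table."""
    return FAKE_DNS.get(host, [])


def find_server_for_ip(ip: str, conf_text: str,
                       resolve: Callable[[str], List[str]] = resolve_live) -> Optional[str]:
    """Name of the configured server that `ip` currently belongs to, or None.

    None is only weak evidence: names like time.nist.gov and pool.ntp.org
    round-robin over many addresses, so the set resolved now can differ from
    the one ntpd got when it started. `ntpq -pn` lists the peers ntpd has
    actually associated with, which is the stronger check."""
    for host in parse_servers(conf_text):
        if ip in resolve(host):
            return host
    return None


if __name__ == "__main__":
    alert_ip = "172.246.126.134"  # the address from the alert quoted in this thread
    print(find_server_for_ip(alert_ip, SAMPLE_NTP_CONF, resolve_fake))
```

One caveat on the pool question: time.nist.gov is NIST's own round-robin over NIST-operated servers, not part of pool.ntp.org, so ntppool.org cannot confirm membership; NIST publishes the member list itself on its time and frequency pages.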
bayswater
Posts: 11923
Joined: Fri Feb 16, 2007 9:06 pm
Primary DAW OS: MacOS
Location: Vancouver

Re: Suspicious Outbound NTPD Connection

Post by bayswater »

Some Whois lookups say the site is hosted in Guangdong province in China. Different info from what you found.
2018 Mini i7 32G 10.14.6, DP 11.3, Mixbus 9, Logic 10.5, Scarlett 18i8
leigh
Posts: 428
Joined: Fri Oct 15, 2004 10:01 pm
Primary DAW OS: MacOS
Location: Ann Arbor MI

Re: Suspicious Outbound NTPD Connection

Post by leigh »

bayswater wrote: Some Whois lookups say the site is hosted in Guangdong province in China. Different info from what you found.
That's a bit more disturbing.
cuttime
Posts: 4291
Joined: Sun May 15, 2005 10:01 pm
Primary DAW OS: MacOS

Re: Suspicious Outbound NTPD Connection

Post by cuttime »

A quick search of mail1.watchesofhongkong.com quickly took me to places I didn't want to go, including places that Chrome tried to automatically block. I understand your concern. If I was in your shoes I'd start by opening Activity Monitor and try to identify every process running. Open in safe mode, lather rinse, repeat. I'd then use FindAnyFile:
http://apps.tempel.org/FindAnyFile/
and search for the strings "genieo" and "installmac".

I'd then run http://www.adwaremedic.com/index.php

I'd finish off with a cocktail of virus scanners, including ClamXav.

Good info here: http://www.thesafemac.com/

Good Luck!
828x MacOS 13.6.5 M1 Studio Max 1TB 64G DP11.31
mikehalloran
Posts: 15134
Joined: Sun Jan 25, 2009 5:08 pm
Primary DAW OS: MacOS
Location: Sillie Con Valley

Re: Suspicious Outbound NTPD Connection

Post by mikehalloran »

That's a bit more disturbing.
Why? Because you don't understand it?

In that case, there are many, many processes in your Mac that can worry you. The best course is to learn what they are.

Do you know what UDP protocol is? Do you know what /usr/sbin/ntpd does? Both are easily searched.

Anyway, ntpd is the Network Time Protocol Daemon for UNIX. It will broadcast to all servers over UDP. Apparently, there's a time/date server in China on UDP port 41718. Imagine that. The ntpd requests time and date data–that's all it does. Servers, likewise, are broadcasting the same. Without this, your Mac can't keep time.

Read this for some understanding of UDP:
http://www.diffen.com/difference/TCP_vs_UDP
DP 11.31; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sonoma 14.4, USB4 8TB external, M-Audio AIR 192|14, Mackie ProFxv3 6/10/12; 2012 MBPs Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5.2, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 Pro, Toast 20 Pro
mikehalloran
Posts: 15134
Joined: Sun Jan 25, 2009 5:08 pm
Primary DAW OS: MacOS
Location: Sillie Con Valley

Re: Suspicious Outbound NTPD Connection

Post by mikehalloran »

cuttime wrote: A quick search of mail1.watchesofhongkong.com quickly took me to places I didn't want to go, including places that Chrome tried to automatically block. I understand your concern. If I was in your shoes I'd start by opening Activity Monitor and try to identify every process running. Open in safe mode, lather rinse, repeat. I'd then use FindAnyFile:
http://apps.tempel.org/FindAnyFile/
and search for the strings "genieo" and "installmac".

I'd then run http://www.adwaremedic.com/index.php

I'd finish off with a cocktail of virus scanners, including ClamXav.

Good info here: http://www.thesafemac.com/

Good Luck!
Well, that would be a nice way to waste a lot of time. Read my other post.

Really, the sky is not falling. Learn what things are before trying to chase the non-existent boogiemen away.
leigh
Posts: 428
Joined: Fri Oct 15, 2004 10:01 pm
Primary DAW OS: MacOS
Location: Ann Arbor MI

Re: Suspicious Outbound NTPD Connection

Post by leigh »

mikehalloran wrote:
That's a bit more disturbing.
Why? Because you don't understand it?

In that case, there are many, many processes in your Mac that can worry you. The best course is to learn what they are.

Do you know what UDP protocol is? Do you know what /usr/sbin/ntpd does? Both are easily searched.

Anyway, ntpd is the Network Time Protocol Daemon for UNIX. It will broadcast to all servers over UDP. Apparently, there's a time/date server in China on UDP port 41718. Imagine that. The ntpd requests time and date data–that's all it does. Servers, likewise, are broadcasting the same. Without this, your Mac can't keep time.

Read this for some understanding of UDP:
http://www.diffen.com/difference/TCP_vs_UDP
I have been using some form of Unix since 1983.

The well-known port for NTP is 123.

I do understand what NTP is and how it works. I know that it requests only time and date data. I understand that this is how my Mac (and most computers in the world) keep accurate time. I understand the difference between UDP and TCP.

What I don't understand is why my NTP daemon would be trying to connect to an NTP server at mail1.watchesofhongkong.com on port 41718. I couldn't find a way to check it at ntppool.org. What would be helpful to me is to tell me how to check to see if it's in a legitimate server pool used by time.nist.gov.

**Leigh
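An added example, not from any post in this thread, of the protocol detail behind the port question above. ntpd binds UDP 123 for both of its roles: its own time requests leave port 123 for the server's port 123, and a query that arrives on its port 123 from some other host is answered back to whatever source port that host used. The packets, addresses and ports here are constructed; 172.246.126.134 and 41718 are the values quoted in the thread. The reply case assumes ntpd is listening on 123 without `restrict` lines in ntp.conf, which is the stock configuration.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

NTP_PORT = 123      # well-known port; ntpd uses it as source and destination
MODE_CLIENT = 3     # RFC 5905 association modes
MODE_SERVER = 4


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int


def parse_header(pkt: bytes) -> NtpHeader:
    """Decode leap/version/mode and stratum from the 48-byte NTP header."""
    if len(pkt) < 48:
        raise ValueError("NTP packets are at least 48 bytes")
    first, stratum = struct.unpack("!BB", pkt[:2])
    return NtpHeader(leap=first >> 6, version=(first >> 3) & 0x7,
                     mode=first & 0x7, stratum=stratum)


def build_packet(mode: int, version: int = 4, stratum: int = 0) -> bytes:
    """Minimal 48-byte packet; timestamps stay zero, enough for the mode logic."""
    first = (version << 3) | mode
    return bytes([first, stratum]) + bytes(46)


def own_query(server_ip: str) -> Tuple[str, int, bytes]:
    """ntpd asking a configured server: mode 3, addressed to the server's port 123."""
    return server_ip, NTP_PORT, build_packet(MODE_CLIENT)


def answer_incoming(src_ip: str, src_port: int, pkt: bytes,
                    my_stratum: int = 2) -> Optional[Tuple[str, int, bytes]]:
    """What ntpd does with a datagram that arrived on its port 123.

    A mode-3 query gets a mode-4 reply sent back to the querier's own
    source port, which is almost never 123. A host firewall logs that reply
    as an *outbound* datagram from ntpd to src_ip:src_port."""
    hdr = parse_header(pkt)
    if hdr.mode != MODE_CLIENT:
        return None  # peers, control (mode 6) and mode-7 traffic are not modelled here
    return src_ip, src_port, build_packet(MODE_SERVER, hdr.version, my_stratum)


def explain_outbound(remote_port: int) -> str:
    """Rough reading of an outbound ntpd datagram from the remote port alone."""
    if remote_port == NTP_PORT:
        return "ntpd querying a time server; compare the IP with its configured servers"
    return ("ntpd replying to a query the remote host sent to this Mac's port 123; "
            "nothing on this Mac chose that host")


if __name__ == "__main__":
    # Constructed scenario: a client query arrives from the address in the thread.
    query = build_packet(MODE_CLIENT)
    print(answer_incoming("172.246.126.134", 41718, query)[:2])
    print(explain_outbound(41718))
```

Little Snitch shows the remote address and port but not the NTP mode, so the remote port is the first thing to read: a request ntpd made itself goes to remote port 123, and the IP should then match a configured server; an outbound datagram to a high remote port has the shape of a reply to a query that host sent in. `sudo lsof -nP -i UDP:123` shows whether ntpd has the port open, and `ntpq -pn` lists the peers it is actually polling.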
James Steele
Site Administrator
Posts: 21068
Joined: Fri Oct 15, 2004 10:01 pm
Primary DAW OS: MacOS
Location: San Diego, CA - U.S.A.

Re: Suspicious Outbound NTPD Connection

Post by James Steele »

mikehalloran wrote: Really, the sky is not falling. Learn what things are before trying to chase the non-existent boogiemen away.
I'm really trying to make this a friendlier place. If someone has made a mistake, if the correction could be less like scolding, I think that would be nice. Thanks.
JamesSteeleProject.com | Facebook | Instagram | Twitter

Mac Studio M1 Max, 64GB/2TB, MacOS 14.4.1 Sonoma, DP 11.31, MOTU 828es, MOTU 24Ai, MOTU MIDI Express XT, UAD-2 TB3 Satellite OCTO, Console 1 Mk2, Avid S3, NI Komplete Kontrol S88 Mk2, Red Type B, Millennia HV-3C, Warm Audio WA-2A, AudioScape 76F, Dean guitars, Marshall amps, etc., etc.!
cuttime
Posts: 4291
Joined: Sun May 15, 2005 10:01 pm
Primary DAW OS: MacOS

Re: Suspicious Outbound NTPD Connection

Post by cuttime »

bayswater
Posts: 11923
Joined: Fri Feb 16, 2007 9:06 pm
Primary DAW OS: MacOS
Location: Vancouver

Re: Suspicious Outbound NTPD Connection

Post by bayswater »

The first link gave me an impenetrable article. The second gave me an equally opaque blank page.
billf
Posts: 3662
Joined: Sat Jan 22, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Home

Re: Suspicious Outbound NTPD Connection

Post by billf »

It definitely is a security issue. There was a security update issued by Apple on December 22nd for this.

https://support.apple.com/en-us/HT6601
MacPro5,1 2012, six core 2 x 3.06, 10.12.5, Digital Performer 9.13, 40 gb ram, 828mkIII, 2408 mkII, MTP AV, Logic Pro X 10.3.1, Studio One v 3.2, Pro Tools 12.7.1
BKK-OZ
Posts: 1943
Joined: Sat Jan 22, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Oztrailia

Re: Suspicious Outbound NTPD Connection

Post by BKK-OZ »

Cheers,
BK

…string theory says that all subatomic particles of the universe are nothing but musical notes. A, B-flat, C-sharp, correspond to electrons, neutrinos, quarks, and what have you. Therefore, physics is nothing but the laws of harmony of these strings. Chemistry is nothing but the melodies we can play on these strings. The universe is a symphony of strings and the mind of God… it is cosmic music resonating through 11 dimensional hyperspace.
- M Kaku