Suspicious Outbound NTPD Connection
Moderator: James Steele
Hi All,
I came in this morning and found this from Little Snitch:
In Date & Time preferences, I have the system set to use "time.nist.gov".
According to IPillion.com, "The IP address 172.246.126.134 belongs to Enzu ISP in San Francisco (California, CA), United States (37.7748985291 and -122.419403076). The hostname is mail1.watchesofhongkong.com."
Any suggestions about what to look for on my system?
**Leigh
I don't care what you play. I care how you play.— Karl Berger
iMac Pro 3 GHz 10-Core Intel Xeon W, 128GB RAM, Mac OS X 14.2, DP 11.3
VSL, VE Pro 7, MIR Pro 3D, UVI Falcon, EZ Keys, EZ Drummer, Ozone 9 Advanced, RX 8 Advanced, Dorico 5, Metric Halo ULN-8-3D mkiv, ULN-2-3D & 2882-3D interfaces, Novation Impulse-49, various mics
Re: Suspicious Outbound NTPD Connection
This may shed some light:
http://apple.stackexchange.com/question ... connection
NIST.gov may use a pool as well. I don't know. If nothing else, it may give you some ideas of what to search for. Hope it helps.
Phil
DP 11.23, 2020 M1 Mac Mini [9,1] (16 Gig RAM), Mac Pro 3GHz 8 core [6,1] (16 Gig RAM), OS 14.3.1/11.6.2, Lynx Aurora (n) 8tb, MOTU 8pre-es, MOTU M6, MOTU 828, Apogee Rosetta 800, UAD-2 Satellite, a truckload of outboard gear and plug-ins, and a partridge in a pear tree.
Re: Suspicious Outbound NTPD Connection
Some Whois lookups say the site is hosted in Guangdong province in China. Different info from what you found.
2018 Mini i7 32G 10.14.6, DP 11.3, Mixbus 9, Logic 10.5, Scarlett 18i8
Re: Suspicious Outbound NTPD Connection
bayswater wrote:
> Some Whois lookups say the site is hosted in Guangdong province in China. Different info from what you found.

That's a bit more disturbing.
I don't care what you play. I care how you play.— Karl Berger
iMac Pro 3 GHz 10-Core Intel Xeon W, 128GB RAM, Mac OS X 14.2, DP 11.3
VSL, VE Pro 7, MIR Pro 3D, UVI Falcon, EZ Keys, EZ Drummer, Ozone 9 Advanced, RX 8 Advanced, Dorico 5, Metric Halo ULN-8-3D mkiv, ULN-2-3D & 2882-3D interfaces, Novation Impulse-49, various mics
Re: Suspicious Outbound NTPD Connection
A quick search of mail1.watchesofhongkong.com quickly took me to places I didn't want to go, including places that Chrome tried to automatically block. I understand your concern. If I was in your shoes I'd start by opening Activity Monitor and try to identify every process running. Open in safe mode, lather rinse, repeat. I'd then use FindAnyFile:
http://apps.tempel.org/FindAnyFile/
and search for the strings "genieo" and "installmac".
I'd then run http://www.adwaremedic.com/index.php
I'd finish off with a cocktail of virus scanners, including ClamXav.
Good info here: http://www.thesafemac.com/
Good Luck!
828x MacOS 13.6.5 M1 Studio Max 1TB 64G DP11.31
- mikehalloran
- Posts: 15134
- Joined: Sun Jan 25, 2009 5:08 pm
- Primary DAW OS: MacOS
- Location: Sillie Con Valley
Re: Suspicious Outbound NTPD Connection
> That's a bit more disturbing.

Why? Because you don't understand it?
In that case, there are many, many processes in your Mac that can worry you. The best course is to learn what they are.
Do you know what UDP protocol is? Do you know what /usr/sbin/ntpd does? Both are easily searched.
Anyway, ntpd is the Network Time Protocol Daemon for UNIX. It will broadcast to all servers over UDP. Apparently, there's a time/date server in China on UDP port 41718. Imagine that. The ntpd requests time and date data–that's all it does. Servers, likewise, are broadcasting the same. Without this, your Mac can't keep time.
Read this for some understanding of UDP:
http://www.diffen.com/difference/TCP_vs_UDP
DP 11.31; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sonoma 14.4, USB4 8TB external, M-Audio AIR 192|14, Mackie ProFxv3 6/10/12; 2012 MBPs Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5.2, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 Pro, Toast 20 Pro
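The request/reply exchange the post above describes, as an added worked example that is not part of the thread and not from any of the posters: it builds the 48-byte NTP version 4 header a client sends (mode 3), parses a constructed mode-4 server reply, and computes the clock offset and round-trip delay the client derives from the four timestamps, as laid out in RFC 5905. All timestamps, the 1.5 s clock error and the "NIST" reference ID are constructed values; nothing is sent on the network. Two protocol facts worth keeping in mind while reading the thread: an NTP client sends its queries to UDP port 123 on each server it is configured with, and a high-numbered port on a UDP exchange is normally the ephemeral port chosen by whichever host sent the first packet.

```python
"""Worked NTP request/reply (RFC 5905 header). Added illustration; all values constructed, no network."""
import struct

NTP_PORT = 123                # IANA-assigned UDP port for NTP
NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}


def to_ntp_ts(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit binary fraction)."""
    total = unix_seconds + NTP_UNIX_DELTA
    whole = int(total)
    frac = int((total - whole) * (1 << 32))       # truncate: never rounds up into the next second
    return (whole << 32) | (frac & 0xFFFFFFFF)


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(transmit_unix):
    """The mode-3 packet a client sends: LI=0, VN=4, mode=3, stratum 0, only the transmit
    timestamp filled in. Everything else is zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    pkt = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)            # LI/VN/mode, stratum, poll, precision
    pkt += struct.pack("!II", 0, 0)                            # root delay, root dispersion (16.16)
    pkt += b"\x00\x00\x00\x00"                                 # reference ID
    pkt += struct.pack("!QQQQ", 0, 0, 0, to_ntp_ts(transmit_unix))  # reference, origin, receive, transmit
    return pkt


def parse_packet(data):
    """Decode the fixed 48-byte header; reject anything shorter."""
    if len(data) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(data))
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", data[:4])
    root_delay, root_disp = struct.unpack("!II", data[4:12])
    ref_id = data[12:16]
    ref, orig, recv, xmit = struct.unpack("!QQQQ", data[16:48])
    mode = li_vn_mode & 0x7
    return {
        "leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 0x7,
        "mode": mode, "mode_name": MODE_NAMES.get(mode, "reserved"),
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay / 65536.0, "root_dispersion": root_disp / 65536.0,
        "reference_id": ref_id,
        "reference_time": from_ntp_ts(ref), "origin_time": from_ntp_ts(orig),
        "receive_time": from_ntp_ts(recv), "transmit_time": from_ntp_ts(xmit),
    }


def build_server_reply(request, receive_unix, transmit_unix, stratum=1, ref_id=b"NIST"):
    """Constructed mode-4 reply. The server copies the client's transmit timestamp verbatim into
    the origin field; the client uses that to match a reply to the request it actually sent and
    to discard anything unsolicited or carrying a wrong origin."""
    req = parse_packet(request)
    if req["mode"] != 3:
        raise ValueError("not a client request")
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    pkt = struct.pack("!BBbb", li_vn_mode, stratum, req["poll"], -20)
    pkt += struct.pack("!II", 0, 0)
    pkt += ref_id[:4].ljust(4, b"\x00")
    origin_raw = struct.unpack("!Q", request[40:48])[0]        # raw bytes, no float round trip
    pkt += struct.pack("!QQQQ", to_ntp_ts(receive_unix - 60), origin_raw,   # reference time: constructed
                       to_ntp_ts(receive_unix), to_ntp_ts(transmit_unix))
    return pkt


def clock_offset(t1, t2, t3, t4):
    """Offset of the client clock: ((T2 - T1) + (T3 - T4)) / 2, with T1 client transmit,
    T2 server receive, T3 server transmit, T4 client receive (RFC 5905 section 8)."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def round_trip_delay(t1, t2, t3, t4):
    """Round-trip delay with the server's own processing time removed."""
    return (t4 - t1) - (t3 - t2)


def demo_exchange():
    """One simulated exchange: the client clock runs 1.5 s slow and each direction takes 20 ms."""
    t1 = 1419292800.0                   # constructed: 2014-12-23 00:00:00 UTC by the client's (slow) clock
    request = build_client_request(t1)
    t2 = t1 + 1.5 + 0.020               # server receives, by the server's (correct) clock
    t3 = t2 + 0.001                     # server transmits
    reply = build_server_reply(request, t2, t3)
    t4 = t1 + 0.041                     # client receives, by its own clock
    resp = parse_packet(reply)
    if resp["mode"] != 4 or abs(resp["origin_time"] - t1) > 1e-6:
        raise ValueError("reply does not match our request; drop it")
    return {
        "mode_name": resp["mode_name"], "stratum": resp["stratum"],
        "reference_id": resp["reference_id"],
        "offset": clock_offset(t1, resp["receive_time"], resp["transmit_time"], t4),
        "delay": round_trip_delay(t1, resp["receive_time"], resp["transmit_time"], t4),
    }


if __name__ == "__main__":
    print(demo_exchange())
```

The origin-timestamp check in `demo_exchange` is the part a practitioner should notice: a client only accepts a reply whose origin field echoes the transmit timestamp it sent, so an unsolicited packet from an unknown host is discarded rather than used to set the clock.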
- mikehalloran
- Posts: 15134
- Joined: Sun Jan 25, 2009 5:08 pm
- Primary DAW OS: MacOS
- Location: Sillie Con Valley
Re: Suspicious Outbound NTPD Connection
cuttime wrote:
> A quick search of mail1.watchesofhongkong.com quickly took me to places I didn't want to go, including places that Chrome tried to automatically block. I understand your concern. If I was in your shoes I'd start by opening Activity Monitor and try to identify every process running. Open in safe mode, lather rinse, repeat. I'd then use FindAnyFile:
> http://apps.tempel.org/FindAnyFile/
> and search for the strings "genieo" and "installmac".
> I'd then run http://www.adwaremedic.com/index.php
> I'd finish off with a cocktail of virus scanners, including ClamXav.
> Good info here: http://www.thesafemac.com/
> Good Luck!

Well, that would be a nice way to waste a lot of time. Read my other post.
Really, the sky is not falling. Learn what things are before trying to chase the non-existent boogeymen away.
DP 11.31; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sonoma 14.4, USB4 8TB external, M-Audio AIR 192|14, Mackie ProFxv3 6/10/12; 2012 MBPs Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5.2, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 Pro, Toast 20 Pro
Re: Suspicious Outbound NTPD Connection
mikehalloran wrote:
> Why? Because you don't understand it?
> In that case, there are many, many processes in your Mac that can worry you. The best course is to learn what they are.
> Do you know what UDP protocol is? Do you know what /usr/sbin/ntpd does? Both are easily searched.
> Anyway, ntpd is the Network Time Protocol Daemon for UNIX. It will broadcast to all servers over UDP. Apparently, there's a time/date server in China on UDP port 41718. Imagine that. The ntpd requests time and date data–that's all it does. Servers, likewise, are broadcasting the same. Without this, your Mac can't keep time.
> Read this for some understanding of UDP:
> http://www.diffen.com/difference/TCP_vs_UDP

I have been using some form of Unix since 1983.
The well-known port for NTP is 123.
I do understand what NTP is and how it works. I know that it requests only time and date data. I understand that this is how my Mac (and most computers in the world) keep accurate time. I understand the difference between UDP and TCP.
What I don't understand is why my NTP daemon would be trying to connect to an NTP server at mail1.watchesofhongkong.com on port 41718. I couldn't find a way to check it at ntppool.org. What would be helpful to me is to tell me how to check to see if it's in a legitimate server pool used by time.nist.gov.
**Leigh
I don't care what you play. I care how you play.— Karl Berger
iMac Pro 3 GHz 10-Core Intel Xeon W, 128GB RAM, Mac OS X 14.2, DP 11.3
VSL, VE Pro 7, MIR Pro 3D, UVI Falcon, EZ Keys, EZ Drummer, Ozone 9 Advanced, RX 8 Advanced, Dorico 5, Metric Halo ULN-8-3D mkiv, ULN-2-3D & 2882-3D interfaces, Novation Impulse-49, various mics
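One way to answer the question in the post above (is the remote address one of the configured time servers, and which side started the exchange), as an added example that is not from the thread or any poster. It parses constructed lines in the shape of `sudo lsof -nP -i UDP -a -c ntpd` output, reads the `server` lines of a constructed ntp.conf (on OS X of that era the live file is /etc/ntp.conf, written by Date & Time preferences), and compares each remote address against the resolved addresses of those servers. The resolution table is constructed so the script runs offline: 192.0.2.10 is an RFC 5737 documentation address standing in for whatever time.nist.gov resolves to on the day, and passing `None` instead resolves live with `socket.getaddrinfo`. The classification rests on one protocol fact: an NTP client sends to UDP 123, so an ntpd socket bound to 123 and connected to a high remote port is consistent with ntpd answering a packet that the remote host sent first, because the reply goes back to the sender's source port. Whether that is what Little Snitch showed here is an assumption, since the screenshot is not on the page.

```python
"""Triage of ntpd UDP sockets against the configured time servers. Added example; all inputs constructed."""
import ipaddress
import re
import socket

NTP_PORT = 123

# Constructed sample in the shape of `sudo lsof -nP -i UDP -a -c ntpd` output on OS X.
# "a->b" marks a UDP socket connected to a remote address:port.
SAMPLE_LSOF = """\
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ntpd    101 root   20u  IPv4 0xabc      0t0  UDP *:123
ntpd    101 root   21u  IPv4 0xabd      0t0  UDP 192.168.1.20:123->192.0.2.10:123
ntpd    101 root   22u  IPv4 0xabe      0t0  UDP 192.168.1.20:123->172.246.126.134:41718
"""

# Constructed stand-in for /etc/ntp.conf as written by Date & Time preferences.
SAMPLE_NTP_CONF = """\
server time.nist.gov
"""

# Constructed DNS answers so the example runs offline; 192.0.2.10 is a documentation
# address (RFC 5737), not a real NIST server. Pass None to resolve live instead.
SAMPLE_RESOLUTION = {"time.nist.gov": {"192.0.2.10"}}

SOCKET_RE = re.compile(r"UDP\s+(?P<local>\S+?):(?P<lport>\d+)(?:->(?P<remote>\S+?):(?P<rport>\d+))?$")


def configured_servers(ntp_conf_text):
    """Hostnames from server/peer/pool lines, ignoring comments."""
    hosts = []
    for line in ntp_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("server", "peer", "pool"):
            hosts.append(parts[1])
    return hosts


def resolve(host, table=None):
    """Addresses for host: from the constructed table, or via DNS when table is None."""
    if table is not None:
        return set(table.get(host, ()))
    return {info[4][0] for info in socket.getaddrinfo(host, NTP_PORT, proto=socket.IPPROTO_UDP)}


def classify_socket(line, known_ips):
    """Decide which side started the exchange from the ports alone: NTP servers are queried on
    UDP 123, so a socket bound to 123 and connected to a high remote port is ntpd answering a
    packet the remote host sent first (replies go back to the sender's source port)."""
    m = SOCKET_RE.search(line)
    if not m or not m.group("remote"):
        return None                                   # not a UDP line, or a listening socket
    local_port, remote_port = int(m.group("lport")), int(m.group("rport"))
    remote = str(ipaddress.ip_address(m.group("remote").strip("[]")))   # raises on a non-IP
    if remote_port == NTP_PORT:
        role = "client"
        verdict = "expected" if remote in known_ips else "investigate: server not in ntp.conf"
    elif local_port == NTP_PORT:
        role = "server reply"
        verdict = "remote host initiated this; not driven by our server list"
    else:
        role = "unknown"
        verdict = "investigate: neither side on port 123"
    return {"remote": remote, "remote_port": remote_port, "local_port": local_port,
            "role": role, "configured": remote in known_ips, "verdict": verdict}


def triage(lsof_text, ntp_conf_text, resolution_table=None):
    """Resolve every configured server, then classify each connected ntpd socket."""
    known = set()
    for host in configured_servers(ntp_conf_text):
        known |= resolve(host, resolution_table)
    rows = (classify_socket(ln, known) for ln in lsof_text.splitlines())
    return [r for r in rows if r]


if __name__ == "__main__":
    for row in triage(SAMPLE_LSOF, SAMPLE_NTP_CONF, SAMPLE_RESOLUTION):
        print("%(remote)s:%(remote_port)d  %(role)s  configured=%(configured)s  %(verdict)s" % row)
```

On a live machine the inputs come from `cat /etc/ntp.conf`, `sudo lsof -nP -i UDP -a -c ntpd` and `ntpq -pn` (which lists the peers ntpd is actually using). The point of the two verdicts: a socket in the client role talking to an address that resolves to none of the configured servers is the case that deserves a closer look at what configuration ntpd loaded, whereas the server-reply role means the traffic was initiated from outside, so the question is whether your ntpd should be answering outside hosts at all (a `restrict` decision in ntp.conf), not whether the machine has been compromised.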
- James Steele
- Site Administrator
- Posts: 21068
- Joined: Fri Oct 15, 2004 10:01 pm
- Primary DAW OS: MacOS
- Location: San Diego, CA - U.S.A.
Re: Suspicious Outbound NTPD Connection
mikehalloran wrote:
> Really, the sky is not falling. Learn what things are before trying to chase the non-existent boogeymen away.

I'm really trying to make this a friendlier place. If someone has made a mistake, if the correction could be less like scolding, I think that would be nice. Thanks.
JamesSteeleProject.com | Facebook | Instagram | Twitter
Mac Studio M1 Max, 64GB/2TB, MacOS 14.4.1 Sonoma, DP 11.31, MOTU 828es, MOTU 24Ai, MOTU MIDI Express XT, UAD-2 TB3 Satellite OCTO, Console 1 Mk2, Avid S3, NI Komplete Kontrol S88 Mk2, Red Type B, Millennia HV-3C, Warm Audio WA-2A, AudioScape 76F, Dean guitars, Marshall amps, etc., etc.!
Re: Suspicious Outbound NTPD Connection
828x MacOS 13.6.5 M1 Studio Max 1TB 64G DP11.31
Re: Suspicious Outbound NTPD Connection
The first link gave me an impenetrable article. The second gave me an equally opaque blank page.
2018 Mini i7 32G 10.14.6, DP 11.3, Mixbus 9, Logic 10.5, Scarlett 18i8
Re: Suspicious Outbound NTPD Connection
It definitely is a security issue. There was a security update issued by Apple on December 22nd for this.
https://support.apple.com/en-us/HT6601
MacPro5,1 2012, six core 2 x 3.06, 10.12.5, Digital Performer 9.13, 40 gb ram, 828mkIII, 2408 mkII, MTP AV, Logic Pro X 10.3.1, Studio One v 3.2, Pro Tools 12.7.1
- BKK-OZ
- Posts: 1943
- Joined: Sat Jan 22, 2005 10:01 pm
- Primary DAW OS: MacOS
- Location: Oztrailia
Re: Suspicious Outbound NTPD Connection
Ars Technica article: http://arstechnica.com/apple/2014/12/ap ... rity-flaw/
Cheers,
BK
…string theory says that all subatomic particles of the universe are nothing but musical notes. A, B-flat, C-sharp, correspond to electrons, neutrinos, quarks, and what have you. Therefore, physics is nothing but the laws of harmony of these strings. Chemistry is nothing but the melodies we can play on these strings. The universe is a symphony of strings and the mind of God… it is cosmic music resonating through 11 dimensional hyperspace.
- M Kaku