Suspicious Outbound NTPD Connection

[leigh]

Hi All,

I came in this morning and found this from Little Snitch:



In Date & Time preferences, I have the system set to use "time.nist.gov".

According to IPillion.com, "The IP address 172.246.126.134 belongs to Enzu ISP in San Francisco (California, CA), United States (37.7748985291 and -122.419403076). The hostname is mail1.watchesofhongkong.com."

Any suggestions about what to look for on my system?

**Leigh

[Phil O]

This may shed some light:

http://apple.stackexchange.com/question ... connection

NIST.gov may use a pool as well. I don't know. If nothing else, it may give you some ideas of what to search for. Hope it helps.

Phil

[bayswater]

Some Whois lookups say the site is hosted in Guangdong province in China. Different info from what you found.

[leigh]

Some Whois lookups say the site is hosted in Guangdong province in China. Different info from what you found.

That's a bit more disturbing.

[cuttime]

A quick search of mail1.watchesofhongkong.com quickly took me to places I didn't want to go, including places that Chrome tried to automatically block. I understand your concern. If I was in your shoes I'd start by opening Activity Monitor and try to identify every process running. Open in safe mode, lather rinse, repeat. I'd then use FindAnyFile:
http://apps.tempel.org/FindAnyFile/
and search for the strings "genieo" and "installmac".

I'd then run http://www.adwaremedic.com/index.php

I'd finish off with a cocktail of virus scanners, including ClamXav.

Good info here: http://www.thesafemac.com/

Good Luck!

[mikehalloran]

That's a bit more disturbing.

Why? Because you don't understand it?

In that case, there are many, many processes in your Mac that can worry you. The best course is to learn what they are.

Do you know what UDP protocol is? Do you know what /usr/sbin/ntpd does? Both are easily searched.

Anyway, ntpd is the Network Time Protocol Daemon for UNIX. It will broadcast to all servers over UDP. Apparently, there's a time/date server in China on UDP port 41718. Imagine that. The ntpd requests time and date data–that's all it does. Servers, likewise, are broadcasting the same. Without this, your Mac can't keep time.

Read this for some understanding of UDP:
http://www.diffen.com/difference/TCP_vs_UDP

[mikehalloran]

A quick search of mail1.watchesofhongkong.com quickly took me to places I didn't want to go, including places that Chrome tried to automatically block. I understand your concern. If I was in your shoes I'd start by opening Activity Monitor and try to identify every process running. Open in safe mode, lather rinse, repeat. I'd then use FindAnyFile:
http://apps.tempel.org/FindAnyFile/
and search for the strings "genieo" and "installmac".

I'd then run http://www.adwaremedic.com/index.php

I'd finish off with a cocktail of virus scanners, including ClamXav.

Good info here: http://www.thesafemac.com/

Good Luck!

Well, that would be a nice way to waste a lot of time. Read my other post.

Really, the sky is not falling. Learn what things are before trying to chase the non-existant boogiemen away.

[leigh]

That's a bit more disturbing.

Why? Because you don't understand it?

In that case, there are many, many processes in your Mac that can worry you. The best course is to learn what they are.

Do you know what UDP protocol is? Do you know what /usr/sbin/ntpd does? Both are easily searched.

Anyway, ntpd is the Network Time Protocol Daemon for UNIX. It will broadcast to all servers over UDP. Apparently, there's a time/date server in China on UDP port 41718. Imagine that. The ntpd requests time and date data–that's all it does. Servers, likewise, are broadcasting the same. Without this, your Mac can't keep time.

Read this for some understanding of UDP:
http://www.diffen.com/difference/TCP_vs_UDP

I have been using some form of Unix since 1983.

The well-known port for NTP is 123.

I do understand what NTP is and how it works. I know that it requests only time and date data. I understand that this is how my Mac (and most computers in the world) keep accurate time. I understand the difference between UDP and TCP.

What I don't understand is why my NTP daemon would be trying to connect to an NTP server at mail1.watchesofhongkong.com on port 41718. I couldn't find a way to check it at ntppool.org. What would be helpful to me is to tell me how to check to see if it's in a legitimate server pool used by time.nist.gov.

**Leigh

[James Steele]

Really, the sky is not falling. Learn what things are before trying to chase the non-existant boogiemen away.

I'm really trying to make this a friendlier place. If someone has made a mistake, if the correction could be less like scolding, I think that would be nice. Thanks.

[cuttime]

https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A

http://support.apple.com/kb/DL1782

[bayswater]

https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A

http://support.apple.com/kb/DL1782

The first link gave me an impenetrable article. The second gave me an equally opaque blank page.

[billf]

It definitely is a security issue. There was a security update issued by Apple on December 22nd for this.

https://support.apple.com/en-us/HT6601

[BKK-OZ]

Ars Technica article: http://arstechnica.com/apple/2014/12/ap ... rity-flaw/