xntpd sendto (possible hack?)

Paul Howarth paul at city-fan.org
Thu Sep 8 15:14:03 UTC 2005


Lovell Mcilwain wrote:
> Paul Howarth wrote:
>> Lovell Mcilwain wrote:
>>> Paul Howarth wrote:
>>>> Lovell Mcilwain wrote:
>>>>> Paul Howarth wrote:
>>>>>> Lovell Mcilwain wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I just installed a logwatch on my machine and ran it for the 
>>>>>>> first time just a few minutes ago.  It showed me something very 
>>>>>>> interesting and it was the only thing in the logwatch log.  Just 
>>>>>>> a bunch of the same entries.  The IP address varied but most of 
>>>>>>> them looked like invalid arguments except for about 3 of them 
>>>>>>> that didn't.  See below:
>>>>>>>
>>>>>>> --------------------- XNTPD Begin ------------------------
>>>>>>> **Unmatched Entries**
>>>>>>> .....
>>>>>>> sendto(80.190.233.67): Invalid argument
>>>>>>> synchronized to 80.190.233.67, stratum 2
>>>>>>> synchronized to 80.33.117.152, stratum 3
>>>>>>> sendto(80.190.233.67): Invalid argument
>>>>>>> .....
>>>>>>> ---------------------- XNTPD End -----------------------
>>>>>>>
>>>>>>> Does anyone know what this means or can this possibly mean that 
>>>>>>> my system has been hacked?
>>>>>>
>>>>>> These entries mean that some of the ntp servers you're using 
>>>>>> (probably results returned from lookups of pool.ntp.org) aren't 
>>>>>> responding reliably. This is not unusual and may be a result of 
>>>>>> issues with your own network link.
>>>>>>
>>>>> I did check my preferences for my time server and found that I 
>>>>> didn't have a time server specified even though I had ntp enabled.  
>>>>> I guess my other question is, if I don't manually specify one, does 
>>>>> it choose from any of the other ones as a default?  I noticed in my 
>>>>> ntp.conf file there are a bunch of time servers listed.  But does it 
>>>>> restrict itself to the # --- OUR TIMESERVERS ----- section?
>>>>
>>>> What's the output of:
>>>> $ grep '^[^#]*server' /etc/ntp.conf
> 
> Of course, I should have known that.  Here is the output.
> 
> [root at localhost etc]# grep '^[^#]*server' /etc/ntp.conf
> server 0.pool.ntp.org
> server 1.pool.ntp.org
> server 2.pool.ntp.org
> server 127.127.1.0

So, as suspected, you're using the default configuration, with time 
servers selected essentially at random from the pool.ntp.org set.

See http://www.pool.ntp.org/ for more details, including how to limit 
the servers to those more local to you.

Paul.
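
An added example, not part of the original message: a shell sketch that lists the active `server` entries in an ntp.conf and checks whether each address in a `sendto()` error also appears in a "synchronized to" line, as 80.190.233.67 does in the log excerpt above. The function names, the temporary sample files and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example; file contents below are constructed from the lines in the thread.

# Active server entries in ntp.conf (comments ignored), each tagged as
# pool (rotating pool.ntp.org members), refclock (127.127.t.u pseudo-address,
# e.g. the local clock 127.127.1.0) or fixed.
active_servers() {
    awk '{ sub(/#.*/, "") }
         $1 == "server" {
             kind = "fixed"
             if ($2 ~ /pool\.ntp\.org$/) kind = "pool"
             else if ($2 ~ /^127\.127\./) kind = "refclock"
             print $2, kind
         }' "$1"
}

# One line per address that appears in a sendto() error: address, error count,
# and "peer" if ntpd also logged "synchronized to" that address, else "no-sync".
triage_sendto() {
    awk 'match($0, /sendto\([0-9.]+\)/) {
             fail[substr($0, RSTART + 7, RLENGTH - 8)]++
         }
         /synchronized to/ {
             for (i = 1; i < NF; i++)
                 if ($i == "to") { p = $(i + 1); sub(/,$/, "", p); peer[p] = 1 }
         }
         END { for (a in fail) print a, fail[a], ((a in peer) ? "peer" : "no-sync") }' "$1" | sort
}

sample_dir=$(mktemp -d)
cat > "$sample_dir/ntp.conf" <<'EOF'
# --- OUR TIMESERVERS -----
#server 192.0.2.1
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 127.127.1.0
EOF
cat > "$sample_dir/messages" <<'EOF'
sendto(80.190.233.67): Invalid argument
synchronized to 80.190.233.67, stratum 2
synchronized to 80.33.117.152, stratum 3
sendto(80.190.233.67): Invalid argument
sendto(192.0.2.10): Invalid argument
EOF

active_servers "$sample_dir/ntp.conf"
triage_sendto "$sample_dir/messages"
```

An address tagged "no-sync" only means no matching "synchronized to" line exists in the excerpt examined, so the full log should be checked before reading anything into it.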



