xntpd sendto (possible hack?)

Lovell Mcilwain lovell.mcilwain at gmail.com
Thu Sep 8 15:59:15 UTC 2005



Paul Howarth wrote:

> Lovell Mcilwain wrote:
>
>> Paul Howarth wrote:
>>
>>> Lovell Mcilwain wrote:
>>>
>>>> Paul Howarth wrote:
>>>>
>>>>> Lovell Mcilwain wrote:
>>>>>
>>>>>> Paul Howarth wrote:
>>>>>>
>>>>>>> Lovell Mcilwain wrote:
>>>>>>>
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> I just installed a logwatch on my machine and ran it for the 
>>>>>>>> first time just a few minutes ago.  It showed me something very 
>>>>>>>> interesting and it was the only thing in the logwatch log.  
>>>>>>>> Just a bunch of the same entries.  The IP address varied but 
>>>>>>>> most of them looked like invalid arguments except for about 3 
>>>>>>>> of them that didn't.  See below:
>>>>>>>>
>>>>>>>> --------------------- XNTPD Begin ------------------------
>>>>>>>> **Unmatched Entries**
>>>>>>>> .....
>>>>>>>> sendto(80.190.233.67): Invalid argument
>>>>>>>> synchronized to 80.190.233.67, stratum 2
>>>>>>>> synchronized to 80.33.117.152, stratum 3
>>>>>>>> sendto(80.190.233.67): Invalid argument
>>>>>>>> .....
>>>>>>>> ---------------------- XNTPD End -----------------------
>>>>>>>>
>>>>>>>> Does anyone know what this means or can this possibly mean that 
>>>>>>>> my system has been hacked?
>>>>>>>
>>>>>>>
>>>>>>> These entries mean that some of the ntp servers you're using 
>>>>>>> (probably results returned from lookups of pool.ntp.org) aren't 
>>>>>>> responding reliably. This is not unusual and may be a result of 
>>>>>>> issues with your own network link.
>>>>>>>
>>>>>> I did check my preferences for my time server and found that I 
>>>>>> didn't have a time server specified even though I had ntp 
>>>>>> enabled.  I guess my other question is, if I don't manually 
>>>>>> specify one, does it choose from any of the other ones as a 
>>>>>> default?  I noticed in my ntp.conf file there are a bunch of time 
>>>>>> servers listed.  But does it restrict itself to the # --- OUR 
>>>>>> TIMESERVERS ----- section?
>>>>>
>>>>>
>>>>> What's the output of:
>>>>> $ grep '^[^#]*server' /etc/ntp.conf
>>>>
>>
>> Of course, I should have known that.  Here is the output.
>>
>> [root@localhost etc]# grep '^[^#]*server' /etc/ntp.conf
>> server 0.pool.ntp.org
>> server 1.pool.ntp.org
>> server 2.pool.ntp.org
>> server 127.127.1.0
>
>
> So, as suspected, you're using the default configuration, with time 
> servers selected essentially at random from the pool.ntp.org set.
>
> See http://www.pool.ntp.org/ for more details, including how to limit 
> the servers to those more local to you.
>
> Paul.

Thanks for the clarification.  I couldn't understand how I got a time 
server so far out, but if it's a pool then it makes more sense to me.

Lovell
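
A triage sketch for the logwatch entries discussed in this thread, added here as an example and not part of the original messages: it splits the `sendto(...)` error destinations into addresses ntpd also reported synchronizing to (ordinary NTP peers with intermittent send failures) and addresses it never synchronized to, and lists the uncommented `server` lines from ntp.conf. The function names, the commented-out `3.pool.ntp.org` line and the `192.0.2.10` log line are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the four log lines from the logwatch report in the thread,
# plus one invented peer (192.0.2.10, documentation range) that only fails.
SAMPLE_LOG = """\
sendto(80.190.233.67): Invalid argument
synchronized to 80.190.233.67, stratum 2
synchronized to 80.33.117.152, stratum 3
sendto(80.190.233.67): Invalid argument
sendto(192.0.2.10): Invalid argument
"""

# Constructed ntp.conf fragment matching the grep output quoted in the thread.
SAMPLE_CONF = """\
# --- OUR TIMESERVERS -----
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
#server 3.pool.ntp.org
server 127.127.1.0
"""

SENDTO = re.compile(r"sendto\((\d{1,3}(?:\.\d{1,3}){3})\): (.+)")
SYNCED = re.compile(r"synchronized to (\d{1,3}(?:\.\d{1,3}){3}), stratum (\d+)")

def configured_servers(conf_text):
    """Uncommented 'server' entries (a stricter form of grep '^[^#]*server')."""
    out = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "server":
            out.append(fields[1])
    return out

def triage(log_text):
    """Return (errors on synced peers, errors on never-synced peers, synced peers)."""
    errors, synced = Counter(), {}
    for line in log_text.splitlines():
        if m := SENDTO.search(line):
            errors[m.group(1)] += 1
        elif m := SYNCED.search(line):
            synced[m.group(1)] = int(m.group(2))  # peer address -> stratum
    known = {ip: n for ip, n in errors.items() if ip in synced}
    unknown = {ip: n for ip, n in errors.items() if ip not in synced}
    return known, unknown, synced
```

Addresses in the second group can be compared against the peer list shown by `ntpq -p` on the host.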



