Hello,

I couldn't find a mail address dedicated to portable Openntpd, so feel free to redirect this mail if necessary.

I am using portable Openntpd on Debian Linux Lenny (v3.9p1). For some days I have noticed suspicious behavior of the program:

* The service has stopped without intervention on some hosts (segfault?) with these messages in the logs:

    Jul 13 11:23:09 ******* ntpd[4949]: dispatch_imsg in main: pipe closed
    Jul 13 11:23:09 ******* ntpd[4949]: Terminating

* Yesterday, the chkrootkit bindshell check reported:

    Jul 14 10:03:11 ******* chkrootkit: INFECTED (PORTS: 47017)

After looking at the results of "netstat -taupen", it appears that this port was used by openntpd and was connected to an external NTP server:

    udp 0 0 *.*.*.*:47017 209.104.4.227:123 ESTABLISHED 104 3529839 14260/ntpd

I then noticed several other TCP sockets that had been opened by ntpd with internal hosts in my network as destination:

    tcp 38 0 *.*.*.*:41871 *.*.*.*:**** CLOSE_WAIT 0 3453657 14260/ntpd
    tcp 38 0 *.*.*.*:59603 *.*.*.*:**** CLOSE_WAIT 0 3522745 14260/ntpd
    tcp 38 0 *.*.*.*:59577 *.*.*.*:**** CLOSE_WAIT 0 3522605 14260/ntpd
    ...

So the question is: could there be some sort of vulnerability in Openntpd that could allow an external NTP server to issue TCP connections towards internal hosts? Or is it just normal behavior of the program?

I am sorry not to be able to provide more information, but I am in a sensitive environment and with that behavior I had to replace Openntpd with another NTP daemon.

Best regards.

--
Jérôme Schell
