ntpd network connections are all SOCK_DGRAM (UDP). SOCK_STREAM is used only for control messages between the privilege-separated daemons (unix-domain sockets, not network sockets).
Did you verify that binaries haven't been replaced? From the information given it's certainly possible that you were attacked some other way and a trojaned ntpd (and quite possibly other software) was placed on the system. IMHO you should disconnect this system from the network and do a proper investigation rather than just replacing the ntpd with another implementation and keeping it online.

On 2011/07/15 10:26, Jérôme Schell wrote:
> Hello,
>
> I couldn't find a portable Openntpd dedicated mail address, so feel free
> to redirect this mail if necessary.
>
> I am using portable Openntpd on Debian Linux Lenny (v3.9p1).
> For some days I have noticed suspicious behaviour of the program:
> * the service has stopped without intervention on some hosts (segfault?)
> with these messages in the logs:
> Jul 13 11:23:09 ******* ntpd[4949]: dispatch_imsg in main: pipe closed
> Jul 13 11:23:09 ******* ntpd[4949]: Terminating
>
> * yesterday, the chkrootkit bindshell check reported to me:
> Jul 14 10:03:11 ******* chkrootkit: INFECTED (PORTS: 47017)
>
> After looking at the output of "netstat -taupen" it appears that this
> port was used by openntpd and was connected to an external NTP server:
> udp 0 0 *.*.*.*:47017 209.104.4.227:123 ESTABLISHED 104 3529839 14260/ntpd
>
> I then noticed several other TCP sockets that had been opened by ntpd
> with destination internal hosts in my network:
> tcp 38 0 *.*.*.*:41871 *.*.*.*:**** CLOSE_WAIT 0 3453657 14260/ntpd
> tcp 38 0 *.*.*.*:59603 *.*.*.*:**** CLOSE_WAIT 0 3522745 14260/ntpd
> tcp 38 0 *.*.*.*:59577 *.*.*.*:**** CLOSE_WAIT 0 3522605 14260/ntpd
> ...
>
> So the question is, could there be a sort of vulnerability in Openntpd
> that could allow an external NTP server to issue TCP connections towards
> internal hosts?
> Or is it just normal behaviour of the program?
>
> I am sorry not to be able to provide more information, but I am in a
> sensitive environment and with that behaviour I had to replace Openntpd with
> another NTP daemon.
>
> Best regards.
> --
> Jérôme Schell
