On 15/07/11 11:52, Stuart Henderson wrote:
> ntpd network connections are all SOCK_DGRAM (udp).
> SOCK_STREAM is used only for control messages between the
> privilege-separated daemons (unix-domain sockets not network).
> 
> Did you verify that binaries haven't been replaced? From the
> information given it's certainly possible that you were attacked
> some other way and a trojan ntpd (and quite possibly other
> software) was placed on the system.
> 
> IMHO you should disconnect this system from the network and do
> a proper investigation rather than just replacing the ntpd with
> another implementation and keeping it online.

Hello and thanks for your fast response.

In fact Openntpd was the only service running on this host and connected
to the outside world (the host is behind a firewall).
Binaries didn't seem to have been replaced as there is an integrity
checking on files on this host and I can't find trace of differences in
the reports.
I am going to investigate more.

Thanks,
-- 
Jérôme

> On 2011/07/15 10:26, Jérôme Schell wrote:
>> Hello,
>>
>> I couldn't find a portable Openntpd dedicated mail address so feel free
>> to redirect this mail if necessary.
>>
>> I am using portable Openntpd on Debian Linux Lenny (v3.9p1).
>> I have noticed for some days a suspect behavior of the program:
>> * the service has stopped without intervention on some hosts (segfault?)
>> with these messages in the logs:
>> Jul 13 11:23:09 ******* ntpd[4949]: dispatch_imsg in main: pipe closed
>> Jul 13 11:23:09 ******* ntpd[4949]: Terminating
>>
>> * yesterday, the chkrootkit bindshell check reported me:
>> Jul 14 10:03:11 ******* chkrootkit: INFECTED (PORTS:  47017)
>>
>> After watching the results of "netstat -taupen" it appears that this
>> port was used by openntpd and was connected to an external NTP server:
>> udp 0 0 *.*.*.*:47017  209.104.4.227:123 ESTABLISHED 104 3529839 14260/ntpd
>>
>> I then noticed several other TCP sockets that have been opened by ntpd
>> with destination internal hosts in my network:
>> tcp 38 0 *.*.*.*:41871 *.*.*.*:**** CLOSE_WAIT 0 3453657 14260/ntpd
>> tcp 38 0 *.*.*.*:59603 *.*.*.*:**** CLOSE_WAIT 0 3522745 14260/ntpd
>> tcp 38 0 *.*.*.*:59577 *.*.*.*:**** CLOSE_WAIT 0 3522605 14260/ntpd
>> ...
>>
>> So the question is, could there be a sort of vulnerability in Openntpd
>> that could allow an external NTP server to issue TCP connection towards
>> internal hosts?
>> Or is it just a normal behavior of the program?
>>
>> I am sorry not being able to provide more information but I am in a
>> sensible environment and with that behavior I had to replace Openntpd by
>> another NTP daemon.
>>
>> Best regards.
>> -- 
>> Jérôme Schell
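The reply above gives a simple rule for triaging this kind of netstat output: OpenNTPD speaks to the network over UDP only, so a TCP socket attributed to the ntpd process is anomalous regardless of its state, while a UDP socket shown as ESTABLISHED merely means connect(2) was called on it and is expected for a peer on port 123. The following script is an added example, not code from the thread or from OpenNTPD; it parses lines in the layout of "netstat -taupen" and reports sockets that contradict that profile. The sample lines, the column layout and the addresses are constructed assumptions modelled on the post (the sshd line is a benign control).

```python
"""Flag sockets owned by ntpd that contradict its UDP-only network profile.

Added example (not OpenNTPD code).  Assumes the column order of
`netstat -taupen` on Linux: Proto Recv-Q Send-Q Local Foreign [State]
User Inode PID/Program.  Unconnected UDP sockets print no State column,
so the parser anchors the trailing fields from the right.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the thread (placeholder addresses).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
udp 0 0 192.0.2.10:47017 198.51.100.5:123 ESTABLISHED 104 3529839 14260/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 104 3529840 14260/ntpd
tcp 38 0 192.0.2.10:41871 192.0.2.20:445 CLOSE_WAIT 0 3453657 14260/ntpd
tcp 38 0 192.0.2.10:59603 192.0.2.21:139 CLOSE_WAIT 0 3522745 14260/ntpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 12345 1001/sshd
"""

NTP_PORT = 123


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str      # empty for unconnected UDP sockets
    uid: str
    inode: str
    pid: int
    program: str

    @property
    def remote_port(self) -> Optional[int]:
        """Numeric foreign port, or None when netstat prints '*'."""
        port = self.remote.rsplit(":", 1)[-1]
        return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -taupen` style lines into Socket records."""
    socks: List[Socket] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header, blank or unrelated line
        # 9 fields means a State column is present; 8 means it is absent.
        state = tok[5] if len(tok) >= 9 else ""
        pid_s, _, prog = tok[-1].partition("/")
        socks.append(Socket(tok[0], tok[3], tok[4], state, tok[-3], tok[-2],
                            int(pid_s) if pid_s.isdigit() else -1, prog))
    return socks


def audit_ntpd(socks: List[Socket]) -> List[str]:
    """One finding per ntpd socket that is not a UDP socket talking to port 123."""
    findings: List[str] = []
    for s in socks:
        if s.program != "ntpd":
            continue
        if s.proto.startswith("tcp"):
            # OpenNTPD uses SOCK_STREAM only on unix-domain sockets between
            # its privilege-separated processes, never on the network.
            findings.append(
                f"TCP socket owned by ntpd pid {s.pid}: {s.local} -> {s.remote} "
                f"({s.state or '-'}), inode {s.inode}: not expected for OpenNTPD")
        elif s.remote_port not in (None, NTP_PORT):
            # ESTABLISHED on UDP only records a connect(2); the peer port matters.
            findings.append(
                f"UDP socket owned by ntpd pid {s.pid} connected to non-NTP "
                f"port: {s.local} -> {s.remote}")
    return findings


if __name__ == "__main__":
    for finding in audit_ntpd(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

On the sample above the two CLOSE_WAIT TCP sockets are reported and both UDP sockets pass, which matches the reasoning in the reply: the 47017 hit is an ordinary UDP source port talking to an NTP peer, while the TCP sockets are the part that needs an offline investigation of the host rather than a swap of the daemon.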
