A bunch of people are scanning for NTP.
* Shadowserver (multiple addresses). These are the good guys
* Shodan (multiple addresses). These are also good guys
* 73.186.15.156: Random Comcast address: Does a READSTAT (sometimes) and
then a READVAR (maybe to get version info)
* 46.36.38.113: Somebody in CZ land: Does a MON_GETLIST (presumably
looking for DDOS amplifiers)
* scanresearch1.syssec.ruhr-uni-bochum.de: Does MON_GETLIST and a READVAR
* 104.218.48.7: Some hosted box somewhere?: Does a MON_GETLIST
(presumably looking for DDOS amplifiers)
* Bunch of machines in colocrossing.com: Does a MON_GETLIST
* Bunch of machines in Amazon AWS: Does a MON_GETLIST
* Qualys (multiple addresses): these are good guys: Does a client time
request and a READVAR
This short list implies that either there isn't much exploitation going
on at the moment, or else it is highly targeted.
The odd one out in the list is the Comcast address above. It is only
scanning for NTP (and no other ports).
Philip
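
A classifier for the query types named in the list above, added here as an example and not part of the original post: it labels UDP/123 payloads by NTP mode (3 = client, 6 = control with READSTAT/READVAR opcodes, 7 = ntpd private with the MON_GETLIST request codes) and builds a per-source profile. The function names, the sample packets and the documentation-range addresses are constructed for illustration.

```python
from collections import defaultdict

# Mode 6 (control) opcodes and mode 7 (private) request codes of interest.
CONTROL_OPCODES = {1: "READSTAT", 2: "READVAR"}
PRIVATE_REQUESTS = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}

def classify_ntp(payload: bytes) -> str:
    """Label one UDP/123 payload by the kind of NTP query it carries."""
    if len(payload) < 4:
        return "malformed"
    mode = payload[0] & 0x07                  # low 3 bits of the first byte
    if mode == 3:                             # ordinary client request, 48-byte header
        return "client time request" if len(payload) >= 48 else "malformed"
    if mode == 6:                             # control message, 12-byte header
        if payload[1] & 0x80:                 # response bit set: not a query
            return "control response"
        if len(payload) < 12:
            return "malformed"
        opcode = payload[1] & 0x1F
        return CONTROL_OPCODES.get(opcode, f"control opcode {opcode}")
    if mode == 7:                             # ntpd private (ntpdc) request
        if payload[0] & 0x80:                 # response bit set: not a query
            return "private response"
        return PRIVATE_REQUESTS.get(payload[3], f"private request {payload[3]}")
    return f"mode {mode}"

def profile_sources(packets):
    """Map each source address to the sorted list of query kinds it sent."""
    seen = defaultdict(set)
    for src, payload in packets:
        seen[src].add(classify_ntp(payload))
    return {src: sorted(kinds) for src, kinds in seen.items()}

def monlist_probers(profile):
    """Sources that asked for the monitor list (the amplification check)."""
    return sorted(s for s, kinds in profile.items()
                  if any(k.startswith("MON_GETLIST") for k in kinds))

# Constructed sample: (source, UDP payload) pairs using documentation addresses.
READVAR = bytes([0x16, 0x02, 0x00, 0x01]) + bytes(8)
SAMPLE = [
    ("192.0.2.10", bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)),    # mode 7, request 42
    ("192.0.2.10", READVAR),
    ("198.51.100.7", bytes([0x16, 0x01, 0x00, 0x01]) + bytes(8)),  # mode 6, READSTAT
    ("198.51.100.7", READVAR),
    ("203.0.113.5", bytes([0x23]) + bytes(47)),                    # v4 client request
    ("203.0.113.5", READVAR),
]
```

Feeding it the payloads from a packet capture on port 123 gives the same kind of per-source summary as the list in the post; `monlist_probers(profile_sources(...))` isolates the sources checking for amplifiers.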