Strange NTP requests on a PC

sgtwilliams, Grand Rapids MI
edited December 2005 in Science & Tech
I have a Windows AD domain spanning 4 sites. PIX firewalls on all Internet access and a rather secure setup overall.

However, as a goof, I ran showtraffic on a single PC that seems to have significant network problems that I cannot reproduce anywhere else, nor can I attribute it to the LAN at all. What I find is a few random NTP requests being made to strange places.

lolly.dreamcommunity.nl
mail.linicks.net
fenna.vuntz.net
piray.unam.edu.ar

These to name a few. The NTP request is initiated by the local machine, then once that UDP connection is made the outside machine is then talking using the same protocol back? It is always 76 packets.

Has anyone seen this before? Any ideas?

Comments

  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited December 2005
    Sounds like the machine is compromised somehow. I can't identify it by those URLs, but there is definitely a trojan or a zombie running on that PC.
  • sgtwilliams, Grand Rapids MI
    edited December 2005
    I would tend to agree with you on that. I am not finding any sort of reference to this type of problem though. I feel a reload coming on.
  • sgtwilliams, Grand Rapids MI
    edited December 2005
    Well smack me and call me Shirley.

    The user in question had at one point configured their time service to check pool.ntp.org, which is a pool of time servers, and a non-validated pool at that, so any old person can say, "hey, let's be a time server" and add it to the ntp pool. For whatever reason, that setting was overriding my domain AD setting.

    http://www.pool.ntp.org/

    Stopping, unregistering then re-registering the W32time service fixed the problem and the computer now asks a domain controller for time as it should be.

    I was sitting here banging my head on my desk (see my avatar) just like that watching my firewall, and the only devices making internet time requests were my Cisco stuff (which I have configured to do so) and then this one lowly internal NATted client. I was truly about to go nuts.

    End of story.
  • Shorty, Manchester, UK, Icrontian
    edited December 2005
    A successful end :)
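As an added example (not part of the thread, and not from any poster), here is a small Python audit in the spirit of sgtwilliams watching the PIX for Internet time requests. It assumes PIX-style "Built outbound UDP connection" syslog lines; the sample lines and every address in them are constructed, and the allowlist holds the one constructed address that stands in for the Cisco gear that is meant to query Internet NTP directly. Any other inside host sending UDP/123 to the outside, such as a client whose local w32time setting overrode the domain time hierarchy, is counted and reported.

```python
import re
from collections import Counter

# Constructed PIX-style syslog lines (hypothetical addresses, not from the thread).
# 10.10.1.1 plays the Cisco device that is allowed to use Internet NTP;
# 10.10.4.57 plays the misconfigured Windows client.
SAMPLE_LOG = """\
%PIX-6-302015: Built outbound UDP connection 1001 for outside:203.0.113.10/123 (203.0.113.10/123) to inside:10.10.1.1/123 (198.51.100.2/123)
%PIX-6-302015: Built outbound UDP connection 1002 for outside:203.0.113.20/123 (203.0.113.20/123) to inside:10.10.4.57/123 (198.51.100.2/2048)
%PIX-6-302015: Built outbound UDP connection 1003 for outside:203.0.113.30/123 (203.0.113.30/123) to inside:10.10.4.57/123 (198.51.100.2/2049)
%PIX-6-302015: Built outbound TCP connection 1004 for outside:203.0.113.40/80 (203.0.113.40/80) to inside:10.10.4.58/3301 (198.51.100.2/3301)
%PIX-6-302015: Built outbound UDP connection 1005 for outside:203.0.113.20/123 (203.0.113.20/123) to inside:10.10.4.57/123 (198.51.100.2/2050)
"""

# Protocol plus the remainder of the record; every "iface:ip/port" pair is pulled from the remainder.
CONN_RE = re.compile(r"Built (?:inbound|outbound) (TCP|UDP) connection \d+ for (.+)")
PAIR_RE = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")


def parse_line(line):
    """Return (proto, {interface: (ip, port)}) or None if the line is not a connection-built record.

    Only the first "iface:ip/port" per interface is kept: that is the real (pre-NAT)
    address; the parenthesised mapped address carries no interface prefix and is ignored.
    """
    m = CONN_RE.search(line)
    if not m:
        return None
    proto, rest = m.group(1), m.group(2)
    pairs = {}
    for iface, ip, port in PAIR_RE.findall(rest):
        pairs.setdefault(iface, (ip, int(port)))
    return proto, pairs


def audit_ntp(log_text, allowed_clients, inside_iface="inside"):
    """Count UDP/123 flows from inside hosts that are not approved to reach Internet time servers.

    Returns {(client_ip, remote_server_ip): flow_count} for every unexpected pair.
    """
    unexpected = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, pairs = parsed
        if proto != "UDP" or inside_iface not in pairs:
            continue
        client_ip, _ = pairs[inside_iface]
        if client_ip in allowed_clients:
            continue
        for iface, (remote_ip, remote_port) in pairs.items():
            # Only the far side of the flow matters, and only if it is an NTP port.
            if iface != inside_iface and remote_port == 123:
                unexpected[(client_ip, remote_ip)] += 1
    return dict(unexpected)


if __name__ == "__main__":
    APPROVED = {"10.10.1.1"}  # constructed: devices meant to query Internet NTP directly
    for (client, server), n in sorted(audit_ntp(SAMPLE_LOG, APPROVED).items()):
        print(f"{client} -> {server}:123 ({n} flows) is not an approved time client")
```

The parser keys on interface names rather than on the order of the address pairs, so it does not depend on whether the firewall lists the destination or the source first. Once a host shows up in the report, the thread's own check applies: confirm on that client that the Windows time service is taking its source from a domain controller rather than a locally configured server.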