OpenWrt Forum Archive

Topic: Malware?

The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I allowed my TL-WR703N running Attitude Adjustment 12.09 to connect to the internet so it could keep it's time synchronized.
I have just noticed a lot of mystery traffic to:-

18.85.44.59 
173.44.32.10
18.85.44.59 
50.116.55.161
173.44.32.10
72.8.140.240
50.116.55.161
173.44.32.10
72.8.140.240

This behavior was unexpected.....
Does anybody know what's going on here?

_Donnie

Hi,

UDP connections through port 123? That's clock-synchronization(NTP) probably.

Thanks,

Yes, all port 123.
I did google one or two of them but saw nothing about their being time servers.

Time sync once a week is what I would expect, not several per min.

My system is configured to use NTP from 4 time servers:-

0.openwrt.pool.ntp.org = 116.66.162.4
1.openwrt.pool.ntp.org = 128.184.34.53
2.openwrt.pool.ntp.org = 128.184.218.53
3.openwrt.pool.ntp.org = 27.54.95.11

None of the IP addresses match these time servers.
Also there is a lot of DNS lookups to 8.8.8.8

Still a mystery.....

Thanks.

The *.pool.ntp.org are often on a round robin dns, so you can't translate them to an ip like that.
the ip addresses change to load balance over different time servers

all ip's mentioned all are part of the ntp.org time pool

http://www.pool.ntp.org/scores/18.85.44.59
http://www.pool.ntp.org/scores/173.44.32.10
http://www.pool.ntp.org/scores/18.85.44.59
http://www.pool.ntp.org/scores/50.116.55.161
http://www.pool.ntp.org/scores/173.44.32.10
http://www.pool.ntp.org/scores/72.8.140.240
http://www.pool.ntp.org/scores/50.116.55.161
http://www.pool.ntp.org/scores/173.44.32.10
http://www.pool.ntp.org/scores/72.8.140.240

(Last edited by FriedZombie on 19 Sep 2013, 16:26)

Or if you want you can simply disable the ntp client of the router but then you have to set the time yourself if it goes out of sync. (the time is lost on most routers if the power is removed).

But blocking those ip's would be pointless, but if you really want to block the ntp.org time server ip's (3243 different ip's). or you could block the port for ntp
happy blocking smile

p.s. if you block all the ip's you have to set the router time manually yourself as well (if it goes out of sync).
http://www.pool.ntp.org/zone

(Last edited by FriedZombie on 20 Sep 2013, 05:49)

Thanks,

FriedZombie - Thankyou for those links - Not Malware!

I've turned OFF NTP and now that traffic has stopped.

How can I control the activity of NTP to sync just at boot time and then once a week ?

_Donnie

stick this into /etc/rc.local

 /usr/sbin/ntpd -q -p 0.nl.pool.ntp.org -p 1.nl.pool.ntp.org -p 2.nl.pool.ntp.org -p 3.nl.pool.ntp.org

(in the gui under system -> startup)
and add it before the exit 0

and to update it weekly you could add a crontab (cli: crontab -e)
and add

2 3 * * 1 /usr/sbin/ntpd -n -q -p 0.nl.pool.ntp.org -p 1.nl.pool.ntp.org -p 2.nl.pool.ntp.org -p 3.nl.pool.ntp.org

then it will be executed on 03:02 am every Monday
http://www.webmaster-toolkit.com/cron-generator.shtml
(in the gui: system -> scheduled tasks)

Still the default on  setting doesn't generate too much traffic wink

(Last edited by FriedZombie on 20 Sep 2013, 05:34)

Thanks - That's just what I need. wink

The discussion might have continued from here.