
Linux NTP issue

 
Tom Wolf_3
Valued Contributor

Linux NTP issue

Hello, we have a Red Hat Enterprise Linux ES release 4 (Nahant Update 5) server that seems to be sending packets containing the time to three different external servers:

121.50.43.11
121.50.43.12
c-biznet.com

We checked the /etc/ntp.conf file on this server and it's configured the same as all the other hosts in our environment - the 121.50.43 and c-biznet.com addresses aren't in the file.

We also checked the /usr/sbin/ntpd binaries and they are the same as all the other Linux hosts in our environment. Only a single Linux server in our organization is experiencing this issue.

When we stop NTP, the packets stop being sent to the three addresses. When we restart NTP on this server, the packets start transmitting again.

We ran a virus scan and came back with nothing.

Do any of the Linux experts out there have any suggestions on how to determine where these three addresses are being referenced from and how to stop this issue?

Any help would be greatly appreciated.

Thank you.

Tom Wolf
4 REPLIES
Fredrik.eriksson
Valued Contributor

Re: Linux NTP issue

Well I'm not entirely sure, but the first thing I would try is something like this:
$ grep -R "c-biznet.com" /etc/*

This is just to make sure nothing stupid is getting included or is set in another place.
Then, though I'm not entirely sure this will lead anywhere, I would probably check set and env for any mischief variables.

If the addresses are used, they are usually written down somewhere. I would just recommend searching some more.

Best regards
Fredrik Eriksson
Jeeshan
Honored Contributor

Re: Linux NTP issue

Run this command:

# cat /etc/ntp/ntpservers

or

# cat /etc/ntp/step-tickers
a warrior never quits
Tom Wolf_3
Valued Contributor

Re: Linux NTP issue

Thanks for both responses.

Unfortunately they did not provide any new leads.

We did a recursive search of all files using the find command but did not have any matches. We searched for all three addresses.

Any other suggestions?

Thanks again.
Ragu_3
Trusted Contributor

Re: Linux NTP issue

>> how to determine where these three addresses are being referenced

They may all be part of the server pool list referenced by the server lines like '0.rhel.pool.ntp.org' in /etc/ntp.conf.

Nobody runs a virus scan on a GNU/Linux machine; run 'rkhunter' instead.

All of these (121.50.43.11, 121.50.43.12, c-biznet.com) may be stratum-3 servers.

Debian GNU/Linux for the Enterprise! Ask HP ...
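
The pool explanation in the last reply can be checked by resolving every time source the configuration names and comparing the results with the destinations seen on the wire. The script below is an added example, not part of any post in this thread; `ntp_sources`, `resolve_name`, `explain_destinations` and the `RESOLVER` variable are names chosen here, and it assumes `getent` is available for lookups.

```shell
#!/bin/sh
# Added example (not from the thread): account for observed NTP destinations
# by resolving every time source the local configuration names.

# Print names/addresses from server, peer and pool lines of an ntp.conf-style
# file ($1), plus the entries of an optional step-tickers file ($2).
ntp_sources() {
    awk '$1 ~ /^(server|peer|pool)$/ { print $2 }' "$1"
    if [ -n "${2:-}" ] && [ -f "$2" ]; then
        awk '!/^[[:space:]]*#/ && NF { print $1 }' "$2"
    fi
}

# Resolve one name to its addresses. RESOLVER may name another command or
# shell function that prints one address per line in the first column.
resolve_name() {
    ${RESOLVER:-getent ahosts} "$1" | awk '{ print $1 }' | sort -u
}

# Usage: explain_destinations CONF TICKERS DEST...
# For each destination, print the configured source that accounts for it,
# or UNEXPLAINED when no configured name or address matches.
explain_destinations() {
    conf=$1; tickers=$2; shift 2
    # Build "address source" pairs; a literal source also maps to itself.
    map=$(ntp_sources "$conf" "$tickers" | sort -u | while read -r src; do
        echo "$src $src"
        resolve_name "$src" | while read -r addr; do echo "$addr $src"; done
    done)
    for dest in "$@"; do
        hit=$(printf '%s\n' "$map" |
              awk -v d="$dest" '$1 == d { print $2; exit }')
        echo "$dest ${hit:-UNEXPLAINED}"
    done
}

# Stand-alone use, for example:
#   sh check.sh /etc/ntp.conf /etc/ntp/step-tickers 121.50.43.11 121.50.43.12
if [ "$#" -ge 3 ]; then
    explain_destinations "$@"
fi
```

Pool names return different addresses on each lookup and ntpd resolves them when it starts, so an UNEXPLAINED result should be compared with the peers listed by `ntpq -pn` on the running daemon before it is treated as suspicious.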