henry said:
I have programmed some computers to use a different NTP server but they are
still sending packets to 85.85.170.170.
Hmm, alarm bells are ringing.
I'd be inclined to block this traffic until it's been investigated.
Reverse DNS lookup on that IP has no host associated.
That would not be the case for a legitimate Internet NTP server.
http://www.dnsstuff.com/tools/ptr.ch?ip=85.85.170.170
If Ethereal is saying that it's NTP traffic, that's just based on the port
number.
It may not be legitimate NTP traffic.
It could be malware using that port number, because Ethereal just flags up
the traffic type based on port number. If you use a well-known port for
other traffic, Ethereal will not report it correctly. You need to expand
up the actual packet details to see what the traffic really is.
Have you looked through the contents of the packet in Ethereal?
Is it consistent with NTP traffic?
I have a rather strong suspicion the traffic may not be legitimate time sync
traffic.
Install a host firewall like the free version of ZoneAlarm, and see what
program is attempting to connect to that IP address.
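
One way to check whether a UDP port 123 payload is consistent with NTP, as an added example that is not part of the original post: it decodes the fixed 48-byte NTP header (layout per RFC 5905) and lists any fields that do not fit time-sync traffic. The function names and both sample payloads are constructed for illustration.

```python
import struct

NTP_HEADER_LEN = 48  # fixed NTP header size (RFC 5905)

def parse_ntp_header(payload: bytes) -> dict:
    """Decode the fixed NTP header fields from a UDP payload."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError(f"payload is {len(payload)} bytes, NTP header needs {NTP_HEADER_LEN}")
    # Byte 0 packs leap indicator (2 bits), version (3 bits), mode (3 bits).
    flags, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    tx_sec, _tx_frac = struct.unpack("!II", payload[40:48])  # transmit timestamp
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "transmit_seconds": tx_sec,  # seconds since 1900-01-01
        "trailer_len": len(payload) - NTP_HEADER_LEN,
    }

def ntp_inconsistencies(payload: bytes) -> list:
    """Return reasons the payload does not look like NTP time sync; [] means plausible."""
    try:
        h = parse_ntp_header(payload)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not 1 <= h["version"] <= 4:
        problems.append(f"version {h['version']} is not 1-4")
    # Modes 1-5 carry time sync; 6 and 7 are control/private, 0 is reserved.
    if not 1 <= h["mode"] <= 5:
        problems.append(f"mode {h['mode']} is not a time-sync mode (1-5)")
    if h["stratum"] > 16:
        problems.append(f"stratum {h['stratum']} is above 16")
    # Extension fields and authenticators are multiples of 32 bits.
    if h["trailer_len"] % 4:
        problems.append(f"{h['trailer_len']} trailing bytes are not 32-bit aligned")
    return problems

# Constructed sample payloads (not captured from the traffic in the post).
CLIENT_REQUEST = bytes([0x23]) + bytes(39) + struct.pack("!II", 3900000000, 0)
NOT_NTP = b"PING 1 id=ab12 " + b"A" * 40

if __name__ == "__main__":
    for name, data in (("client request", CLIENT_REQUEST), ("other", NOT_NTP)):
        print(name, ntp_inconsistencies(data) or "consistent with NTP")
```

An empty result only means the header is well-formed; it does not show that the destination is a legitimate time server.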