Windows Time Service going to non-local IP?

  • Thread starter Thread starter Phil McNeill
  • Start date Start date
P

Phil McNeill

Hi,

Since Friday roughly 30 PCs on my network of 600 have been sending traffic
to 157.184.0.2 via TCP port 123 (NTP). I am seeing this traffic being
dropped outbound at my firewall and each PC is generating it every 15
seconds. I don't understand why they would all of a sudden start doing
this. I don't see any rogue processes or services running, and if I turn
off the Windows Time Service on the PC, it stops sending the traffic.

Any ideas on what would cause this to pop up all of a sudden on a small
percentage of PCs? Possible that a common print driver could cause this? I
see references to that IP range being the default for some Lexmark printers.

Thanks for any thoughts!

Phil
 
Hi,

Since Friday roughly 30 PCs on my network of 600 have been sending traffic
to 157.184.0.2 via TCP port 123 (NTP). I am seeing this traffic being
dropped outbound at my firewall and each PC is generating it every 15
seconds. I don't understand why they would all of a sudden start doing
this. I don't see any rogue processes or services running, and if I turn
off the Windows Time Service on the PC, it stops sending the traffic.

Any ideas on what would cause this to pop up all of a sudden on a small
percentage of PCs? Possible that a common print driver could cause this? I
see references to that IP range being the default for some Lexmark printers.

Thanks for any thoughts!

Phil

Wierd. Do you have a group policy setup to use a specific server for
ntp? Our company has a GP for the domain controllers to be ntp
servers, and the machines at each location are setup as ntp client
pointing to the local DC. What does your setup look like? Do you
need help setting up ntp servers and clients via ntp?

Look here for some info:
http://www.microsoft.com/technet/pr.../technologies/security/ws03mngd/26_s3wts.mspx

Good luck!
 
Wierd. Do you have a group policy setup to use a specific server for
ntp? Our company has a GP for the domain controllers to be ntp
servers, and the machines at each location are setup as ntp client
pointing to the local DC. What does your setup look like? Do you
need help setting up ntp servers and clients via ntp?

Look here for some info:http://www.microsoft.com/technet/prodtechnol/windowsserver2003/techno...

Good luck!- Hide quoted text -

- Show quoted text -

I meant to say "Weird" not "Wierd"
 
Lexmark is probably phoning home to report on how often you're printing.
Lexmark is assigned that IP block.

Ray
 
Ray said:
Lexmark is probably phoning home to report on how often you're printing.
Lexmark is assigned that IP block.

Ray

The "why" is not cofirmed, but it did come down to a blabbermouth Lexmark
printer. Killed it, problem solved.
 
You really have to wonder what these vendors are doing. We installed several
Zebra label printers and they're all trying to go to dozens of URLs on the
Internet with the time-tcp protocol.

There is nothing on the printer that does a timestamp. There's nothing
exposed in the interface for time servers and the vendor swears they're not
doing it.

I really wonder where they're getting their firmware and how closely they
are (not) auditing what it does.

Ray
 
Back
Top