I've had a letter from VM saying that something on my IP address has an NTP monlist vulnerability. I've followed the instructions to test IP addresses but find them very vague, even though I'm reasonably tech savvy. So far, I've had no response from the scanning page, whether entering my IP address or internal network addresses. However, the manual check command ntpdc is not recognised by Windows XP. Nor can I find ntp.conf anywhere on my PC or NAS. Most of the stuff on Google talks about servers or Linux and I'm left scratching my head.
Could anyone tell me where to find the file I should check and modify, please?
I have Windows XP, Windows 7 which I don't use yet, a WD NAS box, an Android tablet and a Samsung "smart" TV all feeding into a Belkin router. Could just one, or all, be the possible culprit?
Alternatively, is it possible to run whatever the bankers' security scanners ran from inside or outside my system to see if there really is a problem?
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
I have had the same letter. Unlike you, I do have a server running Windows Server 2012 R2. It's the second time I have had this letter. The first time, I checked it out by running the commands and stuff they give for checking NTP versions etc., to which I was getting "unrecognised command" (so I'm assuming that package isn't active on my machine). I don't actually know if these letters are fact and there is an issue on your network, or if it's scaremongering for you to then use their own gadget rescue service to look at it for you, which costs money... it's a possibility.
Thanks. Being an old cynic, I did wonder! But I was very surprised that if the vulnerability is so prevalent there is no easy-peasy diagnostic method available. VM Internet is, after all, a service sold mainly to folk who just want to use their computers and not dig around inside them. They say that an organisation scans on behalf of the banks. Why, if they've scanned my network, can they only give me my IP address and not the address or device on the network? Why can't I have access to whatever - surely easy if it's automated - method they are using?
Sadly there is no simple malware scan for it, but it's a bit more technically involved because from my understanding it's related to servers, and the chances are if you have a server you know a thing or two. Like you, I was surprised by the lack of information they give, with only a Wide Area Network IP address, and they provide a date which I don't know what it is for, whether that's the date they ran the scan on the network or the date they detected strange activity or what.
It would also be helpful if they provided us with whatever found this possible vulnerability so, like you said, we can scan internally. That's what makes me so skeptical of it when they are saying they can have a look for a fee. If VM do get around to this post it might be worth them looking into being more open about how they found it etc.; for all we know there could be a bug in what's identifying it, incorrectly picking people out, which needs fixing.
I have also received the letter. I have nothing Linux based that would be used with NTP V2 or below, so unsure where this comes from. Only additional kit I have is BT Hive, which is Linux based, so checking that part out. Letter points at a page that is supposed to be able to scan the network for Monlist responses, which I cannot see.
I am a techy so as per previous posts I would like to know how this issue has been identified and how to pinpoint it.
Thanks for those last two. The first relates to Unix/Linux which I suppose could just possibly be my Android tablet or my TV at fault.
The second from Microsoft only refers to Windows Server, which would seem to rule out my XP machines.
From the previously posted link see the section under
Windows Time Service Tools and Settings
W32tm.exe: Windows Time
This tool is installed as part of Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server® 2008 R2 default installations.
This tool works on Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 default installations.
W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service.
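For anyone trying to pinpoint which device is answering the REQ_MON_GETLIST / REQ_MON_GETLIST_1 requests named in the CVE text quoted earlier in this thread, the following is an added example, not part of any post above and not the method used by VM or the scanning organisation. It classifies UDP port 123 payloads that have already been captured on the LAN and totals monlist replies per source address. The request-code values (20 and 42) and the mode 7 header layout follow ntpd's ntp_request.h; the addresses and payloads are constructed sample data.

```python
from collections import defaultdict

# Mode 7 request codes for the two requests named in the CVE description.
MONLIST_CODES = {20: "REQ_MON_GETLIST", 42: "REQ_MON_GETLIST_1"}

def classify(payload):
    """Return (kind, item_count) for one UDP port 123 payload."""
    if len(payload) < 4:
        return ("too-short", 0)
    mode = payload[0] & 0x07            # low three bits of the first byte
    if mode != 7:                       # 3 = client, 4 = server: normal time sync
        return (f"ntp-mode-{mode}", 0)
    name = MONLIST_CODES.get(payload[3])
    if name is None:
        return ("mode7-other", 0)
    if not payload[0] & 0x80:           # response bit clear: this is a query
        return (name + "-request", 0)
    items = 0
    if len(payload) >= 8:               # low 12 bits of bytes 4-5 = entries in packet
        items = int.from_bytes(payload[4:6], "big") & 0x0FFF
    return (name + "-response", items)

def responders(packets):
    """Map source address -> [reply packets, reply bytes, monitor entries]."""
    out = defaultdict(lambda: [0, 0, 0])
    for src, payload in packets:
        kind, items = classify(payload)
        if kind.endswith("-response"):
            row = out[src]
            row[0] += 1
            row[1] += len(payload)
            row[2] += items
    return dict(out)

# Constructed sample payloads, not captured traffic; 192.168.1.x are made-up LAN hosts.
QUERY = bytes([0x17, 0x00, 0x03, 42]) + bytes(4)
REPLY = bytes([0x97, 0x00, 0x03, 42, 0x00, 0x06, 0x00, 0x48]) + bytes(6 * 72)
TIME_SYNC = bytes([0x23]) + bytes(47)   # ordinary NTP client packet (mode 3)
SAMPLE = [("192.168.1.10", QUERY), ("192.168.1.20", REPLY),
          ("192.168.1.20", REPLY), ("192.168.1.30", TIME_SYNC)]

if __name__ == "__main__":
    for host, (pkts, size, items) in responders(SAMPLE).items():
        print(f"{host}: {pkts} monlist replies, {size} bytes, {items} entries")
```

A host that appears in the output is running an NTP daemon that still answers monlist; per the CVE text above, that means ntpd older than 4.2.7p26.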