flagged associated with Malware


We use *.rhel.pool.ntp.org (default pool from Red Hat chrony RPM).

Our InfoSec department flagged as being associated with malware. I’m afraid I don’t have any further information on their specific findings. Other than it was mentioned is no longer being used as an NTP server.

However, I am questioning if this was a false alert. We can see the client server was syncing time successfully from four servers in the pool.

^* 2 10 300 124m -4737us[-4767us] +/- 93ms
^* 2 10 360 97m -5877us[-5929us] +/- 76ms
^* 2 10 360 98m -6959us[-7011us] +/- 63ms
^* 2 10 340 108m *48ms[ *48ms] +/- 196ms

I can’t find any further information on that might suggest it’s being used for malicious purposes. How could I confirm if is suspicious?

In addition, we use the DNS name for the pool in our chrony.conf so why would DNS resolve to an IP that is no longer used as an NTP host?


As far as I can see, it’s still in the pool: pool.ntp.org: Statistics for
I don’t think you can get malware via NTP requests.

Thank you very much for the reply.

I can see the IP is associated to a TOR relay or exit node. 2 reports for from France

Looking through previous threads in this forum, it seems running TOR and NTP services is common and therefore the most likely explanation.

So technically our InfoSec scans flagged the IP based on the shared nature of (although it’s still a valid NTP pool member as you’ve pointed out).

Please let me know if you disagree.

1 Like

I wouldn’t say running TOR on NTP servers is common, but given that there are currently 2562 NTP servers in the pool, there’s a chance that some of them are used for TOR as well.

I don’t have statistics to back this up, but I have a hunch that only a small percentage of servers in the pool serve only NTP and nothing else. Many of those servers are also used as web, mail, DNS or whatever-servers.

Again, thank you very much for your replies.