I have LittleSnitch on my MacBook and after months of being just fine it popped up a message saying ntpd wanted to connect to 58.215.177.51:52562. Any idea what that is about? It's a server running in Beijing and doesn't seem to have anything to do with time. This is on ML.
Later: Now the address traces to China Telecom in Nanjing.
Same here... It says it's 'ntpd is the network time daemon that synchronizes your clock with a network time server.' and its a system daemon so I would think it is OK.
ntpd is OK, it's the computer that it is trying to connect to that doesn't make sense. The listed servers that ntpd are supposed to be using are time.apple.com, time.asia.apple.com and time.euro.apple.com. This address is none of those.
NMBob,
You're not alone. My iMac running OSX 10.9.1 with all latest updates and Little Snitch v3.3 just did same to me. I'm located in WV here in the U.S. Found it odd so backtracked the IP with ARIN/WHOIS, and when I saw the IP was assigned by APNIC to China Telecomm, really started to wonder. Then started Googling and landed here. Definitely a bit odd. And my Date & Time system preferences are to check a specific IP here where I work, so shouldn't even be trying to hit the standard NTP servers as far as I can tell. Even checked /etc/ntp.conf and it shows just that single, static IP.
Would love to hear from someone at Apple what this is.
I'm over here in New Mexico, mine is set to the regular time.apple.com, and that's what's in ntp.conf. I just denied until shutdown, restarted the Mac that night/next day and haven't seen it come up since. I guess "they" already know where I am and don't need to check anymore, or "they" figured out another way in. Now we have to worry about the Chinese NSA too!? 🙂 I guess I'll fill out a feedback message about it for OSX. I don't know how else to get the word to Apple.
Oh -- product-security@apple.com. Who knew? There was a link on the feedback page to something about security in Pages and I clicked on it just to see what it was. This address was on there. I sent an email and got an automated response back right away with an ID number. Very good.
Apple doesn’t routinely monitor the discussions.
Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.
Feedback
Also do send info to product-security@apple.com if this has happened to you. They just got back to me and requested some more info. They wanted to know how long Little Snitch had been installed and wanted a copy of the System Report .spx file that you generate through About My Mac...
I complained a little in the feedback message that I sent before the security email that there really isn't anything in feedback for 'security concerns'. Maybe they will add a little link to the security section. It was just by accident that I discovered there even IS a security section.
Well done matey... :)
Thanks for posting. I saw the same IP address (58.215.177.51) with Little Snitch running under Mac OS X 10.6.8. Denied it after I saw it was in China. Apple's time server may have been compromised and who knows what else at this point.
I just emailed product-security@apple.com with details and got the automated response. I agree that the more who do, the faster this will get attention.
I am in Tasmania (Australia), got the same alert and IP from Little Snitch, iMac G5 running OSX 10.5.8. This is my home server (connected 24/7).
Looks suspicious and apparently is widespread and affects OSX in general.
Maybe is a 30th anniversary "Surprise".
Dang, this thing is getting popular. Just for "fun" I reset all of my Little Snitch rules to the factory defaults. I'll be a little grouchy for the next few days approving and disapproving, but it'll be interesting to see if there is anything else strange going on. I needed to do a little pre-Spring (pre-Fall in Tasmania) cleaning of the rules anyway.
So, has it changed the Time Server in Sys Prefs> Date & Time, or is it DNS poisoning, or even related to this Mobile threat out of China?
http://securitywatch.pcmag.com/mobile-security/320087-mobile-threat-monday-myste ry-malware-appears-in-google-play
Nope, the Date & Time pref just stayed (on mine) at time.apple.com, and only Apple's servers are listed. It never has popped up on mine again. Maybe they found a way around Little Snitch. 🙂 Little Snitch's default settings are kinda liberal (not political, but non-restrictive) to begin with. I hope that's not a problem.
Glad I don't have ANY phone, except the one in my iPad which does not get used for banking.
OK, thanks.
NTPD and IP address 58.215.177.51?
