Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Boomish69

macrumors 6502
Original poster
Sep 13, 2012
398
105
London
I got this warning from my Hands Off firewall today after booting and wondered what it was
"bin/sh wants to listen to incoming connections"
I had a previous warning which was apple time clock , which I allowed, then this warning, so I wondered what it could be, I did some updates yesterday and installed some software , can anyone tell me if it is safe to allow?
I can't find any other info on it well none I can understand anyway..

Appreciate the help..
 

2984839

Cancelled
Apr 19, 2014
2,114
2,240
I got this warning from my Hands Off firewall today after booting and wondered what it was
"bin/sh wants to listen to incoming connections"
I had a previous warning which was apple time clock , which I allowed, then this warning, so I wondered what it could be, I did some updates yesterday and installed some software , can anyone tell me if it is safe to allow?
I can't find any other info on it well none I can understand anyway..

Appreciate the help..

Block it; the shell should never be allowed to access the internet, nor should it be trying to. What software have you installed and from where did you get it?
 
  • Like
Reactions: Boomish69

Boomish69

macrumors 6502
Original poster
Sep 13, 2012
398
105
London
thanks for the reply, hmm I installed bunch of things and some updates, I have no cracks or weird software, the address was a strange unixcode type of number starting fe80 and another starting fd00 on port 123 ntp, is this something to go with the Apple Clock? I can see a connection to 17.253.52.125 on the same port and that links to Apple in Cupertino..

Realy apreciate the advice
 

cqexbesd

macrumors regular
Jun 4, 2009
176
44
Germany
the address was a strange unixcode type of number starting fe80 and another starting fd00 on port 123 ntp, is this something to go with the Apple Clock? I can see a connection to 17.253.52.125 on the same port and that links to Apple in Cupertino..

Yes. NTP is the network time protocol and is used for keeping clocks in sync across the Internet. The 2 addresses you mention sound like IPv6 addresses. The one beginning with fe80 is a link local address (https://en.wikipedia.org/wiki/Link-local_address).

I would still be suspicious if /bin/sh wants to accept network connections. Did your firewall give you any details about that? If so try posting them. I wouldn't expect it is related to your clock.
 
  • Like
Reactions: Boomish69

Boomish69

macrumors 6502
Original poster
Sep 13, 2012
398
105
London
Thanks again for the reply, I deleted the rules shown in the firewall to see if it warned me again, but it hasn't! now I'm confused, thanks for the reply, I'll def keep a watch on bin accessing the net.

upload_2015-12-1_15-27-36.png


Maybe I should close these too?

Sorry maybe I'm just being paranoid.
 

2984839

Cancelled
Apr 19, 2014
2,114
2,240
Thanks again for the reply, I deleted the rules shown in the firewall to see if it warned me again, but it hasn't! now I'm confused, thanks for the reply, I'll def keep a watch on bin accessing the net.

View attachment 603208

Maybe I should close these too?

Sorry maybe I'm just being paranoid.
ntpd is the NTP daemon and you'd have to allow it outgoing access in order for it to set your clock from other NTP servers on the internet. You do not have to allow incoming connections to ntpd though, unless you were trying to set up your computer as an NTP server.

I would not recommend allowing incoming connections to ntpd, as the version Apple uses has had a history of very bad vulnerabilities and the code quality is poor.
 
  • Like
Reactions: Boomish69

Boomish69

macrumors 6502
Original poster
Sep 13, 2012
398
105
London
ntpd is the NTP daemon and you'd have to allow it outgoing access in order for it to set your clock from other NTP servers on the internet. You do not have to allow incoming connections to ntpd though, unless you were trying to set up your computer as an NTP server.

I would not recommend allowing incoming connections to ntpd, as the version Apple uses has had a history of very bad vulnerabilities and the code quality is poor.

Really appreciate the advice, dam I wonder how long thats been there, might be time for a fresh install, I occasionally do some beta testing & have ran all kinds of installers but it's all legit stuff maybe it's left over from some of that. I shall close those ports now!
Time to do some security software research..I ran a Malware check and that was fine.

Thanks again for all the help everyone.

UPDATE..
I had a warning today for the NTPD to connect to ip 17.253.34.125 , which it seems to my searching is a well known hacking site! damm not sure what to do now, is there any cleanup software anyone recommends I should check my system with? How do I disinfect the ntpd?

Thanks so much for the help in finding this..god knows how it got there..
 
Last edited:

cqexbesd

macrumors regular
Jun 4, 2009
176
44
Germany
I had a warning today for the NTPD to connect to ip 17.253.34.125 , which it seems to my searching is a well known hacking site!

Belonging to that well known hacking company Apple Inc. 17.0.0.0/8 is all Apple.

I recommend trying Google again :) From the name I expect that is an apple NTP server though I haven't tried it.
 
  • Like
Reactions: Boomish69
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.