I monitor my network traffic and recently received a notification that my Sonos Play 3 was accessing a phishing site at 1:03 AM (a time when the system was not being used). As part of the monitoring, I have noticed over time that all my Sonos devices connect to random IP addresses once per hour via port 123 (UDP). It’s my understanding this is Network Time Protocol used for synchronization. However, after months of monitoring, I received the following notification for the first time.
“Device Sonos Play 3 is accessing phishing site 104.236.116.147.”
After further investigation, it seems like this IP address (104.236.116.147) has been identified as an unsecured phishing site. I did a Whois search and the domain owner is DigitalOcean, which seems normal for the UDP sync. When navigating to the site via web browser, it appears to be a default message saying nginx has been successfully installed.
Has anyone else seen an issue like this or run into issues with the IP address block 104.236.0.0/16?
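
One way to check whether the hourly UDP/123 traffic described in the post above is really NTP is to parse the captured payloads against the RFC 5905 header layout. This is an added example, not part of the original post; the sample payloads are constructed, the function names and labels are hypothetical, and the check says nothing about the reputation of the remote IP address.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)   # NTP era 0 starts here
MODES = {3: "client", 4: "server"}   # client request / server reply

def parse_ntp(payload):
    """Return header fields if payload is shaped like an NTP request/reply, else None."""
    if len(payload) < 48:                       # the fixed NTP header is 48 bytes
        return None
    flags, stratum = struct.unpack("!BB", payload[:2])
    version, mode = (flags >> 3) & 0x7, flags & 0x7      # LI(2) | VN(3) | Mode(3)
    if not 1 <= version <= 4 or mode not in MODES:
        return None
    tx_sec, tx_frac = struct.unpack("!II", payload[40:48])   # transmit timestamp
    transmit = NTP_EPOCH + timedelta(seconds=tx_sec + tx_frac / 2**32)
    return {"version": version, "mode": MODES[mode],
            "stratum": stratum, "transmit": transmit}

def classify(payload):
    """Label one UDP/123 payload for triage."""
    hdr = parse_ntp(payload)
    if hdr is None:
        return "unexpected"        # not a well-formed client request or server reply
    if hdr["mode"] == "server" and not 1 <= hdr["stratum"] <= 15:
        return "ntp-server-no-time"    # stratum 0 (kiss-o'-death) or 16 (unsynchronised)
    return "ntp-" + hdr["mode"]

# Constructed sample payloads (not captured from a real device).
STAMP = struct.pack("!II", 3913056000, 0)       # 2024-01-01 00:00:00 UTC in NTP seconds
CLIENT_REQ = bytes([0x23]) + bytes(39) + STAMP                 # VN=4, mode 3
SERVER_REPLY = bytes([0x24, 2, 6, 0xEC]) + bytes(36) + STAMP   # VN=4, mode 4, stratum 2
NOT_NTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n".ljust(48, b" ")

if __name__ == "__main__":
    for name, data in [("client", CLIENT_REQ), ("server", SERVER_REPLY), ("http", NOT_NTP)]:
        print(name, classify(data), parse_ntp(data))
```

Feed it the UDP payload bytes (after the IP and UDP headers) exported from a packet capture of the device's port 123 flows.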