Strange IP address showing up with OS X ssh

Question

I was futzing around with DTrace on Mac OS X and found the following script that prints out information about connections being established:

$ cat script.d

syscall::connect:entry
{
printf("execname: %s\n", execname);
printf("pid: %d\n", pid);
printf("sockfd: %d\n",arg0);

socks = (struct sockaddr*)copyin(arg1, arg2);

hport = (uint_t)socks->sa_data[0];
lport = (uint_t)socks->sa_data[1];
hport <<= 8; 
port = hport + lport; 
printf("Port number: %d\n", port); printf("IP address: %d.%d.%d.%d\n",
 socks->sa_data[2],
 socks->sa_data[3],
 socks->sa_data[4],
 socks->sa_data[5]);
printf("======\n");
}

I run it in one window:
$ sudo dtrace -s ./script.d

Then I ssh to another machine from another window. I get this output from my dtrace window:

CPU     ID                    FUNCTION:NAME
  0  18696                    connect:entry execname: ssh
pid: 5446
sockfd: 3
Port number: 22
IP address: 192.168.0.207
======

  0  18696                    connect:entry execname: ssh
pid: 5446
sockfd: 5
Port number: 12148
IP address: 109.112.47.108
======

^C

The first IP address I can explain (192.168.0.207), that's the machine I'm connecting to. But what's with the 109.112.47.108 machine? It doesn't show up in tcpdump nor netstat -an

Is there something with my dtrace code or my understanding of how the connect system call works?

Answer 1

I think I've figured it out, it's the dtrace script which I grabbed from a Solarius site, needs to be changed for BSD.

Answer 2

Try doing a traceroute to that address and see where it is. If it's only a couple of hops away it's probably a firewall or switch.

Answer 3

It's a vodaphone IP address in Italy. Are you connected to an ISP in Europe/Italy? If not, better start worrying.

Answer 4

Port 12148 looks like a virus/Trojan issue - best to clean infected system asap

Answer 5

What does grep 'sshd.*from' secure.log say? If someone besides you has logged in via SSH then you have a problem. If they haven't it's likely an unsuccessful brute force attempt. Are you running DenyHosts or Fail2Ban?

I can't find any documentation on syscall::connect, but it looks like it's printing out both ends of the socket. What happens when you run the script and ssh in from another machine?

Answer 6

For what it is worth, this IP appears to be part of the vodafone.it network. Observe:

> host -a 109.112.47.108
Trying "108.47.112.109.in-addr.arpa"
Host 108.47.112.109.in-addr.arpa. not found: 3(NXDOMAIN)
Received 116 bytes from 68.94.156.1#53 in 180 ms
> host -a 47.112.109.in-addr.arpa
Trying "47.112.109.in-addr.arpa"
Received 112 bytes from 68.94.156.1#53 in 388 ms
Trying "47.112.109.in-addr.arpa.domain_not_set.invalid"
Host 47.112.109.in-addr.arpa not found: 3(NXDOMAIN)
Received 139 bytes from 68.94.156.1#53 in 859 ms
> host -a 112.109.in-addr.arpa
Trying "112.109.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20054
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;112.109.in-addr.arpa.  IN ANY

;; ANSWER SECTION:
112.109.in-addr.arpa. 28800 IN SOA mivsx030.net.vodafone.it. hostmaster.vodafone.it. 9 10800 3600 2592000 900
112.109.in-addr.arpa. 28800 IN NS mivsx030.net.vodafone.it.
112.109.in-addr.arpa. 28800 IN NS gmigdns006.net.vodafone.it.

Received 148 bytes from 68.94.156.1#53 in 373 ms