
I was futzing around with DTrace on Mac OS X and found the following script that prints out information about connections being established:

$ cat script.d

syscall::connect:entry
{
    printf("execname: %s\n", execname);
    printf("pid: %d\n", pid);
    printf("sockfd: %d\n", arg0);

    /* Copy the caller's sockaddr (pointer arg1, length arg2) into DTrace scratch space. */
    this->socks = (struct sockaddr *)copyin(arg1, arg2);

    /* Treat sa_data[0..1] as a big-endian port and sa_data[2..5] as an IPv4 address,
     * whatever address family the sockaddr actually carries. */
    this->hport = (uint8_t)this->socks->sa_data[0];
    this->lport = (uint8_t)this->socks->sa_data[1];
    this->port = (this->hport << 8) + this->lport;
    printf("Port number: %d\n", this->port);
    printf("IP address: %d.%d.%d.%d\n",
        (uint8_t)this->socks->sa_data[2],
        (uint8_t)this->socks->sa_data[3],
        (uint8_t)this->socks->sa_data[4],
        (uint8_t)this->socks->sa_data[5]);
    printf("======\n");
}

I run it in one window:
$ sudo dtrace -s ./script.d

Then I ssh to another machine from another window. I get this output from my dtrace window:

CPU     ID                    FUNCTION:NAME
  0  18696                    connect:entry execname: ssh
pid: 5446
sockfd: 3
Port number: 22
IP address: 192.168.0.207
======

  0  18696                    connect:entry execname: ssh
pid: 5446
sockfd: 5
Port number: 12148
IP address: 109.112.47.108
======

^C

The first IP address I can explain (192.168.0.207): that's the machine I'm connecting to. But what's with the 109.112.47.108 machine? It doesn't show up in tcpdump or netstat -an.

Is there something with my dtrace code or my understanding of how the connect system call works?

Chealion
user50799

6 Answers


I think I've figured it out: it's the dtrace script, which I grabbed from a Solaris site, that needs to be changed for BSD.

user50799
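As an added worked example (not part of the question or this answer), the Python below decodes a BSD struct sockaddr the way the posted D script does, next to a decode that honours sa_len and sa_family first; the two samples are constructed, and the UNIX-domain path is a placeholder in the form OS X used for its launchd ssh-agent socket. The numbers in the question, 12148 and 109.112.47.108, are exactly the ASCII bytes of "/tmp/l" read as a port and an IPv4 address, which is what a family-blind decode produces for a second connect to a filesystem path rather than a host.

```python
import socket
import struct

# BSD/Mac OS X struct sockaddr: uint8_t sa_len, uint8_t sa_family, char sa_data[14].
# Solaris has a 16-bit sa_family and no sa_len, so a script written there never
# learns to check the family before formatting sa_data as port + IPv4 address.
AF_UNIX, AF_INET = 1, 2


def make_sockaddr_in(ip, port):
    """Build a 16-byte BSD sockaddr_in: sin_len, sin_family, sin_port, sin_addr, 8 zero bytes."""
    return struct.pack("!BBH4s8x", 16, AF_INET, port, socket.inet_aton(ip))


def make_sockaddr_un(path):
    """Build a BSD sockaddr_un with sun_len = SUN_LEN(), i.e. 2-byte header plus path length."""
    raw = path.encode()
    return struct.pack("BB", 2 + len(raw), AF_UNIX) + raw + b"\0"


def naive_decode(sa):
    """What the posted D script does: sa_data[0..1] as a port, sa_data[2..5] as IPv4, family ignored."""
    data = sa[2:]
    port = (data[0] << 8) + data[1]
    ip = ".".join(str(b) for b in data[2:6])
    return port, ip


def bsd_decode(sa):
    """Interpret sa_data according to sa_family, bounding a UNIX path by sa_len."""
    sa_len, sa_family = sa[0], sa[1]
    if sa_family == AF_INET:
        port, addr = struct.unpack("!H4s", sa[2:8])
        return "inet", socket.inet_ntoa(addr), port
    if sa_family == AF_UNIX:
        path = sa[2:sa_len].split(b"\0", 1)[0].decode()
        return "unix", path, None
    return "other", sa_family, None


# Constructed samples: the ssh connect to 192.168.0.207:22 from the question, and a
# UNIX-domain connect to a placeholder path shaped like OS X's ssh-agent socket.
INET_SAMPLE = make_sockaddr_in("192.168.0.207", 22)
UNIX_SAMPLE = make_sockaddr_un("/tmp/launch-EXAMPLE/Listeners")

if __name__ == "__main__":
    for sa in (INET_SAMPLE, UNIX_SAMPLE):
        print("naive:", naive_decode(sa), " by family:", bsd_decode(sa))
```

The equivalent fix in the D script is to test the family byte before formatting sa_data as a port and address.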

Try doing a traceroute to that address and see where it is. If it's only a couple of hops away it's probably a firewall or switch.

James L
  • 12+ hops, can't ping it either. It's weird that it just shows up with ssh - but not Safari, not ftp, not curl, etc. – user50799 Aug 10 '10 at 23:18

It's a Vodafone IP address in Italy. Are you connected to an ISP in Europe/Italy? If not, better start worrying.

  • Check this out, I did the same thing on a G5 with OSX 10.5.8, got the exact same results as on 10.6.4 on intel OSX. – user50799 Aug 10 '10 at 23:28

Port 12148 looks like a virus/Trojan issue - best to clean the infected system ASAP.


What does grep 'sshd.*from' secure.log say? If someone besides you has logged in via SSH then you have a problem. If they haven't it's likely an unsuccessful brute force attempt. Are you running DenyHosts or Fail2Ban?

I can't find any documentation on syscall::connect, but it looks like it's printing out both ends of the socket. What happens when you run the script and ssh in from another machine?

Gerald Combs
  • Just a bunch of crap. Doesn't look like it's been compromised. I'm running both emerging threats iptables firewall rules and denyhosts on the server. – user50799 Aug 11 '10 at 00:00
  • Apparently doesn't show incoming connections, just looks like outgoing connections. – user50799 Aug 11 '10 at 00:04

For what it is worth, this IP appears to be part of the vodafone.it network. Observe:

> host -a 109.112.47.108
Trying "108.47.112.109.in-addr.arpa"
Host 108.47.112.109.in-addr.arpa. not found: 3(NXDOMAIN)
Received 116 bytes from 68.94.156.1#53 in 180 ms
> host -a 47.112.109.in-addr.arpa
Trying "47.112.109.in-addr.arpa"
Received 112 bytes from 68.94.156.1#53 in 388 ms
Trying "47.112.109.in-addr.arpa.domain_not_set.invalid"
Host 47.112.109.in-addr.arpa not found: 3(NXDOMAIN)
Received 139 bytes from 68.94.156.1#53 in 859 ms
> host -a 112.109.in-addr.arpa
Trying "112.109.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20054
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;112.109.in-addr.arpa.  IN ANY

;; ANSWER SECTION:
112.109.in-addr.arpa. 28800 IN SOA mivsx030.net.vodafone.it. hostmaster.vodafone.it. 9 10800 3600 2592000 900
112.109.in-addr.arpa. 28800 IN NS mivsx030.net.vodafone.it.
112.109.in-addr.arpa. 28800 IN NS gmigdns006.net.vodafone.it.

Received 148 bytes from 68.94.156.1#53 in 373 ms
womble