
I ran the who command on a shared NetBSD box, and this weird user IP came up:

<redacted> pts/33   May 13 02:13  (XXX.XXX.XXX.XXX)
<redacted> pts/35   May 12 20:59  (202-172-110-147-)
<redacted> pts/36   May  6 20:36  (XXX.XXX.XXX.XXX)

I've never seen an IP like that. Obviously, ping 202-172-110-147- will complain with "Cannot resolve ... (Unknown host)".

There was a similar question posted 7 years ago, which posited that it was a non-standard way of denoting IP ranges, but seeing there's a - at the end of the address, it doesn't seem like a similar thing.


Edit:

I've tried reverse DNS with nslookup 202-172-110-147-, which errors with "** server can't find 202-172-110-147-: NXDOMAIN"

Doing w <user> returns:

9:49AM  up 89 days,  7:46, 1 user, load averages: 0.23, 0.18, 0.17
USER          TTY     FROM              LOGIN@  IDLE WHAT
<redacted>    pts/35  202-172-110-147- Tue08PM  4:13

Edit 2: This is on NetBSD, not Linux like I mentioned at the beginning (I thought the box was Linux):

$ uname -rsv
NetBSD 8.1 NetBSD 8.1 (GENERIC) #0: Fri May 31 08:43:59 UTC 2019  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC

Edit 3: Following @NStorm's update, I ran w -n to display network addresses as numbers. I still see the same result:

$ w -n <user>
 9:57AM  up 89 days,  7:54, 1 user, load averages: 0.12, 0.12, 0.14
USER          TTY     FROM              LOGIN@  IDLE WHAT
<redacted>    pts/35  202-172-110-147- Tue08PM  4:22
ergl
    Are you sure you see an IP-Address and not a name? Reverse DNS may map this to the IP address and the rules there are different. – TomTom May 13 '20 at 09:30
    The [linked question](https://serverfault.com/q/392803/574541) would seem to be referring to something quite different. – MrWhite May 13 '20 at 09:38
  • You can't just always nslookup back to get IP from RR. They don't always map to each other. You can simply specify non-existing domain in the RR. – NStorm May 13 '20 at 09:51

1 Answer


That is just a DNS RR (reverse record) resolved from IP to that name.

There is no way to really map a resolved RR back to the original IP, as the records are independent. Moreover, the RR can contain a non-existing domain name. So you can't rely on the RR to obtain information on the logged-on user's IP.

To check the real IP without DNS resolution, you can use the last -a -i command, which not only shows currently logged-in users but also all recent logins.

If you really need to show only currently logged-in users, you can simply filter the last output with grep like this: last -ai | grep "still logged in"

Or you can simply use w -fi as per Janne Pikkarainen's comment below, if you have a modern distro. I've just realized that only already-unsupported distro versions, like CentOS 5, lack support for the -i key of this tool. Just keep in mind: if your distro complains about w -fi, you can always use the last command as noted above.

EDIT: As the OP updated the information on the OS below (NetBSD 8.1), here is the way to get the IP instead of DNS records on NetBSD, according to the NetBSD man pages: w -n

     -n      Show network addresses as numbers (normally w interprets
             addresses and attempts to display them symbolically).

Or last -n -f /var/run/utmpx:

     -n             Print host addresses numerically.  This option works only
                    on wtmpx(5) entries, and prints nothing on wtmp(5)
                    entries.

According to the NetBSD man pages, if the user is currently logged in, /var/run/utmpx is the only place where the real IP of the currently logged-in users is logged, as the struct sockaddr_storage ut_ss field. If you don't have access to that file and/or to current network connections (netstat, for example, which you most likely don't have access to), you can't tell for sure. The best you can do then is guess.

It seems like the 202-172-110-147- record is truncated from the FQDN. But we can try guessing that it belongs to the IP 202.172.110.147, which we can check by digging its RR. And bingo:

dig -x 202.172.110.147
...
;; ANSWER SECTION:
147.110.172.202.in-addr.arpa. 300 IN    PTR     202-172-110-147-cpe.spintel.net.au.

Seems like this is the one. And the full hostname is 202-172-110-147-cpe.spintel.net.au which is just truncated in who and other tool output.

If you have access to /var/log/wtmpx you can get that IP from there, but only once this user logs out.

NStorm
    Or just with `w -fi` to get the currently logged in users, and to show their IP addresses. – Janne Pikkarainen May 13 '20 at 09:41
  • @JannePikkarainen yes, if you have a modern w. Older versions of w didn't have the -i key. That is why I've stuck with last as the more universal solution. – NStorm May 13 '20 at 09:46
  • I don't have an `-i` option on `w` or `last`. This particular user didn't show up after doing `last`, and `w` still shows the original "202-172-110-147-" in the `FROM` field. – ergl May 13 '20 at 09:47
  • @ergl what OS & version are you running? – NStorm May 13 '20 at 09:49
  • Apparently it's NetBSD 8.1 (I thought this was Linux, I'll edit the question tags) – ergl May 13 '20 at 09:51
  • @ergl I've updated my answer to reflect NetBSD way to get IPs. – NStorm May 13 '20 at 09:56
  • Thanks for the update, although I still see the same IP. I've edited the question, – ergl May 13 '20 at 09:58
  • @ergl Did you try `w -n` and `last -n`? – NStorm May 13 '20 at 10:00
  • Yes, `last -n` doesn't show this particular user – ergl May 13 '20 at 10:01
  • @ergl please try `last -n -f /var/run/utmpx` and `last -n -f /var/log/wtmpx`. I don't have NetBSD installed at hand to try it myself right now. – NStorm May 13 '20 at 10:08
  • Unfortunately I don't have privileges to check `/var/run/utmpx`. With `last -n -f /var/log/wtmp`, I still don't see this particular user. – ergl May 13 '20 at 10:14
  • @ergl note the x at the end of the file name. This is an eXtended log which is supposed to store original IP along with hostname. – NStorm May 13 '20 at 10:20
  • Yes, sorry, `last -n -f /var/log/wtmpx` still doesn't show this user (which is weird, because I can still see the user with `who`, but `last` doesn't list it as "still logged in"). – ergl May 13 '20 at 10:25
  • @ergl seems like `/var/run/utmpx` is the only place. I've updated my answer with more details on this. – NStorm May 13 '20 at 10:42
  • Nice! I have access to `netstat` (surprisingly), and it lists `202-172-110-147-.XXXX` as a telnet connection. Mystery solved. – ergl May 13 '20 at 11:02
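As an added worked example (not code from the original thread or from any of its participants), the following Python models offline the three things the thread turns on: a utmp-style record keeps the remote host in a fixed-width `ut_host` field, so a long PTR name is silently cut off (the width of 16 bytes is an assumption taken from the classic BSD `UT_HOSTSIZE`; the thread's `202-172-110-147-` happens to be exactly 16 characters); the cut-off prefix of an ISP-style PTR name can be turned back into a candidate dotted quad, but only as a guess; and a PTR record is published by whoever controls the reverse zone, so it has to be forward-confirmed before an allow-list or an incident timeline depends on it. The `PTR` and `A` tables are constructed for the example (the first PTR is the one the answer found with `dig -x`; the other entries are made up), and the function names are the example's own.

```python
"""Added example: what a who(1)/w(1) FROM column is worth as evidence.

Nothing here does real DNS lookups; the PTR/A tables are constructed.
"""
import ipaddress
import re
from typing import Dict, Optional, Set, Tuple

UT_HOSTSIZE = 16  # assumption: classic BSD utmp ut_host width on this box


def pack_ut_host(hostname: str, size: int = UT_HOSTSIZE) -> bytes:
    """Store a hostname the way utmp does: strncpy() into a fixed field.
    Names of `size` bytes or more are stored with no terminating NUL."""
    return hostname.encode("ascii")[:size].ljust(size, b"\0")


def unpack_ut_host(field: bytes) -> str:
    """Read it back the way who/w do: up to the first NUL or the field end."""
    return field.split(b"\0", 1)[0].decode("ascii")


_HYPHEN_QUAD = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?:-|$)")


def guess_ipv4_from_truncated_host(host: str) -> Optional[str]:
    """Turn a '202-172-110-147-...' prefix into '202.172.110.147'.
    Returns None unless the prefix is four valid octets. The result is a
    guess about the ISP's naming scheme, not something the kernel told you."""
    m = _HYPHEN_QUAD.match(host)
    if m is None:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(m.groups())))
    except ipaddress.AddressValueError:
        return None


# Constructed reverse/forward zones. The first PTR is the one found above
# with `dig -x`; the other two are made up to show the failure modes.
PTR: Dict[str, str] = {
    "202.172.110.147": "202-172-110-147-cpe.spintel.net.au",
    "198.51.100.7": "bastion.corp.example",   # spoofed: name of a trusted host
    "203.0.113.9": "nonexistent.invalid",     # PTR to a name with no A record
}
A: Dict[str, Set[str]] = {
    "202-172-110-147-cpe.spintel.net.au": {"202.172.110.147"},
    "bastion.corp.example": {"192.0.2.10"},   # the real bastion is elsewhere
}


def fcrdns(ip: str, ptr: Dict[str, str] = PTR,
           fwd: Dict[str, Set[str]] = A) -> Tuple[Optional[str], bool]:
    """Forward-confirmed reverse DNS: the PTR name must have an address
    record pointing back at `ip`. Returns (ptr_name, confirmed)."""
    name = ptr.get(ip)
    if name is None:
        return None, False
    return name, ip in fwd.get(name, set())


def assess_from_field(from_field: str) -> Dict[str, object]:
    """Summarise what a FROM column value tells you about the peer."""
    try:
        ipaddress.ip_address(from_field)
        # Numeric output (w -n / last -n on utmpx data): the kernel's view.
        return {"kind": "numeric", "ip": from_field, "confirmed": True}
    except ValueError:
        pass
    guess = guess_ipv4_from_truncated_host(from_field)
    truncated = len(from_field.encode("ascii")) >= UT_HOSTSIZE
    name, ok = fcrdns(guess) if guess else (None, False)
    return {"kind": "hostname", "truncated": truncated, "ip_guess": guess,
            "ptr": name, "confirmed": ok}


if __name__ == "__main__":
    field = pack_ut_host("202-172-110-147-cpe.spintel.net.au")
    shown = unpack_ut_host(field)
    print("ut_host as stored :", field)
    print("as shown by who   :", shown)
    print("assessment        :", assess_from_field(shown))
    for addr in PTR:
        print(addr, "->", fcrdns(addr))
```

The `bastion.corp.example` entry is the case worth remembering: anyone who controls a reverse zone can make a login appear to come from a trusted name, and `who`/`w` will print it without complaint. Only the numeric address (from `w -n`, `last -n` on utmpx data, or `netstat`) is what the kernel actually saw; a PTR name is at best a forward-confirmed hint.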