Security Basics mailing list archives

Suddenly faced with password prompt while ssh'ing; two IPs assigned to ADSL ppp0 iface?!?


From: John Doe <security.department () tele2 ch>
Date: Thu, 15 Dec 2005 13:23:18 +0100

Hello dear list members

Yesterday I faced a strange phenomenon on my workstation, and I don't have an 
explanation for it. I'm sorry for my English as well as for the lengthy 
or unclear description. Further, I don't think it's an ssh issue - sorry if 
I'm wrong about that and hitting an inappropriate list.

I have never heard/read of something similar, didn't know what to search for on the 
web, and had no time to start an analysis (I'm not a forensics guy either).

Ok. First, some setup info and what normally happens:
It's an often-patched Linux box behind a NAT/firewall with an ADSL connection to 
the internet. No fancy software installed or used (p2p, telephony, chat 
etc.). I just work on it with basic tools. No risky web surfing and such. No 
open ports from outside into the LAN.
I have a tool coded to update my dynamic webapps on a server (hosted by a 
provider) by rsync over ssh with public key auth on a nonstandard remote 
port. There, I log in as a non-privileged user, and I have ssh-agent running 
under X (locally, of course).
I run the update tool in a root shell (yes, not optimal).

Now what happened:
When the phenomenon occurred, the root shell had already been up for some time; I 
started the tool and was faced with a "Password: " prompt. I tried the command 
(/usr/bin/ssh -p <nonstdport> -l <nonprivuser> <remoteserverip>) from another 
non-root shell: everything OK, as well as from another new su root shell. The 
phenomenon disappeared when I exited the root shell, su'd again and reran the 
command.
What I found out by inspecting the remote log: 
   <Date> linux sshd[<pid>]: reverse mapping checking getaddrinfo 
   for <dxx-xxx-xxx-xxx.cust.tele2.yy> failed - POSSIBLE BREAKIN ATTEMPT!
The log entry as such appears from time to time, and I'm 99.9% sure it's not a 
break-in attempt but a problem with my ADSL provider.
BUT: the above IP in the name was not the current IP of my ADSL connection 
(but another IP of the same ADSL provider). I nmap'ed it from the remote 
server, and *I* got the packets. 
What I found out locally:
- The tcpdump on the NAT/firewall box showed *this* IP only as target, never 
as source (the latter in the case of outgoing packets).
- ssh tried to use the *root* key, not the unprivileged user's one, and there 
is no public key for root on the remote box (yes, this reveals a suboptimal 
remote config).

So, somehow the ADSL connection was assigned two different IPs?!? When running 
ifconfig ppp0, I just saw the correct ADSL IP.

From all that, I conclude that it's most probably an issue with my local box 
and/or my ADSL provider.

Does anybody out there have any idea or any hint what could be the reason for 
this? (I mean the second IP and the "Password: " prompt in a certain root 
shell.) It would be much appreciated, because I hate not having the least 
idea about such things...

I may provide more info if needed. 

sincerely, joe
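The "reverse mapping checking getaddrinfo ... failed" line that the poster found on the remote server comes from a consistency check sshd runs on every connecting address: reverse-resolve the address to a name, forward-resolve that name, and require the original address to be among the results. The following is an added example (editor's code, not the poster's tool and not OpenSSH source) that reproduces that check against a constructed, invented resolver table; the first message wording is taken from the poster's log line, the second is the companion message the same check in OpenSSH's canohost.c logs when the name does resolve, but not back to the connecting address. All names and addresses in the tables are made up.

```python
import re

# Constructed stand-in for DNS (assumption: invented names and addresses,
# not the poster's real provider data). PTR: address -> name; FWD: name -> addresses.
PTR = {
    "192.0.2.10": "d192-0-2-10.cust.example.net",  # name resolves back: consistent
    "192.0.2.20": "d192-0-2-10.cust.example.net",  # PTR points at another line's name
    "192.0.2.30": "d192-0-2-30.cust.example.net",  # PTR name has no forward record
}
FWD = {
    "d192-0-2-10.cust.example.net": ["192.0.2.10"],
}

# Message wording: the first as quoted in the post, the second its companion in sshd.
MSG_GETADDRINFO = ("reverse mapping checking getaddrinfo for {name} failed"
                   " - POSSIBLE BREAKIN ATTEMPT!")
MSG_MISMATCH = ("Address {ip} maps to {name}, but this does not map back"
                " to the address - POSSIBLE BREAKIN ATTEMPT!")

LOG_RE = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")


def reverse_mapping_check(ip, ptr=PTR, fwd=FWD):
    """Reproduce sshd's reverse-mapping consistency check for one peer address.

    Returns (verdict, hostname_sshd_records, log_line). log_line is None when
    nothing is logged. Whenever the check fails, sshd falls back to recording
    the bare address as the peer's hostname instead of the PTR name.
    """
    name = ptr.get(ip)
    if name is None:
        # No PTR record at all: the address is used as-is and nothing is logged.
        return ("no-ptr", ip, None)
    addrs = fwd.get(name)
    if not addrs:
        # The PTR name does not resolve: this is the message from the post.
        return ("getaddrinfo-failed", ip, MSG_GETADDRINFO.format(name=name))
    if ip not in addrs:
        # The name resolves, but to other addresses only.
        return ("mismatch", ip, MSG_MISMATCH.format(ip=ip, name=name))
    return ("ok", name, None)


def name_from_log_line(line):
    """Pull the PTR name out of a logged 'reverse mapping checking' message."""
    m = LOG_RE.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        verdict, host, log = reverse_mapping_check(ip)
        print(f"{ip}: {verdict}; sshd records peer as {host}")
        if log:
            print("    logs:", log)
    # The poster's line, with the placeholders kept as posted (constructed input).
    posted = ("<Date> linux sshd[<pid>]: reverse mapping checking getaddrinfo "
              "for <dxx-xxx-xxx-xxx.cust.tele2.yy> failed - POSSIBLE BREAKIN ATTEMPT!")
    print("name in posted line:", name_from_log_line(posted))
```

What the check shows: the message quoted in the post is emitted when the PTR name for the connecting address does not resolve at all, so the name in the log is only what the provider's reverse zone says about that address, and on its own it says nothing about who sent the packets; for the peer's identity, look at the address sshd records alongside it rather than the PTR name. For the other half of the question, `ssh -v` prints which identities the client offers and in which order, and `ip addr show ppp0` lists every address on the interface, whereas `ifconfig` prints only the primary one.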
