So I was playing around with scapy and I ran this simple script on my Linode.
#!/usr/bin/python3
from scapy.all import sniff
#import socket
print("starting")
#sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

MY_IP = "redacted"  # the address of this VPS

def callbackfn(pkt):
    # sniff(prn=...) hands the callback a single packet, not a list
    ip = pkt.getlayer('IP')
    if ip:
        # log only packets leaving this box for somewhere other than my own IP
        if ip.src != MY_IP and ip.dst != MY_IP and ip.src == "45.33.113.47":
            print(ip.src + " -> " + ip.dst)
            #sock.sendto(bytes(pkt), (UDP_IP, UDP_PORT))

while True:
    # restarts sniffing after every packet; store=0 keeps memory flat
    capture = sniff(prn=callbackfn, count=1, store=0)
All this does is log traffic leaving the VPS that is not going to my IP.
However, when I ran this I got the following:
starting
45.33.113.47 -> 193.32.162.136
45.33.113.47 -> 193.32.162.136
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 50.218.103.254
45.33.113.47 -> 92.255.85.189
45.33.113.47 -> 92.255.85.189
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 50.218.103.254
This seems fairly suspicious. I then reloaded the VM via the Linode GUI and I still get strange outgoing traffic:
starting
45.33.113.47 -> 198.60.22.240
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 50.218.103.254
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 74.6.168.72
45.33.113.47 -> 198.60.22.240
45.33.113.47 -> 23.111.186.186
What is going on? Does anyone know what this could be?
Edit:
I am dumb. It was just SSH attempts from bots and the occasional NTP.
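As an added example that is not part of the original post: the sniffer above prints only source and destination, which is why the flows looked anonymous. Labelling each outbound packet by the well-known port on either side of the flow separates "we are replying to someone who connected to us" (sshd answering a bot) from "we initiated this" (an NTP query). The port table, the `scapy_fields` helper and the sample packets below are constructed for illustration; the IPs are the ones from the post.

```python
#!/usr/bin/python3
"""Classify packets leaving the VPS by the well-known port on either side of the
flow, so SSH replies to scanners and NTP queries stop looking like mystery traffic."""
from collections import Counter

MY_IP = "45.33.113.47"  # the VPS address from the post

# Ports that explain most "unexpected" outbound packets on a fresh VPS
# (assumption: illustrative table, not exhaustive).
PORT_LABELS = {22: "ssh", 53: "dns", 80: "http", 123: "ntp", 443: "https"}

def describe_flow(src, dst, proto, sport, dport, my_ip=MY_IP):
    """Return (dst, label) for a packet leaving my_ip, or None otherwise.

    A well-known *destination* port means we initiated the connection (e.g. the
    local time daemon querying NTP).  A well-known *source* port means a remote
    host connected to a service we run and we are answering (e.g. sshd replying
    to a brute-force bot).  Checking dport first keeps ntpd's 123->123 queries
    labelled as ours; an NTP *server* would need the opposite order.
    """
    if src != my_ip or dst == my_ip:
        return None
    if dport in PORT_LABELS:
        return dst, f"{proto}/{dport} {PORT_LABELS[dport]} we initiated"
    if sport in PORT_LABELS:
        return dst, f"{proto}/{sport} {PORT_LABELS[sport]} reply to inbound connection"
    return dst, f"{proto} {sport}->{dport} unknown, worth a closer look"

def summarize(packets, my_ip=MY_IP):
    """Count (dst, label) pairs over (src, dst, proto, sport, dport) tuples."""
    counts = Counter()
    for fields in packets:
        described = describe_flow(*fields, my_ip=my_ip)
        if described:
            counts[described] += 1
    return counts

def scapy_fields(pkt):
    """Extract describe_flow()'s tuple from the scapy packet a sniff(prn=...)
    callback receives; returns None for non-IP or non-TCP/UDP traffic."""
    if not pkt.haslayer("IP"):
        return None
    for layer in ("TCP", "UDP"):
        if pkt.haslayer(layer):
            return pkt["IP"].src, pkt["IP"].dst, layer, pkt[layer].sport, pkt[layer].dport
    return None

# Constructed sample: two sshd replies to a scanner, one NTP query, one odd flow,
# one inbound packet that the filter must ignore.
SAMPLE = [
    (MY_IP, "218.92.0.245", "TCP", 22, 51234),
    (MY_IP, "218.92.0.245", "TCP", 22, 51234),
    (MY_IP, "50.218.103.254", "UDP", 123, 123),
    (MY_IP, "198.60.22.240", "TCP", 40012, 5555),
    ("10.0.0.9", MY_IP, "TCP", 51234, 22),
]

if __name__ == "__main__":
    for (dst, label), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {MY_IP} -> {dst}  {label}")
```

To use it live, replace the sample with `sniff(prn=lambda p: print(describe_flow(*scapy_fields(p))) if scapy_fields(p) else None, filter="ip and src host 45.33.113.47", store=0)`; the BPF filter does the source check in the kernel instead of in the callback.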