What is happening with my Linode VPS?

So I was playing around with scapy and I ran this simple script on my Linode.

#!/usr/bin/python3
from scapy.all import sniff
#import socket

print("starting")

#sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

def callbackfn(data):
  # Only IP packets carry the src/dst fields compared below.
  ip = data.getlayer('IP')
  if ip:
    # Print packets sent by the VPS (45.33.113.47) where neither end is the redacted address.
    if (ip.src != "redacted") and (ip.dst != "redacted") and (ip.src == "45.33.113.47"):
      print(ip.src+" -> "+ip.dst)
  #sock.sendto(data, (UDP_IP, UDP_PORT))

# One continuous capture: calling sniff() with count=1 in a loop reopens the
# capture socket for every packet and can miss packets in between.
sniff(prn=callbackfn, store=0)

All this does is log traffic leaving the VPS that is not going to my IP.

However, when I ran this I got the following:

starting
45.33.113.47 -> 193.32.162.136
45.33.113.47 -> 193.32.162.136
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 50.218.103.254
45.33.113.47 -> 92.255.85.189
45.33.113.47 -> 92.255.85.189
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 50.218.103.254

This seems fairly suspicious. I then reloaded the VM via the Linode GUI and I still get strange outgoing traffic:

starting

45.33.113.47 -> 198.60.22.240
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 50.218.103.254
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 218.92.0.245
45.33.113.47 -> 74.6.168.72
45.33.113.47 -> 198.60.22.240
45.33.113.47 -> 23.111.186.186

What is going on? Does anyone know what this could be?

Edit:

I am dumb. It was just SSH attempts from bots and the occasional NTP.

See edit

If you think it’s SSH attempts, check with tail -f /var/log/auth.log and see what the sshd service is logging.

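The check suggested in the reply, as an added example that is not part of the original thread: it pulls the remote address out of sshd's unauthenticated-connection messages and marks which destinations from the capture are explained by them. The log lines, timestamps and hostname are constructed samples, and the names `sshd_peers` and `explain` are hypothetical; only the IP addresses come from the post.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log (not from the original post);
# the peer addresses reuse destinations printed by the sniffer.
AUTH_LOG = """\
Jan 10 03:14:01 localhost sshd[2211]: Failed password for root from 218.92.0.245 port 40112 ssh2
Jan 10 03:14:03 localhost sshd[2211]: Failed password for root from 218.92.0.245 port 40112 ssh2
Jan 10 03:14:09 localhost sshd[2215]: Invalid user admin from 193.32.162.136 port 51822
Jan 10 03:14:20 localhost sshd[2219]: Connection closed by authenticating user root 92.255.85.189 port 33810 [preauth]
Jan 10 03:15:02 localhost CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Unique destinations from the first sniffer run in the post.
CAPTURED_DSTS = ["193.32.162.136", "218.92.0.245", "50.218.103.254", "92.255.85.189"]

# OpenSSH messages logged for connections that never authenticated.
SSHD_PEER = re.compile(
    r"sshd\[\d+\]: (?:Failed \w+ for (?:invalid user )?\S+ from "
    r"|Invalid user \S+ from "
    r"|Connection closed by (?:authenticating|invalid) user \S+ )"
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)

def sshd_peers(log_text):
    """Count unauthenticated sshd events per remote address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SSHD_PEER.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def explain(dsts, log_text):
    """Split capture destinations into sshd-explained and unexplained."""
    peers = sshd_peers(log_text)
    unique = list(dict.fromkeys(dsts))  # de-duplicate, keep capture order
    explained = {ip: peers[ip] for ip in unique if ip in peers}
    unexplained = [ip for ip in unique if ip not in peers]
    return explained, unexplained

if __name__ == "__main__":
    explained, unexplained = explain(CAPTURED_DSTS, AUTH_LOG)
    for ip, n in explained.items():
        print(f"{ip}: {n} sshd event(s), outbound packets are replies to it")
    for ip in unexplained:
        print(f"{ip}: no sshd entry, check other services (the post's edit mentions NTP)")
```

An address with sshd events is a client that connected to port 22, so the packets the VPS sent to it are the server's replies rather than traffic the VPS started.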