Port 7680 and weird IPs

MikeO 11 Reputation points
2023-01-12T14:15:14.8066667+00:00

We noticed on our firewall that yesterday our computer started to send packets to random IPs over the 7680 WUDO port.

The IPs are random and blocked:

96.49.20.217

172.17.179.1

192.168.137.1

plus a bunch of others. We have created a policy to disable update optimization, but we are still seeing PCs reach out to weird IPs.

What is this behavior? Our systems are Windows 10 LTSC 1809 and 21H2, and none of the IPs are on my local network; they are all trying to go out to the internet.

We are thinking it might be malicious behavior.

Windows 10

2 answers

  1. Dillon Silzer 33,616 Reputation points
    2023-01-12T17:59:26.73+00:00

    Hi Mike,

    From a quick look at it, the 172.x and 192.x are private IP addresses, so I'm not sure if you have a private network set up with 172.17.x.x and 192.168.x.x, but it might be trying to reach out to computers that are on the network. The 96.49.20.217 looks like it is a public IP address but is not registered to Microsoft.

    I'd probably recommend wiping that computer as it may be infected.


    If this is helpful please accept answer.


  2. MikeO 11 Reputation points
    2023-01-12T18:10:49.88+00:00

    We have run many products to try and detect if there is anything on the box; everything comes up with nothing.

    We have engaged a CIRT to scan, but so far we are coming up with nothing.

    That was a small sample of IPs; there are many, some private, some public, all blocked by our firewall.

    We see no ill effect from this traffic either. It is a change in our normal traffic patterns, and we are wondering if Microsoft or 365 made any changes that might affect port 7680.

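The private-versus-public split raised in the first answer, and the mix of destinations described in the follow-up, can be tabulated per source host from the firewall's deny log. This is an added example, not code from the thread: the log format, the source addresses, the fourth and fifth log lines and the `LOCAL_SUBNETS` value are constructed assumptions; the first three destinations are the ones quoted in the question.

```python
import ipaddress
import re
from collections import defaultdict

WUDO_PORT = 7680  # the port named in the question
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the site's own subnets; replace with the real ones.
LOCAL_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample lines in a made-up deny-log format.
SAMPLE_LOG = """\
2023-01-11T09:14:02Z DENY TCP src=10.20.4.31:50122 dst=96.49.20.217:7680
2023-01-11T09:14:03Z DENY TCP src=10.20.4.31:50123 dst=172.17.179.1:7680
2023-01-11T09:14:05Z DENY TCP src=10.20.7.12:49877 dst=192.168.137.1:7680
2023-01-11T09:14:09Z DENY TCP src=10.20.7.12:49878 dst=10.20.4.31:7680
2023-01-11T09:14:11Z DENY TCP src=10.20.7.12:49901 dst=203.0.113.9:443
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def classify(dst, local_subnets=LOCAL_SUBNETS):
    """Return 'local', 'private-not-local', 'public' or 'other' for one address."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in local_subnets):
        return "local"
    if any(ip in net for net in RFC1918):
        return "private-not-local"  # RFC 1918, but not one of this site's subnets
    return "public" if ip.is_global else "other"

def triage(log_text, port=WUDO_PORT):
    """Group destinations seen on `port` by source host and address category."""
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != port:
            continue
        try:
            category = classify(m["dst"])
        except ValueError:  # malformed address in the log line
            continue
        report[m["src"]][category].add(m["dst"])
    return {src: {c: sorted(ips) for c, ips in cats.items()} for src, cats in report.items()}

if __name__ == "__main__":
    for src, cats in triage(SAMPLE_LOG).items():
        print(src, cats)
```

A per-host table like this shows which machines generate the port 7680 attempts and whether each destination is a site subnet, a private range the site does not use, or a public address.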