Network Connections - svchost.exe - port 7680 - 1GB


Hi there,

Just finished up re-setting my laptop after a complete wipe from a suspected hack / malicious activity and already I'm seeing unexplained network connectivity and transfers.

Details: Lenovo X1 Carbon - Gen 8 - Windows 10 Pro 19045. All Windows and Lenovo updates and firmware. Running ESET Smart Security Premium.

Whether I'm at home or at the office, I'm noticing unwanted connections coming from 20+ IP addresses. 

From my office, I've had over 3000x attempts and attacks by 7 workstations, 2 phones, and 1 printer, through ports: 137, 138, 7680, 1900, and 5355. I noticed over 1GB of data transfer so far.

From Home, I'm getting similar attacks as well from the above mentioned ports.

Everything is going through masked uses of svchost.exe, spoolsv.exe, jhi_service.exe, msedge.exe. I believe they've manipulated ESET as well, because when I see the IP addresses and I try to right-click one, I can't Deny the connection; it won't allow me to. I can't Deny the service of the file either, as it's greyed out.

My browser also had the Green Border missing earlier this afternoon.

 

I don't believe there's any Malware on the system itself as I didn't click on anything or install anything unwanted or questionable as it's a brand new setup.

I have also been going through this for the last 2 months. This is some sort of script or a really bored individual(s) using Windows exploits to get in.

How do I stop this? What can I do?

 

Thank you,


In addition to the above, this is the 3rd time Windows Update has notified me that 22H2 update is available and ready to be installed. I've done this twice already. WTH is going on here!?


14 hours ago, Stratego said:

From my office, I've had over 3000x attempts and attacks by 7 workstations, 2 phones, and 1 printer, through ports: 137, 138, 7680, 1900, and 5355. I noticed over 1GB of data transfer so far.

From Home, I'm getting similar attacks as well from the above mentioned ports.

For starters, set your Eset network connection profile to Public. When the network connection is set to Public, it will block any inbound connections from both the Internet and your local subnet to ports 137, 138, 1900, and 5355.

As far as port 7680 goes, it is used for Delivery Optimization for Win 10 updating: https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq . Refer to the screenshot below. If you haven't disabled the "Allow downloads from other PCs" setting, your PC is basically being used as part of a Microsoft botnet for updating of its software. This will also account for the high volume of Internet network traffic you are observing. Also, allowing this network traffic is a potential security risk.

[Screenshot: Delivery Optimization settings]

Edited by itman
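
An added example, not part of any post in this thread: it groups an inbound connection log by local port, labels each port discussed above with the Windows service that normally uses it, and separates peers on the local subnet from off-subnet peers. The log format, the sample lines, and the 192.168.1.0/24 subnet are constructed assumptions and do not reflect ESET's own log format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Ports named in the thread and the service normally behind each one.
KNOWN_PORTS = {
    137: "NetBIOS Name Service",
    138: "NetBIOS Datagram Service",
    1900: "SSDP (UPnP discovery)",
    5355: "LLMNR (link-local name resolution)",
    7680: "Delivery Optimization (Windows Update peer sharing)",
}

# Constructed sample: time, direction, protocol, remote IP, local port, bytes.
SAMPLE_LOG = """\
09:00:01,in,udp,192.168.1.23,137,92
09:00:02,in,udp,192.168.1.23,138,201
09:00:05,in,udp,192.168.1.40,1900,310
09:00:07,in,udp,192.168.1.51,5355,75
09:01:10,in,tcp,192.168.1.23,7680,52428800
09:02:30,in,tcp,203.0.113.9,7680,10485760
09:03:00,in,tcp,198.51.100.4,4444,120
"""

def summarize(log_text, local_net="192.168.1.0/24"):
    """Group inbound connections by local port; split peers into LAN and off-LAN."""
    net = ipaddress.ip_network(local_net)  # assumed local subnet
    out = defaultdict(lambda: {"service": None, "lan_peers": set(),
                               "remote_peers": set(), "bytes": 0})
    for _time, direction, _proto, remote, port, size in csv.reader(io.StringIO(log_text)):
        if direction != "in":
            continue
        entry = out[int(port)]
        entry["service"] = KNOWN_PORTS.get(int(port), "unrecognized: investigate")
        peers = "lan_peers" if ipaddress.ip_address(remote) in net else "remote_peers"
        entry[peers].add(remote)
        entry["bytes"] += int(size)
    return dict(out)

if __name__ == "__main__":
    for port, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{port:>5}  {e['service']:<52} LAN={len(e['lan_peers'])} "
              f"off-LAN={len(e['remote_peers'])} bytes={e['bytes']}")
```

In the constructed data the byte volume sits almost entirely on port 7680, which is the pattern to expect when Delivery Optimization peer sharing is enabled.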

15 hours ago, Stratego said:

In addition to the above, this is the 3rd time Windows Update has notified me that 22H2 update is available and ready to be installed. I've done this twice already. WTH is going on here!?

Appears to be a Windows Update issue. Refer to this posting: https://answers.microsoft.com/en-us/windows/forum/all/windows-10-22h2-repeatedly-updates-despite-the/edaef2f5-ffa0-488b-8b6a-385d751569ce .
