Even I have a similar question.
The machines were updated with six Chinese IPs, which belonged to China Unicom China169 Backbone and Shenzhen Tencent Computer Systems Company Limited. However, the domains resolved to various names when I did an IP lookup.
I even checked in AbuseIPDB, but there were no abuse reports there.
Windows update linked to Chinese IP
Dear Team,
For the past few days, I have been facing the following issue with Windows updates on 2 machines.
The machines are connecting to the following site [legitimate, as it seems] for updates: [http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?]
However, I get AV detections that the connections to this site are basically connections to the suspicious IP:
Remote IP 175.4.51.35
Remote Port 80
This IP belongs to China Telecom, as can be viewed in https://whois.domaintools.com/175.4.51.35, and has mixed reputation reviews.
I checked DNS and WSUS. All good.
One of the 2 machines was disconnected from the Internet and still connected to the same HTTP site and Chinese IP.
I cannot really explain this. Your feedback would be appreciated.
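One way to triage an alert like this, as an added example that is not part of the original post: confirm whether the flagged address is what the machine's own resolver returns for ctldl.windowsupdate.com (the name is CDN-fronted, so answers vary by region), identify the process holding the connection, and verify that the downloaded STL cab carries a valid Microsoft Authenticode signature. The hostname, URL path and the IP 175.4.51.35 are taken from the post; the script is assumed to run in an elevated PowerShell session on one of the affected machines.

```powershell
# Added triage script (not from the original post). Values below come from the post.
$HostName  = 'ctldl.windowsupdate.com'
$AlertedIp = '175.4.51.35'
$Url = "http://$HostName/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab"

# 1. What does this machine's resolver currently return for the hostname?
#    Only A records are kept; the CNAME chain is dropped.
$Resolved = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }).IPAddress
"Resolver answers for ${HostName}: $($Resolved -join ', ')"
if ($Resolved -contains $AlertedIp) {
    "Alerted IP matches a current DNS answer (CDN edge); this is consistent with a normal CTL download."
} else {
    "Alerted IP is NOT among the current DNS answers; review the resolver settings and hosts file below."
}

# 2. Which process owns any live connection to the alerted address?
#    Expected owner for CTL downloads is a Windows system process, not an unknown binary.
Get-NetTCPConnection -RemoteAddress $AlertedIp -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort; State = $_.State
            Pid = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path
        }
    } | Format-Table -AutoSize

# 3. Fetch the cab over the same URL and verify its Authenticode signature.
#    A valid signature chained to Microsoft means the content is genuine regardless of which edge served it.
$Cab = Join-Path $env:TEMP 'disallowedcertstl.cab'
Invoke-WebRequest -Uri $Url -OutFile $Cab -UseBasicParsing
$Sig = Get-AuthenticodeSignature -FilePath $Cab
"Signature status: $($Sig.Status); signer: $($Sig.SignerCertificate.Subject)"

# 4. Look for local tampering that could redirect the name: hosts file entries and
#    unexpected DNS servers on any interface.
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Select-String -Pattern 'windowsupdate'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
```

If step 1 matches and step 3 reports a valid Microsoft signature, the alert is a geolocation-based reputation hit on a CDN edge rather than evidence of compromise; a mismatch in step 1 or an unsigned cab is what warrants deeper investigation.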
Peter yavi
2024-02-08T11:13:04.9166667+00:00