I am experiencing some possibly suspicious activity. I am using Syncthing via SyncTrayzor (SyncTrayzor 1.1.29) and just updated this evening.
The gist of the issue is that Malwarebytes is alerting that Syncthing.exe is trying to connect to IP addresses that are reportedly compromised. With the syncthing.exe that was bundled with SyncTrayzor 1.1.28, the IP address was 18.104.22.168:22000 in the inbound direction. This IP address has an nginx daemon running on port 80, but it is the default placeholder page.
After upgrading to SyncTrayzor 1.1.29 (current version), another IP address that syncthing.exe is trying to connect to triggered another alert (22.214.171.124:22072 in the outbound direction). That second IP doesn’t seem to have an nginx daemon like the first IP address.
Please tell me that these are benign heartbeat signals to calm my fears, or did I stumble onto something serious? Each of the IP addresses is allocated to cloud providers that I’ve never heard of…