ESET update and Suspicious HTTP post data


altangerel

Hi all,

Where does the ESET RA server download virus signature updates from? Our server tries to connect to the tsm02.eset.com domain (91.228.166.143, 91.228.166.11) over HTTP, but Snort identifies these connections as a malware-cnc RAT update. We tried to investigate the cause of that problem, and found some suspicious things in the HTTP POST data. There is a possible bot update command: hxxp://fast.onoodor.com:443/update?id=ff64a2f9 in the POST data. Does anyone know about this?

Regards,

Altangerel

  • 3 weeks later...
  • ESET Moderators

Hello Altangerel,

Please see this KB article: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN332+

To submit suspicious files and anonymous statistical information to ESET's Threat Lab (ThreatSense.net):

  • tsm00.eset.com - tsm08.eset.com
  • ts.eset.com

So that is why your ERA is connecting to the tsm02.eset.com domain.

Do you have any further questions regarding this?

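Added example, not part of the original posts and not ESET code: a Python check an analyst could run over IDS alert records to see whether the destination exactly matches one of the hostnames in the moderator's list, while pulling any URL out of the POST data for separate review. The alert dict format and the sample records are constructed; the hostnames and the quoted URL come from the thread.

```python
import re

# Hostnames from the moderator's reply: tsm00.eset.com - tsm08.eset.com and ts.eset.com.
_ESET_SUBMISSION_HOST = re.compile(r"(?:tsm0[0-8]|ts)\.eset\.com")
# URLs inside a request body, written normally or defanged as hxxp.
_EMBEDDED_URL = re.compile(r"\bh(?:tt|xx)ps?://[^\s\"'<>]+", re.IGNORECASE)


def normalize_host(host):
    """Lower-case, drop an optional :port and the trailing dot of an FQDN."""
    host = host.strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def is_listed_submission_host(host):
    """True only on an exact match; lookalikes such as tsm02.eset.com.example.net fail."""
    return _ESET_SUBMISSION_HOST.fullmatch(normalize_host(host)) is not None


def triage(alert):
    """Classify one alert dict (hypothetical format with 'host' and 'post_data' keys)."""
    host = normalize_host(alert.get("host", ""))
    listed = is_listed_submission_host(host)
    return {
        "host": host,
        "destination": "listed-eset-submission-host" if listed else "not-listed",
        # Embedded URLs are reported either way so an analyst can review them.
        "embedded_urls": _EMBEDDED_URL.findall(alert.get("post_data", "")),
    }


# Constructed sample alerts; only the first host and its URL appear in the thread.
SAMPLE_ALERTS = [
    {"host": "tsm02.eset.com",
     "post_data": "cmd=hxxp://fast.onoodor.com:443/update?id=ff64a2f9 len=48"},
    {"host": "TSM08.ESET.COM.", "post_data": ""},
    {"host": "tsm09.eset.com", "post_data": ""},
    {"host": "tsm02.eset.com.example.net", "post_data": ""},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(triage(alert))
```

A "listed" result only says the destination is one of the documented hostnames; any URL found in the POST data still needs its own review.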

This topic is now closed to further replies.