I found that from many of our computers there are frequent requests to
http://<some ip address>/_ServerStatus
and afterwards usually one request to
http://<one of the ip addresses above>/config/server
The request to /config/server returns a text file with the following content:
eu01.nimbus.bitdefender.net
eu02.nimbus.bitdefender.net
east01.us.nimbus.bitdefender.net
b01.hq.nimbus.bitdefender.net
b02.hq.nimbus.bitdefender.net
ep1.west-us.nimbus.bitdefender.net
tokyolb01-1969621043.ap-northeast-1.elb.amazonaws.com
which corresponds to the IP addresses that were originally accessed:
184.173.143.53 east01.us.nimbus.bitdefender.net
195.210.4.16 b02.hq.nimbus.bitdefender.net
195.210.4.200 b01.hq.nimbus.bitdefender.net
50.23.91.250 ep1.west-us.nimbus.bitdefender.net
54.249.8.176 tokyolb01-1969621043.ap-northeast-1.elb.amazonaws.com
87.98.141.228 eu01.nimbus.bitdefender.net
87.98.182.19 eu02.nimbus.bitdefender.net
So, this seems to be the doing of BitDefender rather than that of some malicious piece of software.
Is this documented somewhere? Should I have been able to find it easily rather than wasting 3 hours trying to find some malware that does it?
And why is BitDefender accessing IP addresses directly rather than names? And what is the purpose of these requests?
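One way to triage this pattern from proxy logs, as an added example that is not part of the original question and not BitDefender's own tooling: it pulls out requests to /_ServerStatus and /config/server, maps each destination IP to a hostname using the resolution table quoted in the question, checks the hostname against the list that /config/server returned, and reports per-source counts plus any destination that is not on that list (the only part that would still merit a malware hunt). The log line format (`<source> <method> <url>`) and the sample log lines are constructed for the example; the IP-to-hostname table and the /config/server body are the ones shown above.

```python
"""Triage helper for the /_ServerStatus and /config/server request pattern.

Steps, in order:
  1. parse proxy log lines (constructed format: "<src> <method> <url>"),
  2. keep only requests whose path is /_ServerStatus or /config/server,
  3. map the destination IP to a hostname with the resolution table
     observed in the question,
  4. accept the request if that hostname appears in the /config/server
     body, otherwise record it as unknown for a closer look.
"""
import re
from collections import Counter, defaultdict

# IP -> hostname table as quoted in the question (observed resolutions).
OBSERVED_RESOLUTION = {
    "184.173.143.53": "east01.us.nimbus.bitdefender.net",
    "195.210.4.16": "b02.hq.nimbus.bitdefender.net",
    "195.210.4.200": "b01.hq.nimbus.bitdefender.net",
    "50.23.91.250": "ep1.west-us.nimbus.bitdefender.net",
    "54.249.8.176": "tokyolb01-1969621043.ap-northeast-1.elb.amazonaws.com",
    "87.98.141.228": "eu01.nimbus.bitdefender.net",
    "87.98.182.19": "eu02.nimbus.bitdefender.net",
}

# Body returned by /config/server, as quoted in the question.
CONFIG_SERVER_BODY = """\
eu01.nimbus.bitdefender.net
eu02.nimbus.bitdefender.net
east01.us.nimbus.bitdefender.net
b01.hq.nimbus.bitdefender.net
b02.hq.nimbus.bitdefender.net
ep1.west-us.nimbus.bitdefender.net
tokyolb01-1969621043.ap-northeast-1.elb.amazonaws.com
"""

# Constructed sample proxy log lines (not real traffic). 203.0.113.7 is a
# documentation-range address standing in for a destination that is NOT in
# the /config/server list; it is what the triage should flag.
SAMPLE_LOG = """\
10.0.0.11 GET http://87.98.141.228/_ServerStatus
10.0.0.11 GET http://195.210.4.200/_ServerStatus
10.0.0.11 GET http://195.210.4.200/config/server
10.0.0.12 GET http://54.249.8.176/_ServerStatus
10.0.0.12 GET http://203.0.113.7/_ServerStatus
10.0.0.12 GET http://203.0.113.7/config/server
10.0.0.13 GET http://example.invalid/index.html
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+http://(?P<dst>[^/\s]+)(?P<path>/\S*)$"
)
NIMBUS_PATHS = {"/_ServerStatus", "/config/server"}


def parse_config_server(body):
    """Return the set of hostnames listed in a /config/server response body."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def resolution_matches_config(resolution=OBSERVED_RESOLUTION, body=CONFIG_SERVER_BODY):
    """Hostnames in the resolution table that the /config/server body does not
    list. An empty set means the two sources agree, as they do in the question."""
    return set(resolution.values()) - parse_config_server(body)


def triage(log_text, resolution=OBSERVED_RESOLUTION, body=CONFIG_SERVER_BODY):
    """Classify Nimbus-style requests in log_text.

    Returns {"per_source": {src: {path: count}}, "unknown": [(src, dst, path)]}.
    Requests to other paths are ignored; requests whose destination does not
    resolve to a listed hostname land in "unknown".
    """
    known_hosts = parse_config_server(body)
    per_source = defaultdict(Counter)
    unknown = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] not in NIMBUS_PATHS:
            continue
        src, dst, path = m["src"], m["dst"], m["path"]
        if resolution.get(dst) in known_hosts:
            per_source[src][path] += 1
        else:
            unknown.append((src, dst, path))
    return {
        "per_source": {src: dict(counts) for src, counts in per_source.items()},
        "unknown": unknown,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for src, counts in sorted(report["per_source"].items()):
        print(f"{src}: {counts}")
    for src, dst, path in report["unknown"]:
        print(f"UNKNOWN destination: {src} -> {dst}{path}")
    print("hosts missing from /config/server:", resolution_matches_config() or "none")
```

In a real deployment the resolution table would come from the proxy's own logging of the requested Host header or from passive DNS, not from a hand-typed dictionary; the point of the script is the reconciliation step, which turns "lots of machines talk to bare IPs" into "all of them talk to hosts the vendor's own config file names, except these".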