
I'm running the Exchange server exploit checks recommended by Microsoft here: [MS Security Response Center - OnPremise Exchange Server Vulnerabilities Resource Center - updated March 16, 2021] Security Scripts

I installed the latest patches and then ran the Exploit checks EOMT.ps1 and Test-ProxyLogon.ps1.

The Exchange log files scan for IOC came back with Suspicious activity found in Http Proxy log! with AnchorMailbox stuff like this (actual servername replaced with THISSERVER for anonymity):

AnchorMailbox       : ServerInfo~a]@THISSERVERAppS.THISSERVER.local:444/autodiscover/autodiscover.xml?#
AnchorMailbox       : ServerInfo~a]@THISSERVERAPPS/autodiscover/autodiscover.xml#
AnchorMailbox       : ServerInfo~localhost/owa/auth/logon.aspx?
AnchorMailbox       : ServerInfo~8gmqsf.dnslog.cn/owa/auth/logon.aspx?
AnchorMailbox       : ServerInfo~THISSERVERAPPS/EWS/Exchange.asmx?a=
AnchorMailbox       : ServerInfo~THISSERVERAppS.THISSERVER.local/EWS/Exchange.asmx?a=
AnchorMailbox       : ServerInfo~THISSERVERAPPS/autodiscover/autodiscover.xml?a=
AnchorMailbox       : ServerInfo~Administrator@THISSERVERAPPS:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c4671
AnchorMailbox       : ServerInfo~Administrator@THISSERVERAPPS:444/ecp/proxyLogon.ecp?a=
AnchorMailbox       : ServerInfo~Admin@THISSERVERAPPS:444/mapi/emsmdb?MailboxId=e21c6801-85e9-4f90-98ca-df928510591a@mo
AnchorMailbox       : ServerInfo~Admin@THISSERVERAPPS:444/ecp/proxyLogon.ecp?a=
AnchorMailbox       : ServerInfo~Admin@THISSERVERAPPS:444/ecp/about.aspx?a=
AnchorMailbox       : ServerInfo~Admin@THISSERVERAPPS:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&m
AnchorMailbox       : ServerInfo~localhost/ecp/default.flt?
AnchorMailbox       : ServerInfo~8gmqsf.dnslog.cn/ecp/default.flt?
AnchorMailbox       : ServerInfo~somethingnonexistent/ecp/default.flt?

and dodgy-looking UserAgent entries like "Mozilla hehe", amongst others.

I can't see the URL Stems in the virtual directories reported by the scan:

/ecp/default.flt
/ecp/temp.js
/ecp/xxx.js
/ecp/s36y.js
/ecp/ssrf.js
/ecp/043l.js
/ecp/hk9o.js
/owa/auth/x.js

I'm running the latest MSERT (1.333.600.0) right now. Started about 35 mins ago and still only 25% done. It's found 1 infected file so far. I'm hoping it can clear things up. Not sure what else I can do at this stage?

cb2791
    Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Ginnungagap Mar 17 '21 at 06:57
  • Any news on this? I have the exact same scenario but I can't find anything about this online and no indication of invasion. – Salsa Mar 26 '21 at 16:42
  • Not sure if it helps, but it seems a probing script hit your server: https://github.com/Mr-xn/CVE-2021-26855-d/blob/master/owamails.py – Salsa Mar 26 '21 at 20:33
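
The log entries above can be triaged offline without re-running the Microsoft scripts. The following is an added example, not code from the question or from Microsoft's EOMT.ps1/Test-ProxyLogon.ps1; it parses the HttpProxy log layout (a `#Fields:` directive followed by CSV rows) and flags the same `AnchorMailbox` pattern that Test-ProxyLogon.ps1 keys on (`ServerInfo~…/…`), the non-existent ECP/OWA URL stems listed in the question, and `ServerInfo~` targets that are not one of your own Exchange servers (localhost, a DNS-callback domain such as the dnslog.cn host in the log, or a made-up name), then groups the hits by client IP. The sample log is constructed with a reduced field set, and `KNOWN_EXCHANGE_HOSTS` is an assumed allowlist that you would replace with your own server names:

```python
"""Offline triage of Exchange HttpProxy log rows for the ProxyLogon indicators above."""
import csv
import re
from collections import defaultdict

# ASSUMPTION: hostnames of your own Exchange servers (lower-case). A ServerInfo~
# anchor pointing anywhere else deserves a closer look.
KNOWN_EXCHANGE_HOSTS = {"thisserverapps", "thisserverapps.thisserver.local"}

# AnchorMailbox shape Test-ProxyLogon keys on: ServerInfo~[user@]host[:port]/path...
SERVERINFO_RE = re.compile(r"^ServerInfo~(?:[^@/]*@)?([^/:?#]+)(?::\d+)?(/[^?#]*)?", re.I)

# URL stems from the question that do not exist in the ECP/OWA virtual directories.
SUSPICIOUS_STEM_RE = re.compile(
    r"^/(?:ecp/[^/]+\.js|ecp/default\.flt|owa/auth/[^/]+\.js)$", re.I)

# Constructed sample, modelled on the HttpProxy log layout ('#' directive lines,
# then CSV rows) with a reduced field set. Rows are fabricated for this example;
# the AnchorMailbox/UrlStem values mirror those quoted in the question.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlHost,UrlStem,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
2021-03-10T02:11:03.123Z,mail.thisserver.local,/autodiscover/autodiscover.xml,ServerInfo~8gmqsf.dnslog.cn/owa/auth/logon.aspx?,Mozilla hehe,203.0.113.7,200
2021-03-10T02:11:05.456Z,mail.thisserver.local,/ecp/default.flt,ServerInfo~localhost/ecp/default.flt?,Mozilla hehe,203.0.113.7,200
2021-03-10T02:11:09.789Z,mail.thisserver.local,/ecp/ssrf.js,ServerInfo~Admin@THISSERVERAPPS:444/ecp/proxyLogon.ecp?a=,python-requests/2.25.1,203.0.113.7,200
2021-03-10T02:12:00.000Z,mail.thisserver.local,/owa/auth/x.js,ServerInfo~THISSERVERAPPS/EWS/Exchange.asmx?a=,Mozilla/5.0,198.51.100.9,200
2021-03-10T02:13:00.000Z,mail.thisserver.local,/owa/,Smtp~alice@thisserver.local,Mozilla/5.0 (Windows NT 10.0) Outlook,192.0.2.20,200
2021-03-10T02:14:00.000Z,mail.thisserver.local,/mapi/emsmdb,Sid~S-1-5-21-1-2-3-1104,Microsoft Office/16.0,192.0.2.21,200
"""


def parse_httpproxy_log(text):
    """Turn '#Fields:' + CSV rows into a list of dicts keyed by field name."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("CSV row encountered before a #Fields header")
        rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def classify(row):
    """Return indicator tags for one row; an empty list means nothing matched."""
    tags = []
    m = SERVERINFO_RE.match(row.get("AnchorMailbox", ""))
    if m:
        tags.append("serverinfo-anchor")
        host = m.group(1).lower()
        if host not in KNOWN_EXCHANGE_HOSTS:
            tags.append(f"anchor-host-not-ours:{host}")
    if SUSPICIOUS_STEM_RE.match(row.get("UrlStem", "")):
        tags.append("suspicious-urlstem")
    return tags


def scan(text):
    """Parse a log and keep only the rows that carry at least one indicator."""
    hits = []
    for row in parse_httpproxy_log(text):
        tags = classify(row)
        if tags:
            hits.append({"time": row["DateTime"], "ip": row["ClientIpAddress"],
                         "stem": row["UrlStem"], "anchor": row["AnchorMailbox"],
                         "ua": row["UserAgent"], "tags": tags})
    return hits


def hits_by_client_ip(hits):
    """Group hits by source address so each probing host can be reviewed together."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h["ip"]].append(h)
    return dict(grouped)


if __name__ == "__main__":
    for ip, rows in hits_by_client_ip(scan(SAMPLE_LOG)).items():
        print(f"{ip}: {len(rows)} suspicious request(s)")
        for h in rows:
            print(f"  {h['time']} {h['stem']:<32} {h['anchor']}  [{', '.join(h['tags'])}]")
```

To run it against real data, read each `HttpProxy\*.log` file under the Exchange `Logging` directory into `scan()`; the parser takes its column names from the file's own `#Fields:` line, so the full field set is handled without changes. Rows that reach `hits_by_client_ip()` give you the source addresses and timestamps to carry into the firewall, IIS and Windows event logs when looking for what happened next.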

1 Answer


Unfortunately, this is a bit late to patch, as these vulnerabilities have been exploited since January 2021 and mass-exploited starting March 3, 2021 (according to ESET WeLiveSecurity and Bleeping Computer).

At this point you would probably have been compromised even if tools like MSERT don't find anything, as, e.g., the initially installed web shells may have been removed during the next phase of an attack. Therefore, you might need to focus on some additional things, like:

  • Finding evidence of lateral movement and removing possibly gained persistence.
  • Installing clean Exchange servers and migrating the data to them.
  • Treating all the data in the mailboxes as potentially leaked.

General tips can be found on our canonical question: How do I deal with a compromised server?

Esa Jokinen
  • Oh dear. I see. Yes the MS scripts didn't find anything else except for the suspicious entries in the http proxy log. The full MSERT scan took hours and whilst it reported one infected item during the scan, upon completion it said there was nothing which is a bit odd. – cb2791 Mar 17 '21 at 09:26