
We host Exchange on premises (Exchange 2013). Following MS's guides and guidelines, we believe that we were compromised by the Exchange zero-day hack. We did find some .aspx files that did not appear to be from us in our inetpub directory. From the article listed, we followed this to find these aspx files:

To determine possible webshell activity, administrators should search for aspx files in the following paths:

  • \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
  • <exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
  • <exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
  • <exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any aspx file in this folder or subfolders)
  • <exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any aspx file in this folder or subfolders)

We patched the server immediately and ran the MSERT tool that Microsoft released across all of our servers. We also took some additional security precautions, like blocking the IP ranges listed in the article above on our firewall, as mentioned in the article:

Volexity has seen attackers leverage the following IP addresses. Although these are tied to virtual private servers (VPSs) and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly:

  • 103.77.192[.]219
  • 104.140.114[.]110
  • 104.250.191[.]110
  • 108.61.246[.]56
  • 149.28.14[.]163
  • 157.230.221[.]198
  • 167.99.168[.]251
  • 185.250.151[.]72
  • 192.81.208[.]169
  • 203.160.69[.]66
  • 211.56.98[.]146
  • 5.254.43[.]18
  • 5.2.69[.]14
  • 80.92.205[.]81
  • 91.192.103[.]43

All other servers were scanned and we are also using a tool called SentinelOne on all of our servers.

I'm not a network administrator, but I wanted to know if it is required to change our administrator password.

What is the probability that an attacker could somehow get this password?

JonH
  • 137
  • 1
  • 10
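The two checks the question describes (looking for unexpected .aspx files in the listed folders, and looking for the listed indicator IPs) can be scripted so they are repeatable and produce a record for the incident file. The following PowerShell is an added example written for this answer page; it is not code from the question, from Microsoft, Volexity or CISA. It assumes it runs in an elevated PowerShell session on the Exchange server itself, that the `ExchangeInstallPath` environment variable set by the Exchange installer is present (the hard-coded fallback path is a guess), and that IIS logs are under the default `inetpub\logs\LogFiles` location. The function names `Find-SuspiciousAspx` and `Find-IndicatorIPs` are this example's own.

```powershell
# Added example for the question above; not the poster's code or a vendor tool.
# Assumptions: elevated session on the Exchange 2013 server; $env:ExchangeInstallPath
# is set by the Exchange installer (fallback below is a guess); IIS logs are in the
# default location. Function names are this example's own.

$ExchangePath = $env:ExchangeInstallPath
if (-not $ExchangePath) { $ExchangePath = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

function Find-SuspiciousAspx {
    param([string]$InstallPath = $ExchangePath)

    # Folders from the guidance quoted in the question, with the file names a standard
    # install is expected to contain. Empty Allow list: any .aspx there is suspect.
    # $null Allow list: the guidance gives no fixed list, so every hit is reported for review.
    $checks = @(
        @{ Path = (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client'); Allow = @() },
        @{ Path = (Join-Path $InstallPath 'FrontEnd\HttpProxy\ecp\auth');       Allow = @('TimeoutLogoff.aspx') },
        @{ Path = (Join-Path $InstallPath 'FrontEnd\HttpProxy\owa\auth');       Allow = $null }
    )

    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { continue }
        Get-ChildItem -Path $c.Path -Recurse -Filter *.aspx -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $reason = $null
                if ($null -eq $c.Allow) {
                    # owa\auth: the Current\ and <version>\ subfolders should hold no .aspx at all;
                    # files directly in owa\auth are legitimate only if part of the standard install.
                    if ($_.DirectoryName -ne $c.Path) { $reason = 'aspx under owa\auth subfolder' }
                    else { $reason = 'aspx in owa\auth root: compare against a known-good install' }
                } elseif ($c.Allow -notcontains $_.Name) {
                    $reason = 'aspx not expected in this folder'
                }
                if ($reason) {
                    # Hash and timestamp go into the record so the files can be compared
                    # across servers and submitted for analysis without copying them around.
                    [pscustomobject]@{
                        Path          = $_.FullName
                        LastWriteTime = $_.LastWriteTime
                        SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                        Reason        = $reason
                    }
                }
            }
    }
}

function Find-IndicatorIPs {
    param([string]$LogRoot = (Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'))

    # The indicator addresses exactly as defanged in the question; re-fang them for
    # matching and escape the dots so '.' is not treated as a regex wildcard.
    $indicators = @('103.77.192[.]219','104.140.114[.]110','104.250.191[.]110','108.61.246[.]56',
                    '149.28.14[.]163','157.230.221[.]198','167.99.168[.]251','185.250.151[.]72',
                    '192.81.208[.]169','203.160.69[.]66','211.56.98[.]146','5.254.43[.]18',
                    '5.2.69[.]14','80.92.205[.]81','91.192.103[.]43')
    $pattern = ($indicators | ForEach-Object { [regex]::Escape(($_ -replace '\[\.\]', '.')) }) -join '|'
    # Boundaries keep 5.2.69.14 from matching inside an unrelated address such as 15.2.69.140.
    $pattern = "(?<![\d.])($pattern)(?![\d.])"

    Get-ChildItem -Path $LogRoot -Recurse -Filter *.log -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Entry = $_.Line.Trim() }
        }
}

# Usage: run both checks and keep the output with the incident record.
Find-SuspiciousAspx | Format-Table -AutoSize
Find-IndicatorIPs   | Format-Table -AutoSize
```

A hit from either function is a lead, not a verdict: an unexpected .aspx should be compared against a known-clean Exchange install of the same CU before it is treated as a webshell, and an IIS log line containing one of the addresses shows that the address reached the server, which is worth correlating with the file timestamps above. Both outputs pipe to `Export-Csv` if a file is wanted for the record.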

1 Answer

1

Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network.

This is an excerpt from your link https://us-cert.cisa.gov/ncas/alerts/aa21-062a and given this I cannot think of a reason to not change administrator passwords as a minimum and immediately. As it says, credentials were potentially jeopardized and if these belonged to a domain admin (and not local admin on the exchange box) this could lead to compromise of the entire domain.

I am not a lawyer, but I do of course advise following whatever legislation and company processes are set in place for a potential breach.

anotherusername
  • 320
  • 1
  • 6