So recently Microsoft published this document: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
They mention a web shell called errorEE.aspx and when I checked my exchange auth folder I found this file there with date modified showing as 4/252018 but I am 100% sure this file is not supposed to exist in this folder and it was not there before.
So now if this is a web shell what am I supposed to do and how to proceed. BTW McAfee also removed a trojan from the same folder a few days ago.
this is the directory(also mentioned in Microsoft document): Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
I also found this script: https://github.com/microsoft/CSS-Exchange/tree/main/Security
Would it be safe to run it on my office server ?