
So recently Microsoft published this document: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

They mention a web shell called errorEE.aspx, and when I checked my Exchange auth folder I found this file there with the modified date showing as 4/25/2018, but I am 100% sure this file is not supposed to exist in this folder and it was not there before.

So now, if this is a web shell, what am I supposed to do and how do I proceed? BTW, McAfee also removed a trojan from the same folder a few days ago.

This is the directory (also mentioned in the Microsoft document): Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

I also found this script: https://github.com/microsoft/CSS-Exchange/tree/main/Security

Would it be safe to run it on my office server?

David Kent
  • Yes, you should run that script to detect potential HAFNIUM compromise. If the script returns any results then your server has most likely been compromised. Then run the Microsoft Safety Scanner - https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download – joeqwerty Mar 07 '21 at 16:15
  • I ran it and there were some zip files, but all in my antivirus folders, so I guess that's not an issue. But this file has been clearly mentioned as a web shell, so how do I proceed... do I just open the aspx file in Notepad? – David Kent Mar 08 '21 at 04:16
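One way to triage the file before anything deletes or quarantines it, as an added example that is not part of the question, the answer, or Microsoft's CSS-Exchange scripts. It is PowerShell to run from an elevated prompt on the Exchange server; the evidence folder C:\IR\evidence and the W3SVC1 IIS log folder are assumptions you may need to adjust. It never executes the .aspx file: it reads it as text, hashes it, shows both NTFS timestamps, copies it aside as .txt, and searches the IIS logs for requests to it, which is the part that tells you whether the shell was actually used.

```powershell
# Added example, not code from the question, the answer or Microsoft's
# CSS-Exchange scripts. Read-only triage of the Exchange FrontEnd auth folder:
# reads .aspx files as text (never executes them), hashes them, shows both
# NTFS timestamps, copies the suspect file aside, and greps IIS logs for
# requests to it. Run in an elevated PowerShell prompt on the Exchange server.

param(
    # Folder named in the question, on a default Exchange 2013-2019 install.
    [string]$AuthDir     = 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth',
    # File named in the Microsoft blog and found by the asker.
    [string]$SuspectName = 'errorEE.aspx',
    # Default IIS W3C log folder for site id 1 (the Exchange front-end site).
    # Check Get-Website (WebAdministration module) if your site id differs.
    [string]$IisLogDir   = "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1",
    # Assumed evidence destination; use a location outside the Exchange install.
    [string]$EvidenceDir = 'C:\IR\evidence'
)

# Generic ASP.NET web-shell traits chosen for this example (an assumption, not
# Microsoft's published indicators). A hit means "read this file", not "confirmed".
$ShellPatterns = @(
    'Request\s*\[',             # reads attacker-controlled parameters
    'System\.Diagnostics',      # Process / ProcessStartInfo for command execution
    'Process\.Start',
    'cmd\.exe',
    'powershell',
    'eval\s*\(',
    'Convert\.FromBase64String' # encoded second stage
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Inventory: every .aspx in the folder with hash, size, both timestamps and
#    heuristic hits. LastWriteTime and CreationTime both come from the NTFS
#    $STANDARD_INFORMATION attribute, which timestomping tools can rewrite, so a
#    backdated LastWriteTime (like the 2018 date in the question) next to a
#    recent IIS log entry is itself suspicious. $FILE_NAME timestamps need a
#    forensic parser and are out of scope here.
Write-Host "== .aspx files in $AuthDir =="
Get-ChildItem -LiteralPath $AuthDir -Filter '*.aspx' -File | ForEach-Object {
    $text = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
    $hits = $ShellPatterns | Where-Object { $text -match $_ }
    [pscustomobject]@{
        Name          = $_.Name
        Bytes         = $_.Length
        CreationTime  = $_.CreationTime
        LastWriteTime = $_.LastWriteTime
        SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Indicators    = ($hits -join ', ')
    }
} | Format-Table -AutoSize

# 2. Preserve before anyone (you, McAfee, MSERT) deletes or quarantines it.
#    A .txt copy outside inetpub can be opened in Notepad safely: IIS only
#    compiles .aspx files that sit under a web application root.
$suspect = Join-Path $AuthDir $SuspectName
if (Test-Path -LiteralPath $suspect) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $copy  = Join-Path $EvidenceDir "$SuspectName.$stamp.txt"
    Copy-Item -LiteralPath $suspect -Destination $copy
    Write-Host "`n== copied $suspect to $copy; first 40 lines: =="
    Get-Content -LiteralPath $suspect -TotalCount 40
}

# 3. Usage evidence: a web shell is only useful if someone requests it, and
#    IIS W3C logs record every request (cs-uri-stem, c-ip, cs-method, status).
#    Search all daily logs, not just today's; the file may predate the patch.
Write-Host "`n== IIS log lines referencing /owa/auth/$SuspectName =="
Get-ChildItem -LiteralPath $IisLogDir -Filter 'u_ex*.log' -File -ErrorAction SilentlyContinue |
    Select-String -Pattern ('/owa/auth/' + [regex]::Escape($SuspectName)) |
    Select-Object Filename, LineNumber, Line |
    Format-Table -AutoSize -Wrap
```

Compare the SHA256 against the hashes in the Microsoft blog, and read the log hits for POST requests from external addresses. If the content or the log lines confirm a shell, the file is evidence of a compromised host, not the problem itself: isolate the server, keep the copy and the IIS logs, apply the March 2021 Exchange security update, and rotate credentials the server could reach, rather than only deleting the .aspx.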

1 Answer


According to the latest update to the official MS blog, the Microsoft Support Emergency Response Tool (MSERT) has been updated to scan Microsoft Exchange Server.

You can run the MSERT to scan the Microsoft Exchange Server locations for known indicators from adversaries. For more details, read: https://github.com/microsoft/CSS-Exchange/blob/main/Security/Defender-MSERT-Guidance.md

Microsoft Defender has included security intelligence updates to the latest version of the Microsoft Safety Scanner (MSERT.EXE) to detect and remediate the latest threats known to abuse the Exchange Server vulnerabilities disclosed on March 2, 2021.
...
These remediation steps are effective against known attack patterns but are not guaranteed as complete mitigation for all possible exploitation of these vulnerabilities. Microsoft Defender will continue to monitor and provide the latest security updates.

Yuki Sun