Hi guys,
I found one of my customers with the same situation:
#TYPE Selected.System.Management.Automation.PSCustomObject
"DateTime","AnchorMailbox"
"2021-03-03T05:00:33.539Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/autodiscover/autodiscover.xml?#"
"2021-03-03T05:00:34.007Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/mapi/emsmdb/?#"
"2021-03-03T05:00:34.742Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/proxyLogon.ecp?#"
"2021-03-03T05:00:44.913Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=_HV0lDB_ikOmpsnbVQiNVJaeO5yT39gIITw_5BLa-uTGkojJayHwv8G5xIJlVuvJ85yYqzJPOv8.&schema=OABVirtualDirectory#"
"2021-03-03T05:00:47.162Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=_HV0lDB_ikOmpsnbVQiNVJaeO5yT39gIITw_5BLa-uTGkojJayHwv8G5xIJlVuvJ85yYqzJPOv8.&schema=OABVirtualDirectory#"
"2021-03-03T05:00:47.349Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=_HV0lDB_ikOmpsnbVQiNVJaeO5yT39gIITw_5BLa-uTGkojJayHwv8G5xIJlVuvJ85yYqzJPOv8.&schema=ResetOABVirtualDirectory#"
"2021-03-03T05:00:48.162Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=_HV0lDB_ikOmpsnbVQiNVJaeO5yT39gIITw_5BLa-uTGkojJayHwv8G5xIJlVuvJ85yYqzJPOv8.&schema=OABVirtualDirectory#"
"2021-03-03T07:18:59.052Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/autodiscover/autodiscover.xml?#"
"2021-03-03T07:19:00.145Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/mapi/emsmdb/?#"
"2021-03-03T07:19:02.723Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/proxyLogon.ecp?#"
"2021-03-03T07:19:05.020Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=K4280YIeEEqQDGwcVzoxf4YDLfSm39gI-WBR0LKXv_hbE9VqpYK2K7mnT38YkPy1bgDz8qWg60M.&schema=OABVirtualDirectory#"
"2021-03-03T07:19:06.379Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=K4280YIeEEqQDGwcVzoxf4YDLfSm39gI-WBR0LKXv_hbE9VqpYK2K7mnT38YkPy1bgDz8qWg60M.&schema=OABVirtualDirectory#"
"2021-03-03T07:19:07.301Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=K4280YIeEEqQDGwcVzoxf4YDLfSm39gI-WBR0LKXv_hbE9VqpYK2K7mnT38YkPy1bgDz8qWg60M.&schema=ResetOABVirtualDirectory#"
"2021-03-03T07:19:08.707Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=K4280YIeEEqQDGwcVzoxf4YDLfSm39gI-WBR0LKXv_hbE9VqpYK2K7mnT38YkPy1bgDz8qWg60M.&schema=OABVirtualDirectory#"
"2021-03-04T01:23:11.324Z","ServerInfo~a]@srv-exchange2k16.customername.com:444/autodiscover/autodiscover.xml?#"
In this case I also found a file (discover.aspx) in the wwwroot of the inetpub folder, but Sophos Antivirus deleted it.
OK for putting CU19, but how can I fix the compromised server?
Best regards