Hi,
I have Exchange 2016, upgraded to CU19, then installed patch KB5000871 on 5th March. I thought that was safe.
Yesterday, I ran Test-ProxyLogon.ps1 and it reported some suspicious activity for CVE-2021-26855 and CVE-2021-27065. However, it was all dated (3rd & 4th) prior to the CU update and patch.
Then I ran EOMT.ps1, which reported clean. An MSERT quick scan and then a full scan both confirmed clean. I double-checked the targeted folders (C:\inetpub\wwwroot\aspnet_client as well as the system_web folder, FrontEnd\HttpProxy\owa\auth and ecp\auth); none of the suspicious files were there, except there is one OutlookEN.aspx inside owa\auth. The date created and modified is 19/11/20, exactly the same as the other legit aspx files (logoff, logon, OutlookCN). This file is hidden in Explorer and not visible in cmd. Is this OutlookEN.aspx legit?
But it is listed in https://gist.github.com/JohnHammond/0b4a45cad4f4ed3324939d72dc599883 (list of webshells).
In the Event Log, I can see many attempts by ASP.NET 4.0.30319.0 to execute ecp\j.js (and random.js), which doesn't exist.
Any thoughts?
Thanks in advance.
Hendri