CVE-2021-26855 Exploit Activity found in proxy log reported by running Test-ProxyLogon.ps1


Hi.

After running the ps1 file, possible suspicious activity was mentioned in the HTTP proxy log.

 

An external security company is now looking at the mail server and has said that our domain may have been compromised and that the whole network will have to be taken down and all clients/servers reinstalled? Do you agree with this scenario? I was going to just patch the Exchange server and run the EOMT tool to scan and hopefully fix any changes.

 

1 Reply

Hi @jasonblake7 

 

Have you checked for the presence of any malicious files related to the latest vulnerabilities? Did you run the MSERT scanner on the Exchange server?

In our environment the ProxyLogon script has found loads of "suspicious activity" logs; however, when I trawled through those logs they all seemed to be logins of our support team.

 

Also, the way I understand it - once you've patched your server there's no need to run EOMT. EOMT is a temporary measure you can put in place until you can fully patch the exchange server. Someone please correct me if I'm wrong.

 

I may be a cynic, but to me it sounds like the external company wants to land itself a big project. Get a second opinion from someone else.
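The triage the reply describes, separating ordinary authenticated logins from the CVE-2021-26855 pattern in the HttpProxy logs, as an added example that is not part of the original thread or of Test-ProxyLogon.ps1. The indicator it checks (an empty AuthenticatedUser together with an AnchorMailbox of the form ServerInfo~host/path) is the published one for this CVE; the sample rows are constructed with a reduced set of the real column names, and the log path in Get-ProxyLogonInLogs is the default Exchange 2016/2019 install location, an assumption you should adjust for your server.

```powershell
# Added example (not from the thread): flag CVE-2021-26855 SSRF indicators in
# HttpProxy log rows and show why authenticated rows are not the same thing.

function Test-ProxyLogonRow {
    param([Parameter(Mandatory)] $Row)
    # An unauthenticated request whose AnchorMailbox names a backend host/path
    # instead of a mailbox is the shape CVE-2021-26855 exploitation leaves behind.
    return ([string]::IsNullOrWhiteSpace($Row.AuthenticatedUser) -and
            $Row.AnchorMailbox -like 'ServerInfo~*/*')
}

function Get-ProxyLogonHits {
    param([Parameter(Mandatory)] [object[]] $Rows)
    $Rows | Where-Object { Test-ProxyLogonRow $_ } |
        Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, HttpStatus
}

function Get-ProxyLogonInLogs {
    # Assumed default log location for a real server; change it if Exchange
    # is installed elsewhere.
    param([string] $LogRoot = "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy")
    $files = Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -ErrorAction Stop
    # Import-Csv skips '#' comment lines and takes the '#Fields:' line as the
    # header, which is what the real HttpProxy logs rely on.
    Get-ProxyLogonHits -Rows ($files | ForEach-Object { Import-Csv -Path $_.FullName })
}

# Constructed sample rows (not real log data). Rows 1, 2 and 4 are normal
# authenticated traffic, the "support team logins" kind of hit; row 3 is
# unauthenticated and carries a ServerInfo~ anchor pointing at a backend path.
$sampleLog = @'
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T10:15:01.123Z,10.0.5.21,/owa/,CONTOSO\helpdesk1,Sid~S-1-5-21-1111-2222-3333-1104,200
2021-03-03T10:15:07.456Z,10.0.5.22,/ecp/,CONTOSO\helpdesk2,Sid~S-1-5-21-1111-2222-3333-1105,200
2021-03-03T10:16:42.789Z,203.0.113.45,/owa/auth/x.js,,ServerInfo~exch01.contoso.local/autodiscover/autodiscover.xml,200
2021-03-03T10:17:03.000Z,10.0.5.30,/mapi/emsmdb/,CONTOSO\user7,Sid~S-1-5-21-1111-2222-3333-1200,200
'@

$rows = $sampleLog | ConvertFrom-Csv
$hits = Get-ProxyLogonHits -Rows $rows
"{0} of {1} rows match the CVE-2021-26855 indicator" -f @($hits).Count, $rows.Count
$hits | Format-Table -AutoSize

# Triage view: rows grouped by AuthenticatedUser. Named users are the logins a
# support team would expect to see; only the blank-user ServerInfo~ rows above
# need escalation to incident response.
$rows | Group-Object AuthenticatedUser | Select-Object Name, Count | Format-Table -AutoSize
```

On the constructed sample only the third row is reported. Against a real server, call Get-ProxyLogonInLogs and review every hit by source address and backend path before treating it as confirmed exploitation; a matching row shows the SSRF request reached the proxy, not by itself that a web shell was written.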