Mar 08 2021 01:10 PM
Exchange 2016 fully patched.
Saw a few errors in Application log.
Source: MSExchange Front End HTTP Proxy
[Owa] An internal server error occurred. The unhandled exception was: System.ArgumentException: Invalid input value
Parameter name: input
at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input)
at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox()
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0()
at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate)
Source: ASP.NET 4.0.30319.0
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 3/8/2021 5:33:57 AM
Event time (UTC): 3/8/2021 1:33:57 PM
Event ID: 049c535e9be849829a634bccfc74e4ea
Event sequence: 5
Event occurrence: 4
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/owa-1-132593003067932026
Trust level: Full
Application Virtual Path: /owa
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\
Machine name: EXCH
Process information:
Process ID: 12956
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: ArgumentException
Exception message: Invalid input value
Parameter name: input
at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input)
at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox()
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0()
at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method)
Request information:
Request URL: https://public_ip:443/owa/auth/x.js
Request path: /owa/auth/x.js
User host address: 35.244.82.13
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
Thread information:
Thread ID: 7
Thread account name: NT AUTHORITY\SYSTEM
Is impersonating: False
Stack trace: at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input)
at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox()
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0()
at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method)
Custom event details:
Source: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\HttpProxy_2021030813-1.LOG
2021-03-08T13:33:57.477Z,8b72ab0b-1b16-46cf-b84e-48d6cbfa7b45,15,1,2176,9,,Owa,public_ip,/owa/auth/x.js,,FBA,false,,,,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.81,35.244.82.13,EXCH,302,,,GET,,,,,X-AnonResource-Backend-Cookie,,,,0,,,,0,,,0,,0,,0,0,,0,106,0,,,,,,,,,0,104,2,,106,,106,106,,,,BeginRequest=2021-03-08T13:33:57.371Z;CorrelationID=<empty>;ProxyState-Run=None;ProxyState-Complete=CalculateBackEnd;SharedCacheGuard=0;EndRequest=2021-03-08T13:33:57.477Z;,UnexpectedException=System.ArgumentException: Invalid input value Parameter name: input at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input) at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox() at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0() at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate Func`2 filterDelegate Action`1 catchDelegate) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method);,,,,,
Also
2021-03-06T15:31:05.660Z,16a4dee4-37b2-430f-8df4-3bc228d55faf,15,1,2176,9,,Owa,mail.example.com,/owa/auth/x.js,,FBA,false,,,,Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html),104.225.219.16,EXCH,302,,,GET,,,,,X-AnonResource-Backend-Cookie,,,,0...: Invalid input value Parameter name: input at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input) at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox() at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0() at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate Func`2 filterDelegate Action`1 catchDelegate) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method);,,,,,
Is this some kind of new exploit?
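A triage sketch for the HttpProxy entries quoted above, added here as an example and not part of the original post: it lists the anonymous `/owa/auth/` requests that raised the `BackEndServer.FromString` exception and counts them per client address and user agent. The column positions are counted from the quoted lines, the field labels and function names are this example's own, and the sample input is constructed.

```python
import csv
from collections import Counter

# Column positions counted from the HttpProxy lines quoted in the post. The
# names are this example's own labels; the post does not show the log header.
F_TIME, F_URL, F_IS_AUTH, F_UA, F_IP, F_STATUS, F_HINT = 0, 9, 12, 16, 17, 19, 27
SIGNATURE = "BackEndServer.FromString"  # method named in the stack trace
HINT = "X-AnonResource-Backend-Cookie"  # value seen in column 27 of the quoted lines

def _line(ts, url, authed, ua, ip, status, hint, tail):
    """Build a constructed log line with the same column layout as the post."""
    return (f"{ts},id,15,1,2176,9,,Owa,mail.example.com,{url},,FBA,{authed},,,,"
            f"{ua},{ip},EXCH,{status},,,GET,,,,,{hint},,{tail}")

EXC = ("UnexpectedException=System.ArgumentException: Invalid input value at "
       "Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input);")
NSE = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/88.0.705.81"

# Constructed sample input; client addresses are documentation ranges.
SAMPLE = [
    _line("2021-03-06T15:31:05.660Z", "/owa/auth/x.js", "false", NSE, "192.0.2.10", 302, HINT, EXC),
    _line("2021-03-06T15:31:06.102Z", "/owa/auth/x.js", "false", NSE, "192.0.2.10", 302, HINT, EXC),
    _line("2021-03-08T13:33:57.477Z", "/owa/auth/x.js", "false", EDGE, "198.51.100.7", 302, HINT, EXC),
    _line("2021-03-08T13:40:00.000Z", "/owa/auth/logon.aspx", "false", EDGE, "192.0.2.55", 200, "", ""),
    _line("2021-03-08T13:41:00.000Z", "/owa/", "true", EDGE, "192.0.2.55", 200, "", ""),
]

def find_probes(lines):
    """Return one dict per anonymous /owa/auth/ request that raised the exception."""
    hits = []
    for row in csv.reader(lines):
        if len(row) <= F_HINT or row[0].startswith("#"):
            continue  # skip comment lines and truncated entries
        if (row[F_URL].lower().startswith("/owa/auth/")
                and row[F_IS_AUTH].lower() == "false"
                and row[F_HINT] == HINT
                and any(SIGNATURE in col for col in row[F_HINT + 1:])):
            hits.append({"time": row[F_TIME], "client_ip": row[F_IP], "url": row[F_URL],
                         "user_agent": row[F_UA], "status": row[F_STATUS]})
    return hits

def summarize(hits):
    """Count hits per (client IP, user agent), most active first."""
    return Counter((h["client_ip"], h["user_agent"]) for h in hits).most_common()

if __name__ == "__main__":
    for (ip, ua), n in summarize(find_probes(SAMPLE)):
        print(f"{n:3d}  {ip:15s}  {ua}")
```

To run it against real data, pass the lines of a `HttpProxy\Owa\*.LOG` file to `find_probes` instead of `SAMPLE`.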
Mar 10 2021 07:59 AM - edited Mar 10 2021 08:00 AM
I have also started seeing these on my Exchange 2016 server that is fully patched with the latest CU. The errors are identical to yours. I have not been able to determine what these are and I've opened a support request with Microsoft to see if they can help figure out what is going on. This started on Saturday the 6th for me.
Mar 10 2021 09:12 AM
@Jason284, I have the same event showing on several Exchange servers, all patched with the latest CUs and patches since 3.3.2021...
Mar 11 2021 09:16 AM
@Rrrrowsdower This also appears to have started less than 24 hours after installing the Exchange zero day patch for me as well.
Mar 11 2021 02:27 PM
@Jason284 - Did you get any update from Microsoft on your case?
Mar 11 2021 02:45 PM
@DhruvaKudva Unfortunately no, not a word yet. Although I have noticed that there are a lot of people getting these exact errors and it seems to correlate with installing the Exchange zero day patch last week from what I can tell. It's frustrating there hasn't been any response from Microsoft on this.
Mar 12 2021 05:12 AM - edited Mar 12 2021 05:16 AM
From what I understand, this could be due to Mailbox Anchoring. When an external connection is made (OWA), Exchange looks for the user's mailbox on the same node as the transport node.
If the user's mailbox is not on the same node as the transport node, it throws this error.
We get this error as well, and each time it occurs, the user's mailbox is NOT on the same node as the transport. It doesn't impact anything, as the DAG handles this, but it does seem to throw this error each time.
Mar 13 2021 09:12 AM
@MS_Tech_user1875 Did you get any feedback from MS? I see these events on fully patched Exchange servers 2013 & 2016; on all of the servers, Test-ProxyLogon.ps1 found entries and webshells like discovery.aspx. Every server was cleaned and is checked daily with PS scripts and an MSERT scan. All the bad IPs are blocked. Before we blocked the bad IPs, we got the same events (ASP.NET 4.... Web Event with owa and x.js files).
What is unclear to me: is this still a problem which indicates a compromise or active hacker access, or are these prevented access attempts and the server is safe for now?
Mar 17 2021 06:54 AM
We just received an email from our ISP that they have detected activity suggesting our OWA was compromised. Not 100% sure, but this may be evidence of exploitation. Investigating currently.