That script checks to see if there are any indications of the exploit. It doesn't mean you have been exploited, however.
If you already removed any malware and dealt with it, then you should be good. Just continue to be vigilant :)
OK - I ran Test-ProxyLogon.ps1 for the zero day attack
I patched and shut down my server before this scan was available. My server is isolated to the internet but I brought it up long enough to run the scan.
The response log is just a bunch of IP addresses.
Anyone know what to do with this info?
-
Andy David - MVP 141.3K Reputation points MVP
2021-03-27T22:13:59.12+00:00
-
Andy David - MVP 141.3K Reputation points MVP
2021-03-27T15:26:39.453+00:00
Scan to see if there are any exploits. If not, then you are good.
Exchange On-premises Mitigation Tool
Download and run EOMT.ps1 as an administrator on your Exchange Server to automatically run the latest version of Microsoft Safety Scanner (MSERT). MSERT discovers and remediates web shells, which are backdoors that adversaries use to maintain persistence on your server. https://github.com/microsoft/CSS-Exchange/tree/main/Security
-
Boe Dillard 666 Reputation points
2021-03-27T22:08:25.323+00:00
Sorry - if I just ran that Test-ProxyLogon.ps1 - and got some results that I couldn't understand, what was the purpose of it? I'm not trying to be flip - I honestly don't know what the point of it was.
I'm not trying to patch my server - I've already gotten rid of it. I'm trying to ascertain if anything was really done.