webshell on exchange 2016 system

Pham Tien Dung 105 Reputation points
2024-07-16T01:41:30.2733333+00:00

Currently on our Exchange 2016 system there is an iisstart.aspx file. I don't know what it is. Does it affect the system? On the security side of our organization, we suspect it is a webshell attack on the system.

Thanks to everyone for help

User's image

Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,334 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,629 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,569 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,662 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
2,132 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Yanhong Liu 11,860 Reputation points Microsoft Vendor
    2024-07-16T06:33:17.1733333+00:00

    Hello,

    Thank you for posting in Q&A forum.

    The "iisstart.aspx" file is usually a default placeholder page used by Internet Information Services (IIS) Microsoft. Its main purpose is to verify that IIS is installed and running correctly. In theory, it does not pose any threat to your system.

    However, if you suspect that your system may have been attacked by a webshell, you should take the following steps to confirm and take action:

    1. Check file integrity and content:

    Verify the content of "iisstart.aspx". Compare it to a known good version from a clean installation of Exchange 2016 or IIS to ensure that it has not been tampered with.

    1. Scan for viruses and malware:

    Scan this file and the entire system with up-to-date antivirus software to detect any potential malware or webshells.

    1. Check log files:

    Review IIS logs, system event logs, and application logs for any unusual activity or logon attempts.

    1. Check file properties:

    Review file properties (e.g., creation date, modification date) to see if they are consistent with other system files or if they look suspicious.

    1. Updates and Patches:

    Make sure your Exchange 2016 and IIS installations are up to date with the latest security patches.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

  2. Amit Singh 4,901 Reputation points
    2024-07-16T07:01:47.3566667+00:00

    The iisstart.aspx file is not harmful. It is a default file that is part of Internet Information Services (IIS), the web server software used by Exchange Server. You can remove this file, if you don’t want it.

    0 comments No comments

  3. Pham Tien Dung 105 Reputation points
    2024-07-18T09:16:16.0666667+00:00

    Hi @Yanhong Liu

    I discovered some more of these files, please help me see what they are? Is it dangerous?

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\getidtoken.aspx

     

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\logon.aspx

     

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx

     

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\Logout.aspx

     

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.1.2242\themes\resources\aria-down.css.aspx

     

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.1.2242\themes\resources\owafont_es.aspx

     

    /aspnet_client/system_web.aspx

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.