webshell on exchange 2016 system

Question

Currently on our Exchange 2016 system there is an iisstart.aspx file. I don't know what it is. Does it affect the system? On the security side of our organization, we suspect it is a webshell attack on the system.

Thanks to everyone for help

Answer 1

Hello,

Thank you for posting in Q&A forum.

The "iisstart.aspx" file is usually a default placeholder page used by Internet Information Services (IIS) Microsoft. Its main purpose is to verify that IIS is installed and running correctly. In theory, it does not pose any threat to your system.

However, if you suspect that your system may have been attacked by a webshell, you should take the following steps to confirm and take action:

1. Check file integrity and content:

Verify the content of "iisstart.aspx". Compare it to a known good version from a clean installation of Exchange 2016 or IIS to ensure that it has not been tampered with.

2. Scan for viruses and malware:

Scan this file and the entire system with up-to-date antivirus software to detect any potential malware or webshells.

3. Check log files:

Review IIS logs, system event logs, and application logs for any unusual activity or logon attempts.

4. Check file properties:

Review file properties (e.g., creation date, modification date) to see if they are consistent with other system files or if they look suspicious.

5. Updates and Patches:

Make sure your Exchange 2016 and IIS installations are up to date with the latest security patches.

I hope the information above is helpful.

Best Regards,

Yanhong Liu

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

The iisstart.aspx file is not harmful. It is a default file that is part of Internet Information Services (IIS), the web server software used by Exchange Server. You can remove this file, if you don’t want it.

Answer 3

Hi @Yanhong Liu

I discovered some more of these files, please help me see what they are? Is it dangerous?

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\getidtoken.aspx

 

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\logon.aspx

 

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx

 

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\Logout.aspx

 

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.1.2242\themes\resources\aria-down.css.aspx

 

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.1.2242\themes\resources\owafont_es.aspx

 

/aspnet_client/system_web.aspx