webshell on exchange 2016 system

Pham Tien Dung 105 Reputation points
2024-07-16T01:41:30.2733333+00:00

Currently on our Exchange 2016 system there is an iisstart.aspx file. I don't know what it is. Does it affect the system? On the security side of our organization, we suspect it is a webshell attack on the system.

Thanks to everyone for the help.


3 answers

  1. Yanhong Liu 14,195 Reputation points Microsoft External Staff
    2024-07-16T06:33:17.1733333+00:00

    Hello,

    Thank you for posting in Q&A forum.

    The "iisstart.aspx" file is usually a default placeholder page used by Microsoft Internet Information Services (IIS). Its main purpose is to verify that IIS is installed and running correctly. In theory, it does not pose any threat to your system.

    However, if you suspect that your system may have been attacked by a webshell, you should take the following steps to confirm and take action:

    1. Check file integrity and content:

    Verify the content of "iisstart.aspx". Compare it to a known good version from a clean installation of Exchange 2016 or IIS to ensure that it has not been tampered with.

    2. Scan for viruses and malware:

    Scan this file and the entire system with up-to-date antivirus software to detect any potential malware or webshells.

    3. Check log files:

    Review IIS logs, system event logs, and application logs for any unusual activity or logon attempts.

    4. Check file properties:

    Review file properties (e.g., creation date, modification date) to see if they are consistent with other system files or if they look suspicious.

    5. Updates and Patches:

    Make sure your Exchange 2016 and IIS installations are up to date with the latest security patches.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu


  2. Amit Singh 5,306 Reputation points
    2024-07-16T07:01:47.3566667+00:00

    The iisstart.aspx file is not harmful. It is a default file that is part of Internet Information Services (IIS), the web server software used by Exchange Server. You can remove this file, if you don’t want it.


  3. Pham Tien Dung 105 Reputation points
    2024-07-18T09:16:16.0666667+00:00

    Hi @Yanhong Liu

    I discovered some more of these files. Please help me see what they are. Are they dangerous?

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\getidtoken.aspx

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\logon.aspx

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\Logout.aspx

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.1.2242\themes\resources\aria-down.css.aspx

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.1.2242\themes\resources\owafont_es.aspx

    /aspnet_client/system_web.aspx

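One way to carry out steps 1 and 4 of the first answer (compare against a known good copy, review file timestamps) over the directories named in the follow-up post. This is an added example, not code from the thread or from Microsoft. The function names, the baseline CSV path and the `C:\inetpub\wwwroot` location for `/aspnet_client/` are assumptions.

```powershell
# Added example, not from the thread. Assumed names: Get-AspxInventory,
# Compare-AspxInventory, C:\IR\aspx-baseline.csv, and the default IIS web root.
function Get-AspxInventory {
    param([string[]]$Root)
    foreach ($dir in $Root) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Force -Filter *.aspx -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    CreatedUtc  = $_.CreationTimeUtc.ToString('o')
                    ModifiedUtc = $_.LastWriteTimeUtc.ToString('o')
                }
            }
    }
}

function Compare-AspxInventory {
    param([object[]]$Current, [object[]]$Baseline)
    $known = @{}   # lower-cased path -> SHA-256 from the clean reference server
    foreach ($b in $Baseline) { $known[$b.Path.ToLowerInvariant()] = $b.Sha256 }
    foreach ($c in $Current) {
        $key = $c.Path.ToLowerInvariant()
        $status = 'Match'
        if (-not $known.ContainsKey($key)) { $status = 'NotInBaseline' }
        elseif ($known[$key] -ne $c.Sha256) { $status = 'HashMismatch' }
        [pscustomobject]@{
            Status = $status; Path = $c.Path; Sha256 = $c.Sha256
            CreatedUtc = $c.CreatedUtc; ModifiedUtc = $c.ModifiedUtc
        }
    }
}

$roots = @(
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy',
    'C:\inetpub\wwwroot\aspnet_client'   # assumed on-disk location of /aspnet_client/
)
$baselineCsv = 'C:\IR\aspx-baseline.csv'
# On a clean server of the same Exchange build, create the baseline once:
#   Get-AspxInventory -Root $roots | Export-Csv -LiteralPath $baselineCsv -NoTypeInformation
$current = @(Get-AspxInventory -Root $roots)
if (Test-Path -LiteralPath $baselineCsv) {
    Compare-AspxInventory -Current $current -Baseline (Import-Csv -LiteralPath $baselineCsv) |
        Where-Object { $_.Status -ne 'Match' } | Sort-Object ModifiedUtc | Format-List
} else {
    $current | Sort-Object ModifiedUtc | Format-List   # no baseline: review timestamps by hand
}
```

Treat the hash comparison as the primary signal, since file timestamps can be changed after the fact. Take the baseline from the same cumulative update level, because updates legitimately replace files under these paths.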
