This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 95%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
hello all,
i found in HttpProxy ECP logfiles this entrys . Is this a hafnium attack?
myip /ecp/program.js FBA false ServerInfo~a]@myservername:444/autodiscover/autodiscover.xml?# ExchangeServicesClient/0.0.0.0 211.200.57.186
myip /ecp/program.js FBA false ServerInfo~a]@myservername:444/autodiscover/autodiscover.xml?# ExchangeServicesClient/0.0.0.0 110.10.238.99
A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.
Answer accepted by question author
Run this script to see:
https://github.com/microsoft/CSS-Exchange/tree/main/Security
Download Test-ProxyLogon.ps1
Andy,
Output is from test-proxyLogon Script, but it is not 443 and i can't find any *.zip *.7z files or new aspx files
In that case, I would say its likely a hafnium issue.
COnsider opening a case with Microsoft support, but you may want to look at further checking to see if you have been compromised and rebuild your Exchange Servers.
I would seriously get Microsoft assistance.
Run the scanner to see if there are any malicious files
https://github.com/microsoft/CSS-Exchange/blob/main/Security/Defender-MSERT-Guidance.md
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi,@Chris
Please always ensure that you are running the latest version of the script as the script is being updated frequently to ensure there are no false positives.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.