Exchange attack Hafnium

Jendislav 96 Reputation points
2021-03-06T19:11:05.103+00:00

Hello, please can anybody tell me by this log, if my 2 servers had been compromised please? Thank you.
Server log
CVE-2021-26855
"2021-03-03T07:52:03.579Z","ServerInfo~a]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-04T23:03:44.923Z","ServerInfo~akak]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T05:37:27.400Z","ServerInfo~akak]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:44:51.174Z","ServerInfo~a]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:44:54.680Z","ServerInfo~a]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:45:32.913Z","ServerInfo~a]@Testta /autodiscover/autodiscover.xml#"
"2021-03-06T14:55:28.198Z","ServerInfo~burpcollaborator.net/ecp/default.flt?"

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,485 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Andy David - MVP 145K Reputation points MVP
    2021-03-06T19:17:06.39+00:00

    Probably. Consider opening a Microsoft support ticket or hiring a security consultant to investigate further:

    https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

    Personally, I would take all the Exchange Servers offline and rebuild them from scratch.


  2. Eric Yin-MSFT 4,386 Reputation points
    2021-03-08T02:58:52.417+00:00

    You could run the script here and it will give you the result like following if it's not affected:
    75203-3.png


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.