This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 82%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJO%3C/text%3E%3C/svg%3E)
Hi All,
We have run scanner on both of our exchange 2016 servers and one came back positive and the other negative.
However, on both servers, these files are .aspx files in %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth:
errorFE.aspx
ExpirtedPassword.aspx
frowny.aspx
logoff.aspx
logon.aspx
OutlookCN.aspx
RedirSuiteServiceProxy.aspx
signout.aspx
Are these file normal in exchange 2016?
Also these files were created way before the attack.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Any update about your question?
Have you tried the MSERT tool?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 54%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBN%3C/text%3E%3C/svg%3E)
I have these same files on my server and I have the same question.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 6%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBL%3C/text%3E%3C/svg%3E)
I have got those same files on an Exchange 2019 machine.
There is one extra: getidtoken.htm
Looks a bit out of place, there...
Will run a restore of a version before this exploit to verify and post back...
I have checked in my environment, and found the same files under the path.
These files should be nomal files for Exchange. For security reasons, I would suggest you use the MSERT.exe tool to scan your server.
For more information: Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 ,mainly refer to the part Microsoft Support Emergency Response Tool (MSERT) to scan Microsoft Exchange Server.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I can confirm I have the exact same files with the same creation dates and sizes on a restore of that box from before the exploit. Seems legit...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 49%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
The files you pointed out exist on my exchange also however I also had a recent incident where Backdoor shell script was installed in the ecp\auth virtual directory that looked like this:
Here are some useful links that helped me narrow down the issue and remove them:
https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/