Question about Hafnium-related entry in IIS log file

Stefan Falk 166 Reputation points
2021-03-12T14:59:40.537+00:00

Hello everybody,

A German customer is running Exchange 2016 and installed CU19 and the Hafnium patch on 2021-03-04. Running the then-current version of the Test-Hafnium.ps1 script, which the Exchange team put on GitHub, showed:

"DateTime","AnchorMailbox"
"2021-03-03T08:06:05.126Z","ServerInfo~a]@sn .customerdomain.de/autodiscover/autodiscover.xml?#"
"2021-03-03T11:33:18.593Z","ServerInfo~a]@sn .customerdomain.de/autodiscover/autodiscover.xml?#"
"2021-03-03T13:39:33.153Z","ServerInfo~a]@sn .customerdomain.de/autodiscover/autodiscover.xml?#"
"2021-03-03T13:39:36.546Z","ServerInfo~a]@sn .customerdomain.de/mapi/emsmdb/?#"
"2021-03-03T13:39:38.925Z","ServerInfo~a]@sn .customerdomain.de/ecp/proxyLogon.ecp?#"
"2021-03-03T13:39:42.650Z","ServerInfo~a]@sn .customerdomain.de/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=-OlNq08-d06AaYApbaSPFtoynh_c39gIS35a8dhtli23cZk8G1r--7R0C8P_ce8LqCfENIZYkg0.&schema=OABVirtualDirectory#"

I would interpret this as an attempt to use a possibly already installed Hafnium backdoor, but not as a sign of a successful attack, neither of the installation of the backdoor nor of a successful exploitation. So someone checked whether that server had the backdoor installed, but I feel it was never installed. IIS logs were available back to early January 2021.

Would you agree, or is this a sign that the server had been compromised?

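Added example, not part of the question or of Microsoft's script: a small Python triage that reads the "DateTime","AnchorMailbox" CSV shown above and summarises, per target host, which backend paths the ServerInfo~ anchor values reached and when, so autodiscover-only probes can be told apart from requests that went on to /mapi or /ecp. The regex for the anchor shape and the sample rows (with a placeholder canary) are assumptions modelled on the output format in the question.

```python
"""Triage the "DateTime","AnchorMailbox" CSV that Test-Hafnium.ps1 emits for
CVE-2021-26855 indicators (ServerInfo~ anchor values carrying a backend URL).
Assumed/constructed: the anchor-format regex and the sample rows below."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the question's rows; host and canary are placeholders.
SAMPLE_CSV = '''"DateTime","AnchorMailbox"
"2021-03-03T08:06:05.126Z","ServerInfo~a]@sn .customerdomain.de/autodiscover/autodiscover.xml?#"
"2021-03-03T13:39:36.546Z","ServerInfo~a]@sn .customerdomain.de/mapi/emsmdb/?#"
"2021-03-03T13:39:38.925Z","ServerInfo~a]@sn .customerdomain.de/ecp/proxyLogon.ecp?#"
"2021-03-03T13:39:42.650Z","ServerInfo~a]@sn .customerdomain.de/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=PLACEHOLDER&schema=OABVirtualDirectory#"
'''

# Assumed shape of the anchor value: ServerInfo~<junk>@<host>/<path>[?<query>]#
ANCHOR_RE = re.compile(
    r"^ServerInfo~[^@]*@(?P<host>[^/]+)/(?P<path>[^?#]*)(?:\?(?P<query>[^#]*))?#?$")

def parse_rows(text):
    """Return (timestamp, host, path, query) tuples; rows without the ServerInfo~ shape are skipped."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        m = ANCHOR_RE.match(rec["AnchorMailbox"])
        if not m:
            continue
        ts = datetime.strptime(rec["DateTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
        host = re.sub(r"\s+", "", m.group("host")).lower()  # the logged host may carry stray spaces
        rows.append((ts, host, m.group("path").lower(), m.group("query") or ""))
    return rows

def summarize(rows):
    """Per host: first/last timestamp, hit count per backend path, the query strings seen,
    and whether any request reached a path other than autodiscover (/mapi, /ecp, ...)."""
    per_host = {}
    for ts, host, path, query in rows:
        s = per_host.setdefault(host, {"first": ts, "last": ts, "paths": defaultdict(int),
                                       "beyond_autodiscover": False, "queries": []})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["paths"][path] += 1
        if not path.startswith("autodiscover/"):
            s["beyond_autodiscover"] = True
        if query:
            s["queries"].append((path, query))
    return per_host

def main():
    for host, s in summarize(parse_rows(SAMPLE_CSV)).items():
        flag = "reached beyond autodiscover" if s["beyond_autodiscover"] else "autodiscover only"
        print(f"{host}: {s['first']:%Y-%m-%d %H:%M:%S} .. {s['last']:%H:%M:%S} ({flag})")
        for path, n in sorted(s["paths"].items()):
            print(f"  {n:3d}  /{path}")

if __name__ == "__main__":
    main()
```

Point `parse_rows` at the real script output instead of `SAMPLE_CSV` to get the same per-host summary for a production server.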

Accepted answer
  1. Xzsssss 8,861 Reputation points Microsoft Vendor
    2021-03-15T05:40:43.553+00:00

    Hi @Stefan Falk ,

    As the Microsoft Doc explains:
    [image: 77589-image.png]
    I think you may have been attacked via CVE-2021-26855; as the security update patch has fixed this SSRF vulnerability, I think your Exchange server is safe now.

    But it is also suggested to double-check the whole system with Safety Scanner (provided by Andy above), or to apply the mitigation: ExchangeMitigations.ps1.

    Regards,
    Lou


2 additional answers

  1. Stefan Falk 166 Reputation points
    2021-03-15T11:11:45.633+00:00

    Hello Andy and Lou,

    Thank you for your valuable input. I wanted to accept both of your postings as answer, but one can only pick one.

    We had run all those tools and are confident that the server hasn't been hacked now. Thank you again.

    Best Regards,
    Stefan


  2. Andy David - MVP 141.1K Reputation points MVP
    2021-03-12T16:03:32.25+00:00

    Scan for any known malware from these exploits:
    https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
    https://learn.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

    If you do not find any, that's a pretty good sign that there is no compromise, but they should remain vigilant.
    Ensure you have a permanent anti-malware solution.
