Question about Hafnium-related entry in IIS log file

Stefan Falk 156 Reputation points

Hello everybody,

a german customer is running Exchange 2016 and installed CU19 and the Hafnium patch on 2021-03-04. Running the then current version of the Test-Hafnium.ps1 script, which the Exchange team put on GitHub, showed:


I would interpret this as the effort to use an eventually already installed Hafnium backdoor, but not as a sign of a successfull attack, neither for the installation of the backdoor nor to a successful exploitation. So there was someone who tried if that server had the backdoor installed, but I feel it was never installed. IIS logs were available down to early January 2021.

Would you agree or is this a sign that the server had been compromized?

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
6,529 questions
0 comments No comments
{count} votes

Accepted answer
  1. Zhengqi Lou-MSFT 8,821 Reputation points Microsoft Employee

    Hi @Stefan Falk ,

    As the Microsoft Doc explains:
    I think you may got the attack by CVE-2021-26855, as the security update patch has fixed this SSRF vulnerability, I think your Exchange server is safe now.

    But it is also suggested to double check the whole system with Safety Scanner(has been provided by Andy above), or apply the mitigation: ExchangeMitigations.ps1.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Stefan Falk 156 Reputation points

    Hello Andy and Lou,

    Thank you for your valuable input. I wanted to accept both of your postings as answer, but one can only pick one.

    We had run all those tools and are confident that the server hasn't been hacked now. Thank you again.

    Best Regards,

    1 person found this answer helpful.
    0 comments No comments

  2. Andy David - MVP 121.3K Reputation points MVP

    Scan for any known malware from these exploits:

    If you do not find any , that's a pretty good sign that there is no compromise - but they should remain vigilant.
    Ensure you have a permanent anti-malware solution

    0 comments No comments