question

BoeDillard-9400 asked AndyDavid edited

OK - I ran Test-ProxyLogon.ps1 for the zero day attack

I patched and shut down my server before this scan was available. My server is isolated from the internet but I brought it up long enough to run the scan.

The response log is just a bunch of IP addresses.

[Images: 82093-image.png, 82094-image.png, 82095-image.png]

Anyone know what to do with this info?

office-exchange-server-administration
AndyDavid answered AndyDavid edited

That script checks to see if there are any indications of the exploit. It doesn't mean you have been exploited, however.
If you already removed any malware and dealt with it, then you should be good. Just continue to be vigilant :)

AndyDavid answered

Scan to see if there are any exploits. If not, then you are good.

https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/

Exchange On-premises Mitigation Tool
Download and run EOMT.ps1 as an administrator on your Exchange Server to automatically run the latest version of Microsoft Safety Scanner (MSERT). MSERT discovers and remediates web shells, which are backdoors that adversaries use to maintain persistence on your server.

https://github.com/microsoft/CSS-Exchange/tree/main/Security

BoeDillard-9400 answered BoeDillard-9400 edited

Sorry - if I just ran that Test-ProxyLogon.ps1 - and got some results that I couldn't understand, what was the purpose of it? I'm not trying to be flip - I honestly don't know what the point of it was.

I'm not trying to patch my server - I've already gotten rid of it. I'm trying to ascertain if anything was really done.
