NeilFryatt-9458 avatar image
0 Votes"
NeilFryatt-9458 asked LucasLiu-MSFT commented

Exchange Server 2013 Compromised Suspicious IIS Modules

Hey Everyone, hope you're well.

Can someone please confirm for my sanity.

After Hafnium Shell exploit and a run of EOMT scripts and IISRewrites I still have what I expect to be suspicious native modules in IIS.
A belated update to CU23 did show that the applicationhost.config while was written to, I've not copied all of the globalmodules, but doea anyone know if this UpData
module is part of the usual IIS modules, looks suspicious to me and until I get rid of it I can't access OWA/EMS/ECP and have errors in event logs.

... <add name="kerbauth" image="c:\Program Files\Microsoft\Exchange Server\V15\Bin\kerbauth.dll" preCondition="bitness64" />
<add name="WSMan" image="C:\Windows\system32\wsmsvc.dll" />
<add name="exppw" image="c:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\auth\exppw.dll" />
<add name="cafe_exppw" image="c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\exppw.dll" />
<add name="UpData" image="C:\Windows\System32\system.dll" />
<add name="RewriteModule" image="%SystemRoot%\system32\inetsrv\rewrite.dll" />

Please give me some guidance.



· 6
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks Andy,

I ran a full MSERT scan as part of the EOMT script and then re-ran after CU23 upgrade and it shows this


I've not run the nmap script separately yet.
Test_ProxyLogon results showed a lot in the Cve-2021-26855.csv results from 20 IP's that have been blocked at firewall level.
The CVE 27065 log has had no evidence in the ECP logs since 09/04.

I've read other articles about Huntress so I'm trying to deploy that also.

0 Votes 0 ·
eomtsuccessobs.png (258.5 KiB)

Well, if it shows no malware found, then Id say you are good to go.
If you have any doubts consider opening a ticket with Microsoft, or rebuild the server ( or move to a new one)

0 Votes 0 ·

Hi @NeilFryatt-9458 ,
How do you judge these specific modules as suspicious modules? Was it prompted by the scanning software? As Andy said, try to scan the entire server and see the results.
Did you fail to log in to OWA/EMS/ECP after clearing these modules?
Are related error messages recorded in the event log?

0 Votes 0 ·

Hi Lucas,
Thanks for your reply I judge this one as suspicious as it refers to a system.dll file that looks like it has been deployed.
<add name="UpData" image="C:\Windows\System32\system.dll" />

There's no evidence of that being a standard globalmodule added by Exchange, I was hoping someone might concur if they had a similar environment on Exchange 2013 on Win 2012R2.
I've not yet cleared this module, the event log is just filled with 2280 "The Module DLL C:\Windows\System32\system.dll failed to load. The data is the error." because something renamed the file system.dll.000. AFAIK It didn't get picked up or cleared by Trend AV or malwarebytes which cleared the other hafnium threats.

0 Votes 0 ·

I'm only going to know if I can get back into OWA/EMS/ECP by deleting this module and removing it from applicationhost.config.
The closest I've found to confirmation of the default IIS modules is for Exchange 2016 here;

There's a reddit post where someone seems to have had a similar issue

0 Votes 0 ·

1 Answer

NeilFryatt-9458 avatar image
0 Votes"
NeilFryatt-9458 answered LucasLiu-MSFT commented

Thanks guys,
I know rebuilding the server or moving to a new one is the best option when it has been compromised.
Still I managed to manually remove the rogue IIS module, and then my OWA/EMS/ECP access has returned.
April security update already installed. Fingers crossed.
Thanks for your advice, much appreciated.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Sure, no problem.

If you could please mark an answer as accepted so we can close this up. thanks!

0 Votes 0 ·

Hi @NeilFryatt-9458 ,
I am happy to hear that your issue have been resolved. And thank you for sharing the solution : )
You could click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 Votes 0 ·