This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 56.00000000000001%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
I'm getting this in my Event Log and the server is very slow (almost unusable)
I rebooted it and looked in the event log I'm seeing this and almost identical errors but showing from different hosts (IP's)
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 30/03/2022 10:59:54
Event time (UTC): 30/03/2022 09:59:54
Event ID: b2395ea0a7c6495e8f512a8ce959e8ec
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/owa-1-132931077644820598
Trust level: Full
Application Virtual Path: /owa
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\
Machine name: BH-EX
Process information:
Process ID: 11820
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: ArgumentException
Exception message: Invalid input value
Parameter name: input
at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input)
at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox()
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__278_0()
at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func2 filterDelegate, Action1 catchDelegate)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method)
Request information:
Request URL: https://<ip address>:443/owa/auth/x.js
Request path: /owa/auth/x.js
User host address: <ip address>
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
Thread information:
Thread ID: 23
Thread account name: NT AUTHORITY\SYSTEM
Is impersonating: False
Stack trace: at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input)
at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox()
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__278_0()
at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func2 filterDelegate, Action1 catchDelegate)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
These events seem to be related to Hafnium attack.
Here are several links for your reference:
bad actors targeted exchange- /owa/auth/x.js
Suspicious events
What is the current CU and SU version of your Exchange server?
Please download and run the HealthChecker script to check the result.
If you haven't upgraded to the latest CU and installed the latest SU, please consider upgrading for security.
Exchange Server 2019 builds
Also follow the suggestions in this link: Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
This is a bit odd.
Windows update says that it's installed KB5012698
which is the latest update.
But powershell reports Version 15.2 (Build 986.5)
The healthChecker showed one infected item during the scan, but the end summery reported no problems found.
So which do you believe??
But powershell reports Version 15.2 (Build 986.5)
Did you use this cmdlet?
Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
If yes, it is the expected behavior as this cmdlet would not check SU versions but only the CU version.(Exchange 2019 CU11)
You may also compare the results with the output of the healthChecker.
Besides, have you run Antivirus tools, for example Microsoft safety scanner on the Exchange server?
Yes that was the cmdlet I used.
the healthchecker.ps1 script returns the correct version.
It was the Microsoft safety scanner that showed one infected file in it's detection stage then showed no problems found in it's completion summery.
Since you have installed latest SU and scanned the server, I suppose you may not need to worry too much about this.
If possible, you may also consider blocking these requests on the firewall.
I am writing here to confirm with you how thing going now?
If you have any questions or needed further help on this issue, please feel free to post back.