I'm running the latest MSERT (1.333.600.0) right now. I can't see the URL Stems in the virtual directories reported by the scan: /ecp/default.flt

The Exchange log files scan for IOC came back with "Suspicious activity found in Http Proxy log!" with AnchorMailbox stuff like this (actual servername replaced with THISSERVER for anonymity):

AnchorMailbox : : : ServerInfo~localhost/owa/auth/logon.aspx?
AnchorMailbox : ServerInfo~/owa/auth/logon.aspx?
AnchorMailbox : ServerInfo~THISSERVERAPPS/EWS/Exchange.asmx?a=
AnchorMailbox : ServerInfo~/EWS/Exchange.asmx?a=
AnchorMailbox : ServerInfo~THISSERVERAPPS/autodiscover/autodiscover.xml?a=
AnchorMailbox : : : : : : : ServerInfo~localhost/ecp/default.flt?
AnchorMailbox : ServerInfo~/ecp/default.flt?
AnchorMailbox : ServerInfo~somethingnonexistent/ecp/default.flt?

And dodgy looking UserAgent entries like Mozilla hehe amongst others.

I installed the latest patches and then ran the Exploit checks EOMT.ps1 and Test-ProxyLogon.ps1. I'm running the Exchange server exploit checks recommended by Microsoft here: 2 Security Scripts