Exchange Server Vulnerability - Still Having Issues after all Patch and CU20 Updates

JSS CGY 1 Reputation point
2021-04-28T22:03:41.617+00:00

Hello everyone,

As per Microsoft recommendations, we already installed all security patches earlier in March and installed the CU 20 update. Here are the details about our issue. Any help on this will be appreciated:

Issue: High CPU utilization due to cmd.exe process

Exchange 2016 Standard

Work done so far:
All patches installed, CU 20 installed, performed multiple scans with Microsoft Safety Scanner; every time it finds and removes "Backdoor:MSIL/Chopper.F!dha", but the next day the same issue occurs.

Opened the cmd.exe process in Process Explorer today and found the following command line:
C:\Windows\System32\cmd.exe -o 95.216.46.125:443 -u 44EspGiviPdeZSZyX1r3R9RhpGCkxYACEKUwbA4Gp6cVCzyiNeB21STWYsJZYZeZt63JaUn8CVxDeWWGs3f6XNxGPtSuUEX -k --tls -p MOON

Also ran the Exchange Mitigation Tool and it did not find anything.
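An added example, not part of the thread: a small Python triage helper that scores Windows process command lines for the miner-style switches quoted above (`-o pool:port`, a wallet-length `-u` value, `-k --tls`) and flags a system-binary name such as cmd.exe carrying them. The sample lines, the 198.51.100.10 pool address and the wallet string are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Shape of the launch line reported in the question:
#   <image> -o <pool-host>:<port> -u <wallet> -k --tls -p <worker>
# cmd.exe accepts none of these switches, so a system-binary name carrying
# them is the masquerade to look for. All values below are constructed.
POOL_RE = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?[\w.\-]+:\d{2,5}$")
WALLET_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{80,120}$")  # base58, payment-address length
MINER_FLAGS = {"-k", "--keepalive", "--tls", "--donate-level", "--cpu-max-threads-hint"}
MASQUERADE_NAMES = {"cmd.exe", "conhost.exe", "svchost.exe", "powershell.exe"}

@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two independent miner traits are required, so "-u user" alone never fires.
        return len(self.reasons) >= 2

def analyze_cmdline(cmdline: str) -> Finding:
    """Score one process command line for miner-style argument traits."""
    argv = cmdline.split()  # whitespace split; quoted paths need a real tokenizer
    if not argv:
        return Finding(image="")
    image = argv[0].rsplit("\\", 1)[-1].lower()
    finding = Finding(image=image)
    for i, arg in enumerate(argv[1:], start=1):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if arg in ("-o", "--url") and POOL_RE.match(nxt):
            finding.reasons.append(f"pool endpoint {nxt}")
        elif arg in ("-u", "--user") and WALLET_RE.match(nxt):
            finding.reasons.append("wallet-shaped user string")
        elif arg in MINER_FLAGS:
            finding.reasons.append(f"miner flag {arg}")
    if finding.reasons and image in MASQUERADE_NAMES:
        finding.reasons.append(f"{image} takes none of these switches")
    return finding

def scan(cmdlines) -> list:
    """Return only the findings worth triage, in input order."""
    return [f for f in map(analyze_cmdline, cmdlines) if f.suspicious]

FAKE_WALLET = "4" + "AbCdEfGh12345678" * 6  # base58-looking placeholder, 97 chars
SAMPLE_CMDLINES = [  # constructed; TEST-NET address, no real pool or wallet
    r"C:\Windows\System32\cmd.exe -o 198.51.100.10:443 -u " + FAKE_WALLET + " -k --tls -p WORKER",
    r"C:\Windows\System32\cmd.exe /c dir C:\inetpub\wwwroot",
    r"C:\Tools\updater.exe -o localhost:8080 -u admin",  # one trait only: not flagged
]
```

Feed `scan()` the output of a process listing (for example the CommandLine column of a Process Explorer or Get-Process export) and triage the returned findings by the reasons listed.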


9 answers

  1. Lucas Liu-MSFT 6,161 Reputation points
    2021-04-29T02:06:43.893+00:00

    Hi @JSS CGY ,
    Are there any Exchange functions that are not working properly?

    According to my research on "Backdoor:MSIL/Chopper.F!dha", I found that this is a security issue about Windows Server, not specific to Exchange. I can provide limited help, so I have added the "Windows-server-security" tag, which will bring in professional engineers to help you.

    Based on my research on this issue, I recommend that you upgrade your Windows Server to the latest version and install the relevant security updates. Then you could scan your PC by using Microsoft Defender. In addition, if none of these methods solves it, reinstalling the Windows system will be our last choice.
    For more information you could refer to: Troubleshoot problems with detecting and removing malware



  2. Orhan YILDIRIM 1 Reputation point
    2021-06-09T06:11:04.407+00:00

    Hi @JSS CGY ,

    The same is happening to me. Did you find a solution?

    Thanks


  3. dyna 1 Reputation point
    2021-06-11T16:03:48.817+00:00

    Same problem on 2 Exchange 2016 servers for 2 customers. Seems to be only happening on 2016. Customers with 2019 and even one with an old 2013 install have no problems.

    After killing the mining process and running MSERT, it's always Chopper.F!dha that is found. But a few hours later it just comes back.
    Every form of patch/mitigation has been tried, as well as all possible versions of the nmap checks, but they all say it's safe. But it just isn't.

    The first customer was migrated to 2019 and the problem stopped as soon as internet access on port 443 was changed from the 2016 server to the 2019 server, so I'm pretty sure it's remotely triggered.

    Saying it's not an Exchange problem but a Windows Server problem is cute, but the only reason these servers have IIS installed is because of Exchange, and nothing else is running on them. It seems that Microsoft just didn't fix it enough on Exchange 2016.
    I guess they like to sell 2019, but upgrading is not always an option; upgrading the second customer will probably be a lot harder. A real fix would be nice.


  4. Andrea Soc 1 Reputation point
    2021-06-14T10:26:40.71+00:00

    I have the same problem with Exchange 2013, found some backdoors and Trojans.


  5. cb27 21 Reputation points
    2021-09-06T20:42:53.303+00:00

    We have to remember that there was a gap of 55 days between the earliest detected exploits in January and Microsoft releasing any patches in March.

    During this window, the miscreants deployed their webshells - many of which remain undetected by security software. These are now being used to launch data exfiltration and/or ransomware operations.

    We're about to wipe and redeploy ourselves. Fully patched Windows Server and Exchange 2019.

    I'm more curious to know why On-Premises Exchange was vulnerable but Online Exchange wasn't. A cynic might say it's to "encourage" migration to subscription services...
