This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 62%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
In my ES2019 Exchange Admin Center, I am seeing cert requests which I never made.
There are about 20 of them in the last 3 months.
Does this mean I've been hacked? Anyone who had my admin password would surely have better things to do with it, than create requests, which no authority will honor since the hacker won't have access to the Domain Control Proof email for verification. Also, upon inspection, the requests are for domain "{example.org}". Obviously, anyone trying to break into my server would try to get a cert with my domain's name, and not a dummy name like "example.org".
The Certification authority-signed certificate details in the right Details Panel show what looks like to be HTML code from an ASP (!!!) Page.
I'd appreciate guidance on this.
@mlavie
I am writing here to confirm with you any update about this thread now?
If the suggestion below helps, please be free to accept it as an answer for helping more people.
hmmm, that sounds weird, yes.
What CU and Security updates have been applied?
Are you up to date?
If admin audit logging is enabled, search and see if you find anything:
Search-AdminAuditLog -Cmdlets New-ExchangeCertificate
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 13%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
Long story - but I am not a real Exchange admin - the responsibility was just dumped on me. I hadn't heard of the Zero Day virus, etc.
I just patched to cu11 and installed the Nov 9 security update. I also ran the EOMT which found (and then removed) web shell footprints.
I hope that solves it.
Thanks for your quick response!
mlavie
Have a check whether admin audit log enabled in your organization:
Get-AdminAuditLogConfig | fl AdminAuditLog*,LogLevel
If this phenomenon occurs again, you could check it as AndyDavid said.
Cool! Glad you got it updated. If you could, please mark an answer as accepted so this can closed if my suggestions worked. Thanks!