BR0KK asked EricYin-MSFT commented

Hafnium IP detected

Hi, I ran this script

https://gist.github.com/ecapuano/13386852fb80beac4561f2bed569095e


against my Exchange server logs and I get the following output:

 u_ex210303.log:13342:2021-03-03 07:40:23 192.168.XXX:XXX POST /ecp/y.js 
 &CorrelationID=<empty>;&cafeReqId=bc516abe-4c9e-4d53-821b-*REDACTED*; 443 - 86.105.18.116 
 ExchangeServicesClient/0.0.0.0 - 200 0 0 67


I need a human-readable explanation for these numbers and what happened there.

Especially what the numbers after 200 are supposed to mean.

The IP in that string is a known Hafnium IP!!!

So as far as I understand, this is an attempt to deploy their webshells to my server.

thx

office-exchange-server-administration
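The fields the question asks about are the standard IIS W3C columns: sc-status is the HTTP status returned to the client, sc-substatus is the IIS sub-status, sc-win32-status is the Win32 error code, and time-taken is milliseconds. So "200 0 0 67" means the POST to /ecp/y.js was served with HTTP 200, no IIS sub-status, no Win32 error, in 67 ms; in other words the request reached the application and got a successful answer, which is exactly why a 200 on a suspicious request is worth escalating rather than dismissing. The following is an added example (not code from the thread or from Microsoft) that parses such lines and flags the pattern shown on this page. The sample log is constructed from the two entries quoted in the thread, with the server IP replaced by a placeholder and the #Fields header reconstructed (an assumption) from the column order the second post shows; the indicator list is limited to the two client IPs and the User-Agent string that appear on this page.

```python
"""Decode IIS W3C log entries and flag the request pattern quoted in this thread.

Added example, not from the original post. SAMPLE_LOG is constructed: the two
suspicious lines mirror the entries quoted in the thread (server IP replaced by
192.168.0.10, one correlation ID left redacted), the GET line is benign filler,
and the #Fields header is assumed from the column order shown in the thread.
"""

# Constructed sample in the IIS W3C format (values are space-separated; IIS
# writes '+' for spaces inside a value, so a plain split on ' ' is safe).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 07:40:23 192.168.0.10 POST /ecp/y.js &CorrelationID=<empty>;&cafeReqId=bc516abe-4c9e-4d53-821b-REDACTED; 443 - 86.105.18.116 ExchangeServicesClient/0.0.0.0 - 200 0 0 67
2021-03-03 07:41:02 192.168.0.10 GET /owa/auth/logon.aspx - 443 - 203.0.113.5 Mozilla/5.0 - 200 0 0 12
2021-03-06 20:55:00 192.168.0.10 POST /ecp/y.js &CorrelationID=<empty>;&cafeReqId=05921a55-f80b-4309-8280-f8c7d2674372; 443 - 172.105.87.139 ExchangeServicesClient/0.0.0.0 - 200 0 0 62
"""

# Indicators taken only from what appears on this page: the two client IPs the
# poster matched and the User-Agent string both hits share.
THREAD_CLIENT_IPS = {"86.105.18.116", "172.105.87.139"}
SUSPECT_USER_AGENT = "ExchangeServicesClient/0.0.0.0"
SUSPECT_PATH = "/ecp/y.js"


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields: list[str] | None = None
    entries: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # IIS may emit a new #Fields line mid-file when logging settings change.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("data line encountered before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        entries.append(dict(zip(fields, values)))
    return entries


def explain_status(entry: dict[str, str]) -> dict[str, int]:
    """Decode the four trailing numbers the question asks about."""
    return {
        "http_status": int(entry["sc-status"]),         # HTTP response code
        "iis_substatus": int(entry["sc-substatus"]),    # IIS sub-status, 0 = none
        "win32_status": int(entry["sc-win32-status"]),  # Win32 error, 0 = success
        "time_taken_ms": int(entry["time-taken"]),      # server-side time in ms
    }


def match_reasons(entry: dict[str, str]) -> list[str]:
    """List which of the page's indicators an entry matches (empty = no match)."""
    reasons = []
    if entry["c-ip"] in THREAD_CLIENT_IPS:
        reasons.append(f"client IP {entry['c-ip']} is one the poster matched")
    if entry["cs(User-Agent)"] == SUSPECT_USER_AGENT:
        reasons.append(f"User-Agent {SUSPECT_USER_AGENT}")
    if entry["cs-method"] == "POST" and entry["cs-uri-stem"].lower() == SUSPECT_PATH:
        reasons.append(f"POST to {SUSPECT_PATH}")
    return reasons


def suspicious_entries(entries: list[dict[str, str]]) -> list[dict[str, str]]:
    """Entries that match at least one indicator; a 200 here means IIS served it."""
    return [e for e in entries if match_reasons(e)]


if __name__ == "__main__":
    for e in suspicious_entries(parse_w3c(SAMPLE_LOG)):
        print(e["date"], e["time"], e["c-ip"], e["cs-method"], e["cs-uri-stem"])
        print("   ", explain_status(e))
        for r in match_reasons(e):
            print("   -", r)
```

On a real server, read each u_ex*.log file under the IIS log directory with parse_w3c and feed the result to suspicious_entries; the #Fields handling matters because the column set differs between sites and can change within one file.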

BR0KK answered EricYin-MSFT commented

Ahh, so the program is integrated into this? I'll give it a try.

Does this have to be installed on the IIS server, or can I just download it and the logs to a different machine and run it with a different path?

OK, it doesn't, but I found the download link ... I must be blind :D


I ran the query against the IPs I got out of the PS query and I get this:

  RowNumber date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
  27963 06.03.2021 00:00:00 01.01.2000 20:55:00 192.168.XXX.XXX POST /ecp/y.js &CorrelationID=<empty>;&cafeReqId=05921a55-f80b-4309-8280-f8c7d2674372; 443 172.105.87.139 ExchangeServicesClient/0.0.0.0 200 0 0 62

So what can I find out about this connection from those logs alone? Are there any additional logs that I should parse for those IPs?

thx



It can be installed on a different machine.
The script you ran is just one of the tests for this threat; you can follow these articles to do a complete scan and check whether the hackers have made changes:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.informaticar.net/microsoft-exchange-march-2021-breach-hafnium/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


I am writing here to check with you how things are going now.
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


EricYin-MSFT answered EricYin-MSFT commented

Hi,
It seems to be part of an IIS log; you can use a tool to analyze it, for example Log Parser Studio from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=24659
Here is guidance for your reference: https://stackify.com/how-to-interpret-iis-logs/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
We suggest following the official docs to scan your server:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://github.com/microsoft/CSS-Exchange/tree/main/Security


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Yeah, I'm a script kiddie, so I need a GUI. Log Parser Studio 2.0 seems promising, but I can't seem to find a download link to it.

All I got was the shell program ...


I used Log Parser Studio 2.2 and it works for me: https://techcommunity.microsoft.com/t5/exchange-team-blog/introducing-log-parser-studio/ba-p/601131

 SELECT TOP 1000 *
 FROM '[LOGFILEPATH]' 
 ORDER BY time-taken
