Hi, I ran this script
https://gist.github.com/ecapuano/13386852fb80beac4561f2bed569095e
against my Exchange server logs and I get the following output:
u_ex210303.log:13342:2021-03-03 07:40:23 192.168.XXX:XXX POST /ecp/y.js
&CorrelationID=<empty>;&cafeReqId=bc516abe-4c9e-4d53-821b-*REDACTED*; 443 - 86.105.18.116
ExchangeServicesClient/0.0.0.0 - 200 0 0 67
I need a human-readable explanation of these numbers and what happened there.
Especially what the numbers after 200 are supposed to mean.
The IP in that string is a known Hafnium IP!!!
So as far as I understand, this is an attempt to deploy their webshells to my server.
thx
