question

Toadstool42-9000 asked

Exchange Server 2019 generating network traffic via PowerShell.

While watching recent traffic generated by my Exchange Server 2019 Version 15.2 (Build 858.5), I see this as newer traffic since updating with the latest "patches" from earlier this month (March 2021). According to healthchecker.ps1 and every other scan I can get my hands on, I don't have a "nasty" in my network. Specifically, it is usually a TCP connection attempt to various ports on the AD servers in the organization from the E2019 VM. This is the script that is running. The only change I see is that the hexadecimal number after .\pipe\iisipm changes:

c:\windows\system32\inetsrv\w3wp.exe () -ap "msexchangepowershellapppool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \.\pipe\iisipm2102ad39-516e-4a5c-a934-228a22f08eb5 () -h "C:\inetpub\temp\apppools\MSExchangePowerShellAppPool\MSExchangePowerShellAppPool.config" -w "" -m 0

Does anyone know if this is normal behavior? I am currently blocking the process through our internal behavior monitoring software.

Tags: windows-server-powershell, office-exchange-server-administration, office-exchange-server-connectivity


Hi,
Where did you get that information? It looks more related to IIS.
Any errors in the Event Log? Or any performance issues found?


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



I am writing here to confirm with you how things are going now.
If you need further help, please provide more detailed information so that we can give more appropriate suggestions.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



This process is associated with exchange_cve_2021_26855

If you are seeing it, I am just letting you know that it is possible, if you are UNPATCHED, that you are hacked. If you are patched, it could be attempts to try.

Not trying to stress you out but figured you are looking to know.


The behavior described above stopped occurring after the "Latest Update 3/16/2021 PST (this will be the final update)" was applied. I saw no other blocked behavior in the Carbon Black logs after this was patched. So what you mentioned about CVE-2021-26855 appears to be correct.
Thanks


1 Answer

RichMatheisen-8856 answered

Exchange uses RPC to do many things, and the connections are ephemeral, so while the initial connection from the Exchange server would always begin on the same port (135), the actual data exchange would always take place on a dynamically assigned "high port".

I haven't worked on Exchange since 2014 (I was an Exchange Server MVP for 16 years before retiring), but looking at what you posted it seems to have to do with the configuration of the application pool used by what used to be the Client Access Server (I don't know what that role's called now, sorry).

Maybe one of the Exchange folks can fill in more detail. But I wouldn't interfere with that traffic for now.
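As an added illustration of the answer's point (this is example code, not something posted by the participants in this thread), the following PowerShell snippet locates the w3wp.exe worker that serves the MSExchangePowerShellAppPool, extracts the iisipm named-pipe identifier from its command line, and lists its outbound TCP connections, labelling port 135 as the RPC endpoint mapper and ports in the dynamic range as the "high port" follow-up. The app pool name, the dynamic range 49152-65535 (the Windows default), and the requirement to run elevated on a server with the NetTCPIP module are assumptions.

```powershell
# Added example, not from the thread: correlate the Exchange PowerShell app pool
# worker with its TCP connections and classify remote ports against the RPC pattern
# (endpoint mapper on 135, then a dynamically assigned high port).
# Assumes Windows Server with Get-NetTCPConnection available and an elevated session.

$AppPoolName      = 'MSExchangePowerShellAppPool'   # assumed pool name
$DynamicPortStart = 49152                          # Windows default dynamic range
$DynamicPortEnd   = 65535

# Find the worker process(es) whose command line names the app pool of interest.
$workers = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'w3wp.exe'" |
    Where-Object { $_.CommandLine -match "-ap\s+`"$AppPoolName`"" }

if (-not $workers) {
    Write-Warning "No w3wp.exe worker found for app pool '$AppPoolName'."
    return
}

foreach ($proc in $workers) {
    Write-Host "w3wp.exe PID $($proc.ProcessId) ($AppPoolName)"

    # The pipe name after "-a" carries a per-launch identifier; this is the value
    # the question observed changing between runs.
    if ($proc.CommandLine -match '\\\\\.\\pipe\\(iisipm[0-9a-f-]+)') {
        Write-Host "  IIS IPM pipe: $($Matches[1])"
    }

    Get-NetTCPConnection -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
        ForEach-Object {
            $conn = $_
            $label = switch ($conn.RemotePort) {
                135 { 'RPC endpoint mapper' }
                { $_ -ge $DynamicPortStart -and $_ -le $DynamicPortEnd } { 'dynamic RPC high port' }
                default { 'other (review)' }
            }
            [pscustomobject]@{
                PID      = $proc.ProcessId
                Remote   = "$($conn.RemoteAddress):$($conn.RemotePort)"
                State    = $conn.State
                Category = $label
            }
        } | Sort-Object Category, Remote | Format-Table -AutoSize
}
```

Connections to domain controllers that show up as port 135 followed by a port in the dynamic range match the behaviour the answer describes; anything labelled "other (review)" is what a defender would compare against the endpoint-monitoring alerts before deciding whether to keep blocking the process.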

