question

0 Votes
raminsa-6505 asked, KaelYao-MSFT commented

Exchange 2016 vulnerable

Hi,

After running the PS1 below for the Exchange 2016 March 2021 security update, we get the result below.

Please give me a hand to fix our issue.

* We ran MSERT and KB5000871 on all Exchange servers, but our servers are still vulnerable.

Attachments: 84290-capture.jpg, 84656-84348-capture2.jpg, 84340-cassrv01-cve-2021-26855.txt


office-exchange-server-administration

Hi, @raminsa-6505

As mentioned in the link "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities":
"Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server."

As Andy suggested, please follow the recommendations in the link.

Also, please remember to use the latest version of the Test-ProxyLogon script, as it is being continually updated.
https://github.com/microsoft/CSS-Exchange/tree/main/Security#test-proxylogonps1

0 Votes
0 Votes
AndyDavid answered

0 Votes
raminsa-6505 answered, KaelYao-MSFT commented

We have done all the steps below:

- run KB5000871
- run MSERT (every time we run this application we get a different result)
- run exchangemitigation.ps1
- run Test-ProxyLogon

The main post attachment shows the result, and I want to know whether we are compromised.
If yes, what should we do?


From the results, it is likely that your Exchange server has been compromised.

As the Test-ProxyLogon script discovers potential attacker activity in the Exchange and IIS logs, the results should be showing evidence of being attacked before you installed KB5000871 (the date in the log is before 4.1).

If you have run the MSERT tool, it may discover and remove the web shells, which are backdoors that adversaries use to maintain persistence on your server.

For security reasons, you may follow the guide to make sure there aren't any malicious aspx files left, and reset your admin credentials.
Or you may also consider restoring your Exchange server.

0 Votes
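The comment above rests on one triage step: compare the timestamps of the CVE-2021-26855 hits that Test-ProxyLogon reports against the time the security update was installed. The script below is an added example that walks through that step; it is not the Test-ProxyLogon script and not code from this thread. It uses the indicator Microsoft published for CVE-2021-26855 (an unauthenticated HttpProxy request whose AnchorMailbox begins with `ServerInfo~` and carries a path), a constructed, simplified four-column subset of the HttpProxy CSV log, and an assumed patch-install time of 1 April 2021 (the "4.1" in the comment); `triage` and `verdict` are names chosen for this example.

```python
"""Classify CVE-2021-26855 indicators in Exchange HttpProxy logs relative to
the time the March 2021 security update was installed.
Added example, not the Test-ProxyLogon script. The CSV layout below is a
constructed, simplified subset: real HttpProxy logs carry many more columns."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample log (three requests, one user, one pre-patch and one
# post-patch exploit-style request). Hostnames and users are made up.
SAMPLE_LOG = """DateTime,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-04T02:11:09.123Z,,ServerInfo~a]@contoso.local:444/autodiscover/autodiscover.xml,/ecp/y.js
2021-03-04T02:12:40.456Z,contoso\\jdoe,SMTP:jdoe@contoso.local,/owa/
2021-04-05T10:30:00.000Z,,ServerInfo~a]@contoso.local:444/ecp/DDI/DDIService.svc,/ecp/x.js
"""

# Assumed install time of KB5000871 for this example ("4.1" in the thread).
PATCH_INSTALLED_AT = datetime(2021, 4, 1, tzinfo=timezone.utc)


def is_26855_indicator(row):
    """Indicator from Microsoft's HAFNIUM guidance: no authenticated user and an
    AnchorMailbox of the form ServerInfo~<host>/<path>."""
    anchor = row.get("AnchorMailbox", "")
    return (row.get("AuthenticatedUser", "") == ""
            and anchor.startswith("ServerInfo~")
            and "/" in anchor)


def parse_ts(value):
    """HttpProxy DateTime values are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage(log_text, patch_installed_at=PATCH_INSTALLED_AT):
    """Split indicator hits into those logged before and after the patch time."""
    result = {"before_patch": [], "after_patch": []}
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_26855_indicator(row):
            continue
        hit = {"time": row["DateTime"], "anchor": row["AnchorMailbox"], "url": row["UrlStem"]}
        bucket = "before_patch" if parse_ts(row["DateTime"]) < patch_installed_at else "after_patch"
        result[bucket].append(hit)
    return result


def verdict(result):
    """Plain-language conclusion following the reasoning in the thread."""
    if result["after_patch"]:
        return ("requests matching the indicator continue after the recorded patch time: "
                "verify the update is installed on every server and investigate these attempts")
    if result["before_patch"]:
        return ("indicators only before the patch time: the server was exposed before patching, "
                "assume compromise and remediate (web shells, credential reset, or restore)")
    return "no CVE-2021-26855 indicators in the supplied log"


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for bucket in ("before_patch", "after_patch"):
        for hit in res[bucket]:
            print(bucket, hit["time"], hit["url"], hit["anchor"])
    print(verdict(res))
```

The point of the split is the one the comment makes: hits dated before the update was applied do not mean the patch failed, they mean the server was reachable by the exploit before it was patched, so the findings are evidence of exposure that still has to be remediated; hits after the patch time call for checking that the update really is installed on that server.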

Hi, @raminsa-6505

I am writing here to confirm with you how things are going now.
Did the issue get resolved?

0 Votes