Hey Everyone, hope you're well.
Can someone please confirm for my sanity?
After Hafnium Shell exploit and a run of EOMT scripts and IISRewrites I still have what I expect to be suspicious native modules in IIS.
A belated update to CU23 did show that the applicationhost.config file was written to. I've not copied all of the globalmodules, but does anyone know if this UpData module is part of the usual IIS modules? It looks suspicious to me, and until I get rid of it I can't access OWA/EMS/ECP and have errors in event logs.
... <add name="kerbauth" image="c:\Program Files\Microsoft\Exchange Server\V15\Bin\kerbauth.dll" preCondition="bitness64" />
<add name="WSMan" image="C:\Windows\system32\wsmsvc.dll" />
<add name="exppw" image="c:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\auth\exppw.dll" />
<add name="cafe_exppw" image="c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\exppw.dll" />
<add name="UpData" image="C:\Windows\System32\system.dll" />
<add name="RewriteModule" image="%SystemRoot%\system32\inetsrv\rewrite.dll" />
Please give me some guidance.
Thanks
Neil
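
Added example (not part of the original post): one way to triage a globalModules list like the one quoted above is to read applicationHost.config and report, for every native module, whether its image exists on disk, its Authenticode status and signer, its timestamps and its SHA-256. It assumes the default IIS config path and an elevated 64-bit PowerShell session; the script only reads, and a signature status other than Valid is a lead to investigate, not a verdict.

```powershell
# Added example: inventory every IIS native (global) module with file and signature details.
# Use 64-bit PowerShell so System32 paths are not redirected to SysWOW64.
$configPath = Join-Path $env:SystemRoot 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -LiteralPath $configPath -Raw

$report = foreach ($module in $config.configuration.'system.webServer'.globalModules.add) {
    # Image paths may contain variables such as %SystemRoot% or %windir%.
    $imagePath = [Environment]::ExpandEnvironmentVariables($module.image)
    $row = [ordered]@{
        Name            = $module.name
        Image           = $imagePath
        Exists          = ($imagePath -and (Test-Path -LiteralPath $imagePath -PathType Leaf))
        SignatureStatus = $null
        Signer          = $null
        Company         = $null
        CreatedUtc      = $null
        ModifiedUtc     = $null
        SHA256          = $null
    }
    if ($row.Exists) {
        $file = Get-Item -LiteralPath $imagePath -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $imagePath
        $row.SignatureStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        $row.Company     = $file.VersionInfo.CompanyName
        $row.CreatedUtc  = $file.CreationTimeUtc
        $row.ModifiedUtc = $file.LastWriteTimeUtc
        $row.SHA256      = (Get-FileHash -LiteralPath $imagePath -Algorithm SHA256).Hash
    }
    [pscustomobject]$row
}

# Modules whose image is missing or not validly signed sort to the top for review.
$report |
    Sort-Object -Property @{ Expression = { $_.SignatureStatus -eq 'Valid' } }, Name |
    Format-List
```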
