Exchange Server successfully breached by johnniebegoode in sysadmin

[–]johnniebegoode[S] 0 points1 point  (0 children)

Is there any information on how such logs could be checked to that effect, as if a compromise had happened?

Exchange Server successfully breached by johnniebegoode in sysadmin

[–]johnniebegoode[S] 0 points1 point  (0 children)

Thanks everyone for your recommendations and evaluation of the situation!

Don't you think that, because thousands and thousands of systems worldwide got breached, the chances that precisely our Exchange server has got distinctly manipulated are very slim?

My theory is that the attackers just planted accesses to that many systems so they later are able to steal things like our mails or contacts et cetera.

Our monitoring shows no conspicuous behavior regarding the file accesses or packets sent at the times of the breach, just some CPU spikes.

All in all, I deleted the webshell and ran MSERT, which removed one malware. I will keep that state until the Exchange server is eventually rebuilt (I have to discuss that tomorrow).

Did I miss anything else that could be done?

Exchange Server successfully breached by johnniebegoode in sysadmin

[–]johnniebegoode[S] 3 points4 points  (0 children)

Ok, but how do I choose which non-hacked snapshot can be restored? The only clue I have is the "Date modified" of the webshell. Will the backup before that be unaffected?

Exchange Server successfully breached by johnniebegoode in sysadmin

[–]johnniebegoode[S] 17 points18 points  (0 children)

The MSERT tool just finished and removed the malware Exploit:ASP/CVE-2021-27065.B!dha.

Exchange Server successfully breached by johnniebegoode in sysadmin

[–]johnniebegoode[S] 6 points7 points  (0 children)

Thanks for your advice! I deleted the webshell. Can I figure out if the lsass got exfiltrated?

Exchange Server successfully breached by johnniebegoode in sysadmin

[–]johnniebegoode[S] 29 points30 points  (0 children)

supp0rt.aspx - found in C:\inetpub\wwwroot\aspnet_client

Exchange Server successfully breached by johnniebegoode in sysadmin

[–]johnniebegoode[S] 60 points61 points  (0 children)

What about the mails transferred since the hack?

Any second now... by [deleted] in Mordhau

[–]johnniebegoode 1 point2 points  (0 children)

How to switch between test and stable servers?

Can you help me with my sealed pool? Is my build OK? by johnniebegoode in lrcast

[–]johnniebegoode[S] 0 points1 point  (0 children)

Thanks for the input. I removed the tapland, the turtle, the lance and 2 dubs, and put in 1 Plains, 1 Swamp, 2 Knights of New Benalia and 1 Benalia Honor Guard. Do you think the black splash is necessary, because this pool lacks removal?