KP Holland

Starting Nmap 6.40 ( http://nmap.org ) at 2021-03-08 13:29 CET Nmap scan report for srv-name (XXX.XXX.XXX.XXX) Host is up (0.0049s latency). Not shown: 970 filtered ports PORT STATE SERVICE 25/tcp open smtp 80/tcp open http 81/tcp open hosts2-ns 110/tcp open pop3 135/tcp open msrpc 139/tcp open netbios-ssn 143/tcp open imap 443/tcp open https | http-vuln-cve2021-26855: | VULNERABLE: | Exchange Server SSRF Vulnerability | State: VULNERABLE | IDs: CVE:CVE-2021-26855 | Description: | Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies. | | Disclosure date: 2021-03-02 | References: | http://aka.ms/exchangevulns |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855 444/tcp open snpp 445/tcp open microsoft-ds 465/tcp open smtps 587/tcp open submission 593/tcp open http-rpc-epmap 808/tcp open ccproxy-http 993/tcp open imaps 995/tcp open pop3s 1801/tcp open msmq 2103/tcp open zephyr-clt 2105/tcp open eklogin 2107/tcp open msmq-mgmt 2525/tcp open ms-v-worlds 3389/tcp open ms-wbt-server 5060/tcp open sip 5901/tcp open vnc-1 6001/tcp open X11:1 6005/tcp open X11:5 6006/tcp open X11:6 6007/tcp open X11:7 6009/tcp open X11:9 6547/tcp open powerchuteplus MAC Address: 00:15:5D:04:65:07 (Microsoft) Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds

We are getting this message (see red text) from our (onprimise) Microsoft Exchange 2016 server. Is our windows server infected or is it a warning? Event "Probably infected object detected" has occurred on device SRV_NAME in Windows domain XXVYZ on Monday, March 8, 2021 11:06:04 AM (GMT+01:00) Probably infected object detected: Trojan HEUR:Exploit.Script.CVE-2021-26855.a. Object name: View_tools.aspx. User: SYSTEM