Posted

We are getting this message (see red text) from our (on-premises) Microsoft Exchange 2016 server. Is our Windows server infected or is it a warning?

 

Event "Probably infected object detected" has occurred on device SRV_NAME in Windows domain XXVYZ on Monday, March 8, 2021 11:06:04 AM (GMT+01:00) Probably infected object detected: Trojan HEUR:Exploit.Script.CVE-2021-26855.a. Object name: View_tools.aspx. User: SYSTEM

Posted

Starting Nmap 6.40 ( http://nmap.org ) at 2021-03-08 13:29 CET
Nmap scan report for srv-name (XXX.XXX.XXX.XXX)
Host is up (0.0049s latency).
Not shown: 970 filtered ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
81/tcp   open  hosts2-ns
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
| http-vuln-cve2021-26855:
|   VULNERABLE:
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|     Description:
|       Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.
|
|     Disclosure date: 2021-03-02
|     References:
|       http://aka.ms/exchangevulns
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855
444/tcp  open  snpp
445/tcp  open  microsoft-ds
465/tcp  open  smtps
587/tcp  open  submission
593/tcp  open  http-rpc-epmap
808/tcp  open  ccproxy-http
993/tcp  open  imaps
995/tcp  open  pop3s
1801/tcp open  msmq
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  msmq-mgmt
2525/tcp open  ms-v-worlds
3389/tcp open  ms-wbt-server
5060/tcp open  sip
5901/tcp open  vnc-1
6001/tcp open  X11:1
6005/tcp open  X11:5
6006/tcp open  X11:6
6007/tcp open  X11:7
6009/tcp open  X11:9
6547/tcp open  powerchuteplus
MAC Address: 00:15:5D:04:65:07 (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
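
An added example, not part of the thread or of the Nmap script: a Python check of an Exchange build number against the fixed-build thresholds quoted in the scan output above. The function names, the sample builds and the second accepted input format are assumptions of this example.

```python
import re

# Fixed revisions for CVE-2021-26855 as quoted in the Nmap script output above,
# keyed by (major, minor, build); the key identifies the cumulative update.
FIXED_REVISION = {
    (15, 1, 2106): 13,  # Exchange 2016 CU18
    (15, 1, 2176): 9,   # Exchange 2016 CU19
    (15, 2, 721): 13,   # Exchange 2019 CU7
    (15, 2, 792): 10,   # Exchange 2019 CU8
}
EX2013_FIXED = (15, 0, 1497, 12)  # Exchange 2013: every build below this one

# Accepts "15.01.2106.013" (the notation in the scan output) and, as an
# assumption of this example, "Version 15.1 (Build 2106.13)".
_BUILD_RE = re.compile(r"(\d+)\.(\d+)(?:\.|\s*\(Build\s+)(\d+)\.(\d+)\)?")


def parse_build(text):
    """Return the build as a 4-tuple of ints; leading zeros are dropped."""
    m = _BUILD_RE.search(text)
    if m is None:
        raise ValueError(f"no Exchange build number in {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(text):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one build string."""
    build = parse_build(text)
    if build[:2] == (15, 0):
        return "vulnerable" if build < EX2013_FIXED else "fixed"
    fixed_rev = FIXED_REVISION.get(build[:3])
    if fixed_rev is None:
        # A cumulative update the quoted list does not mention: undecidable
        # from this data alone, so report that rather than guess.
        return "not-listed"
    return "vulnerable" if build[3] < fixed_rev else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the server in the thread.
    for sample in ("15.01.2106.002", "Version 15.1 (Build 2176.9)",
                   "15.02.0792.010", "15.0.1473.3", "15.1.1979.3"):
        print(f"{sample:32} {classify(sample)}")
```

A "fixed" result describes only the installed build; it says nothing about whether a file such as the flagged View_tools.aspx was written to the server before the update was applied.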
 
